SA Bugzilla – Bug 4112
rule to detect misleading hyperlinks
Last modified: 2005-02-17 15:07:55 UTC
(Sigh) I'm so sick of getting phishing emails. A common characteristic seems to be the use of misleading hyperlinks, as in this example:

<a href="http://email.apollo-cn.idv.tw/webmail/database/.wamu/" >https://login.personal.wamu.com/registration/CreateLogonEntry.asp</a>

A rule could be

<\s*a\s+href\s*=\s*['"](.*?)['"]\s*>(https?:.*?)</\s*a\s*>

where $1 != $2. But I don't know how to express that kind of condition as a simple regular expression.

Please forgive me if this RFE is off-base... I'm not a SpamAssassin expert, just a satisfied user.
Subject: Re: New: rule to detect misleading hyperlinks

Good idea, and expressible in a regex. But it doesn't work well. There are too many legit sites that do things where there is a character or two difference between the URIs, or they are even completely different. This is especially bad in newsletters.

This is probably a case where more specifically targeted rules will have a better chance of working. SARE has a number of anti-phishing rules that work fairly well, although they could be improved. WAMU in particular is a fairly new phishing target.
Unfortunately, this is really common in legitimate mail. Don't ask me why, but it is... I've tested this idea before quite extensively.
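
An added example, not part of the bug thread and not SpamAssassin code: the comparison proposed in the report, done with an HTML parser and limited to hostnames, so that links differing only in path do not count. The function names and the second sample are constructed; that sample is the kind of newsletter tracking link the replies describe, and it is flagged exactly like the phishing link from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed host, e.g. an unclosed '['
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname or None


def mismatched_links(html):
    """(href_host, text_host) for anchors whose visible text is itself a URL
    on a different host than the one the link points to."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    pairs = ((host_of(h), host_of(t)) for h, t in parser.links)
    return [(h, t) for h, t in pairs if h and t and h != t]


# First sample is the link from the bug report; the second is constructed.
PHISH = ('<a href="http://email.apollo-cn.idv.tw/webmail/database/.wamu/" >'
         'https://login.personal.wamu.com/registration/CreateLogonEntry.asp</a>')
NEWSLETTER = '<a href="http://click.example.net/t/1">http://www.example.com/sale</a>'
```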