|
SA Bugzilla – Full Text Bug Listing |
Summary: | Spoofing rule | ||
---|---|---|---|
Product: | Spamassassin | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
Component: | Rules | Assignee: | SpamAssassin Developer Mailing List <dev> |
Status: | RESOLVED DUPLICATE | ||
Severity: | enhancement | ||
Priority: | P5 | ||
Version: | 3.0.3 | ||
Target Milestone: | 3.2.0 | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: |
Description
Nicolas Mailhot
2005-05-26 14:17:51 UTC
I suspect that a link like <a href="http://www.example.com/dirname/pagename.htm#section">www.example.com</a> might be used to direct people to a specific page/section of a web site, but have just the domain in the display text for aesthetic purposes. However, links like <a href="http://mysub.example.com/myspoof/fakeit.asp">www.yourbank.com</a> certainly would suggest spam/scam. Won't know how truly valuable such a test will be until someone codes it and we mass-check. Triage: I'm guessing noone will be able to do so before the 3.1 scoring pass, so I'm provisionally flagging this for 3.2, but hoping it'll be done sooner. So far the spammers/spoofers are not that smart : they use <a href="http://mysub.example.com/myspoof/fakeit.asp">http://www.ebay.com/...</a> Subject: Re: Spoofing rule Essentially this case has been discussed a number of times. I submitted a bug on it a while back. There are or have been some rules similar to this tested, and it turns out that they for the most part get very lousy hit ratios. Especially commercial newletters and the like tend to put hostnames and text that are both formatted as hostnames, but are quite different. Even checking for http: in the real link and https: in the display link gets a bad hit ratio. The only one that comes close to working is checking for http://\d in the actual link and https://[a-z] in the display link. Even it (as best I recall) has too low a hit ratio to make it into the standard rules. Now, all that said, SARE has several rules of this sort that work quite well at catching specifc phish attempts, and even some general attempts. But our limit on the S/O ratio we will accept is lower than the Dev's limit. If you tell me this will catch malformed commercial newsletters too I'm all for it. They are borderline spam anyway - they hit so many other SA rules I don't see how they can be taken as an argument against this one. I don't see why newsletter writers should be exempted from sanitazing their messages like everyone else - if your business model depends of sending commercial mails, you can be expected to budget for sending correct mail |