SA Bugzilla – Bug 4372
Spoofing rule
Last modified: 2006-03-06 20:59:37 UTC
Hi, I think it would be a good idea to add a rule that flags tags like <a href="some_url">another_url</a> ie messages that masquerade a real link as a text-colorized url Honest mails either have some_url=another_url or put a real meaningful text in the link But then it seems such a simple thing to do there must be good reasons it's not implemented yet - I get tons of fake ebay messages that seem to use this pattern
I suspect that a link like <a href="http://www.example.com/dirname/pagename.htm#section">www.example.com</a> might be used to direct people to a specific page/section of a web site, but have just the domain in the display text for aesthetic purposes. However, links like <a href="http://mysub.example.com/myspoof/fakeit.asp">www.yourbank.com</a> certainly would suggest spam/scam. Won't know how truly valuable such a test will be until someone codes it and we mass-check. Triage: I'm guessing noone will be able to do so before the 3.1 scoring pass, so I'm provisionally flagging this for 3.2, but hoping it'll be done sooner.
So far the spammers/spoofers are not that smart : they use <a href="http://mysub.example.com/myspoof/fakeit.asp">http://www.ebay.com/...</a>
Subject: Re: Spoofing rule Essentially this case has been discussed a number of times. I submitted a bug on it a while back. There are or have been some rules similar to this tested, and it turns out that they for the most part get very lousy hit ratios. Especially commercial newletters and the like tend to put hostnames and text that are both formatted as hostnames, but are quite different. Even checking for http: in the real link and https: in the display link gets a bad hit ratio. The only one that comes close to working is checking for http://\d in the actual link and https://[a-z] in the display link. Even it (as best I recall) has too low a hit ratio to make it into the standard rules. Now, all that said, SARE has several rules of this sort that work quite well at catching specifc phish attempts, and even some general attempts. But our limit on the S/O ratio we will accept is lower than the Dev's limit.
If you tell me this will catch malformed commercial newsletters too I'm all for it. They are borderline spam anyway - they hit so many other SA rules I don't see how they can be taken as an argument against this one. I don't see why newsletter writers should be exempted from sanitazing their messages like everyone else - if your business model depends of sending commercial mails, you can be expected to budget for sending correct mail
this has been discussed and tested already. it has a bad S/O and wasn't promoted. see bug 4255 for more info. *** This bug has been marked as a duplicate of 4255 ***