Bug 4372 - Spoofing rule
Summary: Spoofing rule
Status: RESOLVED DUPLICATE of bug 4255
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: 3.0.3
Hardware: All All
: P5 enhancement
Target Milestone: 3.2.0
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-26 14:17 UTC by Nicolas Mailhot
Modified: 2006-03-06 20:59 UTC (History)
0 users


Attachment Type Modified Status Actions Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nicolas Mailhot 2005-05-26 14:17:51 UTC 
Hi,

I think it would be a good idea to add a rule that flags tags like
<a href="some_url">another_url</a>

ie messages that masquerade a real link as a text-colorized url

Honest mails either have some_url=another_url or put a real meaningful text in
the link

But then it seems such a simple thing to do there must be good reasons it's not
implemented yet - I get tons of fake ebay messages that seem to use this pattern
Comment 1 Bob Menschel 2005-05-26 21:06:02 UTC 
I suspect that a link like
<a
href="http://www.example.com/dirname/pagename.htm#section">www.example.com</a>
might be used to direct people to a specific page/section of a web site, but
have just the domain in the display text for aesthetic purposes. 

However, links like
<a href="http://mysub.example.com/myspoof/fakeit.asp">www.yourbank.com</a>
certainly would suggest spam/scam. 

Won't know how truly valuable such a test will be until someone codes it and we
mass-check.

Triage: I'm guessing noone will be able to do so before the 3.1 scoring pass, so
I'm provisionally flagging this for 3.2, but hoping it'll be done sooner.
Comment 2 Nicolas Mailhot 2005-05-27 00:18:00 UTC 
So far the spammers/spoofers are not that smart : they use

<a href="http://mysub.example.com/myspoof/fakeit.asp">http://www.ebay.com/...</a>
Comment 3 Loren Wilton 2005-05-27 01:44:49 UTC 
Subject: Re:  Spoofing rule

Essentially this case has been discussed a number of times.  I submitted a
bug on it a while back.  There are or have been some rules similar to this
tested, and it turns out that they for the most part get very lousy hit
ratios.  Especially commercial newletters and the like tend to put hostnames
and text that are both formatted as hostnames, but are quite different.
Even checking for http: in the real link and https: in the display link gets
a bad hit ratio.  The only one that comes close to working is checking for
http://\d in the actual link and https://[a-z] in the display link.  Even it
(as best I recall) has too low a hit ratio to make it into the standard
rules.

Now, all that said, SARE has several rules of this sort that work quite well
at catching specifc phish attempts, and even some general attempts.  But our
limit on the S/O ratio we will accept is lower than the Dev's limit.
Comment 4 Nicolas Mailhot 2005-05-27 02:01:18 UTC 
If you tell me this will catch malformed commercial newsletters too I'm all for it.

They are borderline spam anyway - they hit so many other SA rules I don't see
how they can be taken as an argument against this one.

I don't see why newsletter writers should be exempted from sanitazing their
messages like everyone else - if your business model depends of sending
commercial mails, you can be expected to budget for sending correct mail
Comment 5 Theo Van Dinter 2006-03-07 04:59:37 UTC 
this has been discussed and tested already.  it has a bad S/O and wasn't promoted.  see bug 4255 for 
more info.

*** This bug has been marked as a duplicate of 4255 ***