On Wed, 2009-03-18 at 07:20 -0700, Dennis Peterson wrote:
> Erwan David wrote:
> > On Wed, Mar 18, 2009 at 01:55:14PM CET, Dennis Peterson
> > <denni...@inetnw.com> said:
> >> Moray Henderson (ICT) wrote:
> >>>> From: Török Edwin [mailto:edwinto...@gmail.com]
> >>>>>> Try using <a href="..."> for the URL.
> >>>>>>
> >>>>> Is that a requirement? If so we should get the spammers on board because
> >>>>> some of them may not know this :).
> >>>> No, there are more places from where URLs can be extracted, but "<a
> >>>> href" is one that must work.
> >>> With modern email clients "helpfully" presenting text that looks like a
> >>> URL as a real URL at the client end, SafeBrowsing really ought to check
> >>> the plain text, not just within html tags. http://pastebin.com/m13232c54
> >>> may be just plain text when transmitted and scanned, but it's an "<a
> >>> href>" by the time I read it: underlined, blue, and turns my cursor to a
> >>> pointy finger with a pop-up box saying "Click to follow link".
> >> I don't imagine the world's premier spammers are sitting at their laptop
> >> in their shorts sending out thousands of spams with Thunderbird. There are
> >> purpose built products for this and can format the mail any way they wish.
> >>
> >
> > What was said is that many MUA, *receiving* a mail with an URL in the
> > text will automatically create a link from it. It has nothing to do
> > with the sending software.
> >
> >
>
> I see - I think we're all recommending that ClamAV detect URLs regardless of
> how they're presented in the message.

While the more opaque methods might be interesting, finding simple plain-text links would be most useful.

Thus far, running the Safebrowsing signatures for 2 days, I have not had a single hit "in the wild", but I am not yet running it on the primary MX. On that same box, in the same time period, I have detected 211 distinct Sanesecurity signatures and one official one (Worm.Mydoom.M - 10 copies) amongst 607 infected mails.

My primary MX sees about 10 times the traffic, so we'll see if it is any better next week when I run the released version, but for now it appears to be a bit of a bust.

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
_______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
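
The gap discussed in this thread, a URL sent as plain text that the receiving MUA turns into a link, shown as an added example (not ClamAV code and not posted by anyone in the thread): a Python extractor that reports `<a href>` targets separately from URLs that appear only as visible text. The sample message, the `.example` hostnames, and the names `HrefParser` and `extract_urls` are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: one URL only in text/plain, one in an <a href>,
# and one bare "www." string inside the HTML part's visible text.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See http://plain.example/path. Thanks.
--b1
Content-Type: text/html; charset="us-ascii"

<p>See <a href="http://href.example/x">this</a> or www.bare.example/y</p>
--b1--
"""

# Strings a typical MUA would auto-link: a scheme or a leading "www."
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.I)

class HrefParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs, self.chunks = [], []  # link targets, visible text
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.chunks.append(data)

def extract_urls(raw):
    """Return (URLs found in <a href>, URLs found only as visible text)."""
    href, text = set(), set()
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if ctype == "text/html":
            parser = HrefParser()
            parser.feed(body)
            href.update(parser.hrefs)
            body = " ".join(parser.chunks)
        # Drop trailing punctuation that an auto-linking MUA would leave out
        text.update(u.rstrip(".,;:!?)") for u in URL_RE.findall(body))
    return href, text - href
```

A scanner that consults only the first set never sees the two URLs in the second set, although the reader's client presents both as clickable links.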