Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
Not relevant to the subject. We're talking about where somebody is maliciously making you think you're clicking on "www.youtube.com" when in fact you're clicking on "www.ILikeSpam.com". Somebody linking to one domain with an image hosted on another domain has plenty of possibility to be legit. Y

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread Christian Grunfeld
you should be able to check against img src content, right? 2011/10/14 Christian Grunfeld : > and what about when there is no anchor text in the link ? eg. paypal > image button > > > 2011/10/14  : >> Existing rule: >> >> rawbody  __SPOOFED_URL  m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# >> ]{8,

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
None of these rules will hit that. That's what the second "http" is for. "Hit the host name part of the href value of an anchor tag, then do *not* match the same host name in the value part of the anchor, then hit 'href'". I should've called it SPOOFED_URL_HOST, because this one is matching the f

Re: New Bayes like paradigm

2011-10-14 Thread darxus
On 10/13, Adam Katz wrote: > PS: As an SA Committer, do I have access to those logs? Don't think so, but you can just ask for a regular masscheck account if you don't already have one, and with that account do: rsync --exclude '*~' -vaz "rsync.spamassassin.org::corpus" ./ -- "I'd rather be hap

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread Christian Grunfeld
and what about when there is no anchor text in the link ? eg. paypal image button 2011/10/14 : > Existing rule: > > rawbody  __SPOOFED_URL  m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# > ]{8,29}[^>"'\# > :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
Existing rule: rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i How about this, to only check for a changed domain part instead? rawbody SPOOFED_URL_DOMAIN

SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
On 10/14, dar...@chaosreigns.com wrote: > rawbody __SPOOFED_URL > m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# > :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i > I agree it seems like we should be able to improve it.

Re: antiphishing

2011-10-14 Thread darxus
On 10/14, Matus UHLAR - fantomas wrote: > While I have no doubt there is much of wanted mail with URL and text > mismatch, I still would like to have such rule. It exists, you're welcome to copy it out of the rules sandbox and use it, false positives and all. I already linked to it: http://svn.ap

Re: antiphishing

2011-10-14 Thread Matus UHLAR - fantomas
On 10/12, Christian Grunfeld wrote: Many phishing mails exploit the bad knowledge of the difference between real url and link anchor text by simple users. So they show On 10/12/2011 2:25 PM, dar...@chaosreigns.com wrote: Does spamassassin really not have a rule to detect this? I just dug up

Monthly tested unofficial Ubuntu releases of SpamAssassin

2011-10-14 Thread darxus
The official SpamAssassin release process drives me nuts, so I set up almost completely automated monthly releases for Ubuntu. Packages in this PPA have been tested at least by me on my server for a month: https://launchpad.net/~spamassassin/+archive/spamassassin-monthly The version I'm currently

Re: Good bye RCVD_IN_HOSTKARMA_BL

2011-10-14 Thread Marc Perkel
On 10/13/2011 9:43 PM, Rob McEwen wrote: On 10/14/2011 12:05 AM, Marc Perkel wrote: OK - I didn't deliberately blacklist them. I found a bug in my yellow listing code No system or person or group of people is perfect and we ALL make mistakes... even big mistakes from time to time... and even