Re: Phishing obfuscated url detection

2004-09-15 Thread Loren Wilton
> Even worse:
> <a href="http://123.456.78.90/page">https://example.com/page</a>
>
> You can throw in a few extra points for an onMouseOver clause
> that sets the status bar to https ... :)

Would you believe that there is no reasonable way to detect that last one currently with SA? Which is a shame, since it

Re: Phishing obfuscated url detection

2004-09-15 Thread Stewart Nelson
Please visit <a href="http://phisher.com/path/to/page">http://example.com/page</a>

Those ones, indeed. And, IMO easier to detect, and worthy of a higher score:
<a href="http://phisher.com/page">https://example.com/page</a>

Even worse:
<a href="http://123.456.78.90/page">https://example.com/page</a>

You can throw in a few extra points

Re: Phishing obfuscated url detection

2004-09-15 Thread Julian Field
At 15:53 15/09/2004, John Wilcock wrote:
On Wed, 15 Sep 2004 10:03:02 -0400, Chris Santerre wrote:
> What about all those image caching services?
> They would all get tagged, which is a large amount of legit newsletters.

I suspect we're talking at cross purposes. I assumed that Julian's original qu

Re: Phishing obfuscated url detection

2004-09-15 Thread John Wilcock
On Wed, 15 Sep 2004 10:03:02 -0400, Chris Santerre wrote:
> What about all those image caching services?
> They would all get tagged, which is a large amount of legit newsletters.

I suspect we're talking at cross purposes. I assumed that Julian's original query was about cases where the text to b

RE: Phishing obfuscated url detection

2004-09-15 Thread Chris Santerre
>-----Original Message-----
>From: Chr. von Stuckrad [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, September 15, 2004 5:41 AM
>To: users@spamassassin.apache.org
>Subject: Re: Phishing obfuscated url detection
>
>
>On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Cha

Re: Phishing obfuscated url detection

2004-09-15 Thread Julian Field
-----Original Message-----
From: Jeff Chan <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Date: Wed, 15 Sep 2004 02:57:13 -0700
Subject: Re: Phishing obfuscated url detection

> On Wednesday, September 15, 2004, 2:41:14 AM, Chr. Stuckrad wrote:
> > On Wed, Sep 15, 2004 at 02:17:1

Re: Phishing obfuscated url detection

2004-09-15 Thread Jesse Houwing
:13 -0700
Subject: Re: Phishing obfuscated url detection

> On Wednesday, September 15, 2004, 2:41:14 AM, Chr. Stuckrad wrote:
> > On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
> >> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> >> > ... I

Re: Phishing obfuscated url detection

2004-09-15 Thread Loren Wilton
> > In most phishing scams, the real address of a URL is unrelated to the link
> > text that appears in the mail client. Is it possible to detect where
> > bar
> > and foo and bar are unrelated domains?
> >
> I guess the question boils down to "can backreferences be used in
> regexes for SA rules"?

Re: Phishing obfuscated url detection

2004-09-15 Thread Jeff Chan
On Wednesday, September 15, 2004, 2:41:14 AM, Chr. Stuckrad wrote:
> On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
>> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
>> > ... Is it possible to detect where
>> > bar
>> > and foo and bar are unrelated domains?
>>
>> Th

Re: Phishing obfuscated url detection

2004-09-15 Thread Chr. von Stuckrad
On Wed, Sep 15, 2004 at 02:17:15AM -0700, Jeff Chan wrote:
> On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> > ... Is it possible to detect where
> > bar
> > and foo and bar are unrelated domains?
>
> That could be a good idea for a rule. It would be nice if it
> could be dete

Re: Phishing obfuscated url detection

2004-09-15 Thread John Wilcock
On Wed, 15 Sep 2004 09:38:30 +0100, Julian Field wrote:
> I have checked the archives, can't find anything directly related to this.
>
> In most phishing scams, the real address of a URL is unrelated to the link
> text that appears in the mail client. Is it possible to detect where
> bar
> and fo

Re: Phishing obfuscated url detection

2004-09-15 Thread Jeff Chan
On Wednesday, September 15, 2004, 1:38:30 AM, Julian Field wrote:
> I have checked the archives, can't find anything directly related to this.
> In most phishing scams, the real address of a URL is unrelated to the link
> text that appears in the mail client. Is it possible to detect where
> bar

Phishing obfuscated url detection

2004-09-15 Thread Julian Field
I have checked the archives, can't find anything directly related to this. In most phishing scams, the real address of a URL is unrelated to the link text that appears in the mail client. Is it possible to detect where bar and foo and bar are unrelated domains? Thanks folks. -- Julian Field