On Sat, Oct 15, 2011 at 12:38 AM, wrote:
And I need to remind you that it hits almost as much ham as spam:
http://ruleqa.spamassassin.org/20111008-r1180336-n/T_SPOOFED_URL/detail
I agree it seems like we should be able to improve it. Maybe make
exceptions for known marketing trackers, as Adam
On Sat, Oct 15, 2011 at 12:38 AM, wrote:
> And I need to remind you that it hits almost as much ham as spam:
> http://ruleqa.spamassassin.org/20111008-r1180336-n/T_SPOOFED_URL/detail
>
> I agree it seems like we should be able to improve it. Maybe make
> exceptions for known marketing trackers, a
On 10/18, Matus UHLAR - fantomas wrote:
> Very nice, however due to these and other circumstances mentioned I
> think that a plugin would be better, since it could define where to
Thanks. It didn't work out, the results were worse than the older rule:
http://ruleqa.spamassassin.org/?daterev=2011
On 14.10.11 18:07, dar...@chaosreigns.com wrote:
Existing rule:
rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\#
:\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
How about this, to only check for a change
Not relevant to the subject. We're talking about where somebody is
maliciously making you think you're clicking on "www.youtube.com" when in
fact you're clicking on "www.ILikeSpam.com".
Somebody linking to one domain with an image hosted on another domain has
plenty of possibility to be legit.
Y
you should be able to check against img src content, right?
2011/10/14 Christian Grunfeld :
> and what about when there is no anchor text in the link ? eg. paypal
> image button
>
>
> 2011/10/14 :
>> Existing rule:
>>
>> rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\#
>> ]{8,
None of these rules will hit that. That's what the second "http" is for.
"Hit the host name part of the href value of an anchor tag, then do *not*
match the same host name in the value part of the anchor, then hit 'href'".
I should've called it SPOOFED_URL_HOST, because this one is matching the
f
and what about when there is no anchor text in the link ? eg. paypal
image button
2011/10/14 :
> Existing rule:
>
> rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\#
> ]{8,29}[^>"'\#
> :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1
Existing rule:
rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\#
]{8,29}[^>"'\#
:\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
How about this, to only check for a changed domain part instead?
rawbody SPOOFED_URL_DOMAIN
On 10/14, dar...@chaosreigns.com wrote:
> rawbody __SPOOFED_URL
> m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\#
> :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
> I agree it seems like we should be able to improve it.
On 10/14, Matus UHLAR - fantomas wrote:
> While I have no doubt there is much of wanted mail with URL and text
> mismatch, I still would like to have such rule.
It exists, you're welcome to copy it out of the rules sandbox and use it,
false positives and all. I already linked to it:
http://svn.ap
On 10/12, Christian Grunfeld wrote:
Many phishing mails exploit the bad knowledge of the difference
between real url and link anchor text by simple users. So they show
On 10/12/2011 2:25 PM, dar...@chaosreigns.com wrote:
Does spamassassin really not have a rule to detect this? I just dug
up
On Wed, 12 Oct 2011, Christian Grunfeld wrote:
> > Modifying headers -might- mess up DKIM, gpg, etc sigs (depending upon
> > how they were done). Modifying bodies -will- mess up sigs.
>
> I was not specifically talking about dkim signed mails. It is clear
> that body rewriting messes up sigs. It is
On Wed, 12 Oct 2011, Christian Grunfeld wrote:
Certainly SA should detect and score such obfuscation, if the FP rate
can be kept low. But controlling what the end user sees in the body of
the mail is properly the MUA's job.
No, MUAs interpret and show html like browsers do and do not
mo
On Wed, 12 Oct 2011, David B Funk wrote:
On Wed, 12 Oct 2011, Bowie Bailey wrote:
The example I gave was taken from a newsletter where the url was
hidden. Almost all email newsletters that I have seen do the same
thing. Currently, most of the spam I'm seeing does not attempt to hide
the url
> Large numbers of spammers use DKIM. We've been under attack for weeks
> now by some outfit who is buying up old, "clean" IP subnets and using it
> to spew their non-pharma, really "clean looking" spam onto us - no
> RBL/SURBL hits for 3-5 *days*, getting scores from 0.5-3.0 - really
> tough - not
On 13/10/11 14:05, Christian Grunfeld wrote:
>
> I was not specifically talking about dkim signed mails. It is clear
> that body rewriting messes up sigs. It is also clear that phishers don't
> use dkim!
>
Large numbers of spammers use DKIM. We've been under attack for weeks
now by some outfit who i
> Modifying headers -might- mess up DKIM, gpg, etc sigs (depending upon
> how they were done). Modifying bodies -will- mess up sigs.
I was not specifically talking about dkim signed mails. It is clear
that body rewriting messes up sigs. It is also clear that phishers don't
use dkim ! and if they do y
On 10/12/2011 11:48 AM, dar...@chaosreigns.com wrote:
> Which uses it as part of SPOOFED_URL (the "__" in the other rule is
> important), which is described as:
> "Has a link whose text is a different URL". But that one hasn't made it
> into the default rule set yet. Ah, it hits 1.1% of spam but
On Wed, 12 Oct 2011, Bowie Bailey wrote:
> The example I gave was taken from a newsletter where the url was
> hidden. Almost all email newsletters that I have seen do the same
> thing. Currently, most of the spam I'm seeing does not attempt to hide
> the url at all.
Not too many spam do that bu
On Wed, 12 Oct 2011, Christian Grunfeld wrote:
> > SA is a scoring filter, not a modification filter. Changing SA to rewrite
> > message bodies is, I think most if all will agree, beyond the scope of what
> > SA is intended to do, and beyond the scope of what it _should_ do.
>
> it does modify head
> SA is a scoring filter, not a modification filter. Changing SA to rewrite
> message bodies is, I think most if all will agree, beyond the scope of what
> SA is intended to do, and beyond the scope of what it _should_ do.
it does modify headers, subjects, why not bodies?
> Certainly SA should
2011/10/12 Bowie Bailey :
> Please keep list traffic on the list.
sorry but you reply only to me first ! Check it!
> On 10/12/2011 3:25 PM, Christian Grunfeld wrote:
>> I see all genuine (non-spam) mails for subscriptions, checking and
>> activating accounts showing the long and crappy url!
>> An
On Wed, 2011-10-12 at 15:46 -0400, Bowie Bailey wrote:
> Currently, most of the spam I'm seeing does not attempt to hide
> the url at all.
>
+1
On Wed, 12 Oct 2011, Christian Grunfeld wrote:
It certainly seems like it would be very useful. I see there's a
__SPOOFED_URL rule, but it's hard to read and doesn't have a description.
This is an issue that comes up on this list occasionally. It sounds
like a good idea at first, but when yo
Please keep list traffic on the list.
On 10/12/2011 3:25 PM, Christian Grunfeld wrote:
> I see all genuine (non-spam) mails for subscriptions, checking and
> activating accounts showing the long and crappy url!
> And when the url is hidden and text is shown you have 99% phishing chance.
> It is tru
On 10/12/2011 1:57 PM, Kelson Vibber wrote:
> Yeah. There's an awful lot of newsletter, opt-in advertisement,
> and even transactional mail traffic that uses URL redirectors for
> click-tracking purposes, and far too often they'll put the
> destination URL (or a simplified form of it) in as the lin
> -Original Message-
> From: Bowie Bailey [mailto:bowie_bai...@buc.com]
>
> This is an issue that comes up on this list occasionally. It sounds like a
> good
> idea at first, but when you start looking into it, you find that there is WAY
> too
> much legitimate email that does this for t
>> It certainly seems like it would be very useful. I see there's a
>> __SPOOFED_URL rule, but it's hard to read and doesn't have a description.
>
> This is an issue that comes up on this list occasionally. It sounds
> like a good idea at first, but when you start looking into it, you find
> that
On 10/12, Christian Grunfeld wrote:
> the point is that I don't think it would be a good idea to let SA give
> a high score based on an "apparently" mismatch between text and url.
SpamAssassin rule QA and optimized score generation infrastructure means
we can find out if it's useful before deployi
On 10/12/2011 2:25 PM, dar...@chaosreigns.com wrote:
> On 10/12, Christian Grunfeld wrote:
>> Many phishing mails exploit the bad knowledge of the difference
>> between real url and link anchor text by simple users. So they show
> Does spamassassin really not have a rule to detect this? I just dug
On 10/12, Christian Grunfeld wrote:
> > It certainly seems like it would be very useful. I see there's a
> > __SPOOFED_URL rule, but it's hard to read and doesn't have a description.
>
> where did you find that rule ?
On my server in the file
/var/lib/spamassassin/3.004000/updates_spamassassin_o
> Rather than tampering with the original mail, surely the solution is to
> clearly detect the mail as spam in the first place so it hopefully never
> reaches the user.
the point is that I don't think it would be a good idea to let SA give
a high score based on an "apparently" mismatch between tex
> It certainly seems like it would be very useful. I see there's a
> __SPOOFED_URL rule, but it's hard to read and doesn't have a description.
where did you find that rule ?
On 10/12/2011 07:01 PM, Christian Grunfeld wrote:
Hi,
I have an idea that I want to discuss with users and developers.
Many phishing mails exploit the bad knowledge of the difference
between real url and link anchor text by simple users. So they show
attractive link text that points to hidden, un
On 10/12, Christian Grunfeld wrote:
> Many phishing mails exploit the bad knowledge of the difference
> between real url and link anchor text by simple users. So they show
Does spamassassin really not have a rule to detect this? I just dug
up a perfect example - trying to look like an email from
Like mailscanner does then :-)
On Wednesday, 12 October 2011, Christian Grunfeld <
christian.grunf...@gmail.com> wrote:
> Hi,
>
> I have an idea that I want to discuss with users and developers.
>
> Many phishing mails exploit the bad knowledge of the difference
> between real url and link anchor