> > In most phishing scams, the real address of a URL is unrelated to the link
> > text that appears in the mail client. Is it possible to detect where
> > <A HREF="foo">bar</A>
> > and foo and bar are unrelated domains?
> >
> I guess the question boils down to "can backreferences be used in
> regexes for SA rules"? If so, the combined wisdom of the list ought to
> be able to come up with a suitable rule...

And the answer is... Grab the SARE phishing rules.  Although I don't think
any of them use backreferences for catching that sort of thing.

        Loren
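
The check asked about in the thread (visible link text naming one domain while the HREF points at another), as an added Python example; it is not a SpamAssassin rule and is not taken from the SARE rule set. The function names and the sample HTML are constructed for illustration, and comparing only the last two host labels is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Assumption: last two labels approximate the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class AnchorAudit(HTMLParser):
    """Collects (shown_host, real_host) pairs where the two disagree."""
    def __init__(self):
        super().__init__()
        self.href = None      # href of the <a> currently open, if any
        self.text = []        # visible text collected inside that <a>
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real = urlsplit(self.href).hostname or ""
        shown = HOST_RE.search("".join(self.text))
        # Only flag links whose text itself claims to be a host or URL.
        if real and shown and base_domain(shown.group(1)) != base_domain(real):
            self.mismatches.append((shown.group(1).lower(), real))
        self.href = None

def find_mismatched_links(html):
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches

# Constructed sample body: two deceptive links, two benign ones.
SAMPLE = """<A HREF="http://login.evil.example/x">www.bank.example</A>
<a href="https://www.bank.example/help">bank.example</a>
<a href="http://other.example/">Click here</a>
<a href="http://203.0.113.7/"><b>https://secure.bank.example</b></a>"""
```

Links whose text is not itself a hostname ("Click here") are deliberately not flagged, since there is nothing to compare the HREF against.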
