On Mon, 2004-12-06 at 18:29, Robert Menschel wrote:
> Hello Wolfgang,
>
> Monday, December 6, 2004, 7:39:09 AM, you wrote:
>
> LW>> That's because such a rule won't work. All manner of real mail ends up
> LW>> sending things that have a real link address different from the one shown in
> LW>> the link. Often it is a very minor difference, like https vs http, but
> LW>> sometimes there are no points of reality at all between them. This shows up
> LW>> a lot in stuff generated from databases.
>
> WH> if there is a visible url to a different server than the one in
> WH> real url, I would not only want to tag that as possible spam, but
> WH> rather have a nice red 20pt headline added to the mail: WARNING -
> WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED
>
> As the current ninja maintaining the SARE URI rules file (though not
> the fraud or spoof files), I gladly invite you to develop such a rule.
> If you can offer us a rule that does what you want, and in our testing
> does not hit excessively on non-spam, we'll gladly include it in our
> SARE rules file, and will support your submission of that rule to the
> SA developers.
>
> At this point in time, I can't think of a good (efficient) way to do
> this that wouldn't also hit huge numbers of non-spam.
>
> Bob Menschel

Just a note of information, for those looking to stop phishing attacks: the open source anti-virus program ClamAV has added signatures for several phishing emails. When this is used, they will be blocked before they ever hit SpamAssassin.

Obviously, these are tailored for each specific message, so it's not a generic solution, but it can help. Currently, there are signatures for 18 different banking phish and two auction phish.

http://www.clamav.net/

-Bill
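
An added illustration, not part of either message and not a SARE or SpamAssassin rule: a Python example of the visible-versus-real link host comparison discussed in the quoted thread, run over constructed HTML bodies. The function names and sample domains are assumptions; comparing hosts tolerates the http/https difference, but a constructed tracking-redirect newsletter link is flagged just like the constructed forged link.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_IN_TEXT = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)

def host_of(url):
    """Lower-cased hostname of a URL; a bare 'www.' form gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed netloc, e.g. an unclosed IPv6 bracket
        return ""

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (visible_host, real_host) for anchors whose text shows a URL on another host."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        shown = URL_IN_TEXT.search(text)  # only link text that is itself a URL is compared
        visible, real = host_of(shown.group(0)) if shown else "", host_of(href)
        if visible and real and visible != real:
            hits.append((visible, real))
    return hits

# Constructed sample bodies using reserved example domains, not real mail.
PHISH = '<a href="http://203.0.113.7/login">https://www.bank.example/login</a>'
SCHEME_ONLY = '<a href="https://shop.example/cart">http://shop.example/cart</a>'
NEWSLETTER = '<a href="http://click.mailer.example/r?id=42">www.shop.example/sale</a>'
```
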