I filed a bug for this issue on Bugzilla (#8186) but so far no response from
developers.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8186
We're seeing literally millions of phishing spams from Tencent VMs in
Singapore targeting mostly Amazon Japan that are getting around SA checks
because of this issue.
I am wondering how many other users are seeing this problem which allows
spammers to circumvent URI checks in links in spam (i.e. hide the payload
sites).
They do it by prefixing the href= attribute in an HTML <a href="..."> tag
with letters and a slash, for example:
<a h/href="https://some.phishing.site">https://amazon.co.jp</a>
Both Chrome and mail clients like Mozilla Thunderbird discard that "h/"
prefix (perhaps treating it as a separate unrecognizable attribute, like "<a
h href="...") and display a clickable link to the payload site while
SpamAssassin will not see the URI and therefore not run it through any of the
rules for URIs.
This means even if the bad site is listed on domain RBLs (SURBL, Spamhaus or
URIBL), the mail is not tagged for that.
Joe Wein
SURBL
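
One way to flag the parser differential described above, as an added example that is not part of the original post and not SpamAssassin's code. It compares a hypothetical strict href scanner (an assumption, standing in for any extractor that misses the prefixed form) with Python's browser-like tolerant `html.parser`, and reports links only the tolerant parser sees; the sample markup is constructed from the pattern in the post.

```python
import re
from html import unescape
from html.parser import HTMLParser

# Hypothetical strict scanner: accepts href only when whitespace precedes it.
# Assumption for illustration; this is not SpamAssassin's actual parser.
STRICT_HREF = re.compile(
    r"""<a\s[^>]*?(?<=\s)href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

def strict_hrefs(html):
    """URLs found by the strict scanner (entity-decoded for fair comparison)."""
    return [unescape(next(g for g in m.groups() if g is not None))
            for m in STRICT_HREF.finditer(html)]

class AnchorHrefs(HTMLParser):
    """Tolerant extraction: '/' after an attribute name ends that attribute,
    so 'h/href' yields an empty 'h' attribute followed by a real 'href'."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def tolerant_hrefs(html):
    parser = AnchorHrefs()
    parser.feed(html)
    parser.close()
    return parser.hrefs

def hidden_hrefs(html):
    """Links a mail client would render but the strict scanner never saw."""
    seen = set(strict_hrefs(html))
    return [u for u in tolerant_hrefs(html) if u not in seen]

# Constructed samples following the pattern in the post.
OBFUSCATED = '<a h/href="https://some.phishing.site">https://amazon.co.jp</a>'
BENIGN = '<a class="x" href="https://example.com/?a=1&amp;b=2">ok</a>'

if __name__ == "__main__":
    for body in (OBFUSCATED, BENIGN, BENIGN + OBFUSCATED):
        print(hidden_hrefs(body))
```

Any URL returned by `hidden_hrefs` can be passed to the same domain blocklist lookups as ordinary links, and a non-empty result is itself a useful signal for scoring.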