> > > <A HREF="http://hacker.com">http://legit-bank.com</a>
> > >
> > > On top of my mind, I never saw a situation like this in real
> > > life, except in phish emails.
> >
> to be precise, the rule should only trigger if the text between the <a
> href=> and </a> parts of the url has a hostname at all, so that an
> url like <a href="http://www.spamassassin.org">click here to get rid
> of it</a> doesn't trigger it.

I've written a number of rules to check for this, so have others. Yes, it will catch some of the phish. Unfortunately it also catches just an amazing amount of legit mail. I think the last statistics were something like 50/50, or maybe even heavier on the ham side.

It just doesn't seem to occur to anyone writing html that there should be an actual relationship between the real url and the displayed url. Even checking for <a href="http://dotquad">https://mybank.com</a> will get hits on an amazing quantity of ham.

Loren
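
The check discussed in this thread, as an added example that is not part of the original messages and not SpamAssassin's own rule code: it compares the href host with a hostname shown in the link text, skips links whose text has no hostname, and separates the dotted-quad case. The function names, the result labels, and the 192.0.2.10 and .example sample links are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname-looking token in visible link text: optional scheme, dotted labels, alphabetic TLD.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
DOTQUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element; tag case is normalised."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, text):
    """Return 'no_host_in_text', 'match', 'dotquad_mismatch' or 'mismatch'."""
    shown = HOST_IN_TEXT.search(text)
    if not shown:
        return "no_host_in_text"  # "click here" style text: the rule must not fire
    real = (urlsplit(href).hostname or "").lower()
    if real == shown.group(1).lower():
        return "match"
    return "dotquad_mismatch" if DOTQUAD.match(real) else "mismatch"

def scan(html):
    """Classify every link in an HTML body; returns a list of (href, text, verdict)."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(h, t, classify(h, t)) for h, t in parser.links]

# Constructed sample: the first two links are the thread's examples, the last two are made up.
SAMPLE = (
    '<A HREF="http://hacker.com">http://legit-bank.com</a>'
    '<a href="http://www.spamassassin.org">click here to get rid of it</a>'
    '<a href="http://192.0.2.10/login">https://mybank.com</a>'
    '<a href="http://click.mailer.example/r?id=1">www.shop.example</a>'  # newsletter redirector
)
```

The last sample link is the kind of click-tracking redirect found in legitimate bulk mail, and it gets the same verdict as the phish in the first link, which is the false-positive problem described above.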