Kelson wrote:
[EMAIL PROTECTED] wrote:
<A HREF="http://hacker.com">http://legit-bank.com</a>

On top of my mind, I never saw a situation like this in real life,
except in phish emails.

I see this all the time in promotional emails (spam, not phish) to track clickthrough.

I see it on legit mail too, including a couple of newsletters and, in one case, an "item not won" notice from eBay. Yes, it was legit. This has caused a number of legit messages to trip Thunderbird's new phishing filter.

It's a poor practice, and in the case of eBay they seem to do the right thing on their other notices (either matching the URL to the text or using descriptive link text instead of a hostname), but sad to say there *is* legit mail that uses redirectors in this fashion.

So it's worth scoring, but not safe to score too highly or use as rejection criteria unless you whitelist the legit senders (or convince them to change their ways).

My point is that I want to make this check an "integrity check". If you choose to display a URL, then it must match the real URL, nothing else. Too bad if it is classified as a false-positive. The benefits in helping stop "phishers" are way larger than the advantage of displaying a different URL than the advertised one.

Also, I will feel better if an email is classified as a false-positive if it has hits on this rule than any other rule, because I can say that the sender is in part related to classification error.

--
Richard Leroy
[EMAIL PROTECTED]
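The check discussed in this thread, sketched as an added example (not code from any poster or from an existing filter): it flags anchors whose visible text is itself a URL but names a different host than the `href`. The function names, the exact-hostname comparison and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text counts as a "displayed URL" only if it looks like one.
URLISH = re.compile(r"^(?:https?://|www\.)\S+$", re.I)

def _host(url):
    """Lower-cased hostname; scheme-less text such as www.x.com is accepted."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):   # tag/attr names arrive lower-cased
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return (displayed_url, real_href) pairs whose hostnames differ."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        if not URLISH.match(text):
            continue            # descriptive link text: nothing to compare
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            hits.append((text, href))
    return hits

# Constructed sample: the thread's example, a matching link, a descriptive link.
SAMPLE = ('<A HREF="http://hacker.com">http://legit-bank.com</a> '
          '<a href="http://legit-bank.com/login">http://legit-bank.com</a> '
          '<a href="http://track.example/r?id=1">Click here</a>')
```

Because the comparison is exact, the legitimate redirector links mentioned in the thread would also be reported, so the result is better fed into a score than used alone as a rejection criterion.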
