Has any thought been given to creating a rule that looks for "forged"
links? Here's one I got today in a phishing scam:
<A
href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/chase.com/index.htm">
<FONT face="Times New Roman" color=#0000ff style="font-size: 13pt">
http://www.chase.com/verification.asp</FONT></A>
So how hard would it be to create a rule that triggers if the href
(http://www.createtokill-clan.de...) doesn't match the url that is
displayed (http://www.chase.com...) or at least contain the same
domain? I realize this is mostly done with phishing scams but it's not
unheard of for spammers to use this technique too. I've not seen a SA
rule that triggers on this specifically. Any thoughts?
Jay
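
One way to implement the check asked about above (href domain versus the domain of the URL shown as link text), as an added Python example that is not part of the original post and is not SpamAssassin code. The names `forged_links`, `host_of` and `base_domain` are hypothetical, and "same domain" is approximated by the last two host labels, an assumption that misjudges suffixes such as `.co.uk`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The anchor quoted in the post, embedded as sample input.
SAMPLE = '''<A
href="http://www.createtokill-clan.de/onlineshop/catalog/images/admin/chase.com/index.htm">
<FONT face="Times New Roman" color=#0000ff style="font-size: 13pt">
http://www.chase.com/verification.asp</FONT></A>'''
URL_IN_TEXT = re.compile(r'\b(?:https?://|www\.)[^\s<>"]+', re.I)

def host_of(url):
    """Lower-cased hostname; scheme-less 'www.x.com/...' text is accepted."""
    url = url if "://" in url else "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def base_domain(host):
    """Naive registrable domain: last two labels (assumption, no public suffix list)."""
    return ".".join(host.split(".")[-2:])

class AnchorCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def forged_links(html):
    """Return (href_host, displayed_host) for anchors whose visible URL names another domain."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        shown = URL_IN_TEXT.search(text)  # text like "Click here" claims no target
        real = host_of(href)
        claimed = host_of(shown.group(0)) if shown else ""
        if real and claimed and base_domain(real) != base_domain(claimed):
            hits.append((real, claimed))
    return hits
```

Link text that contains no URL is skipped on purpose, since only a displayed URL makes a claim about where the link goes.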