[reordering mail slightly]

On Aug 26, 2006, at 3:07 PM, [EMAIL PROTECTED] wrote:
> I have suggested something like this a few times, and used to hear concerns about valid links not necessarily being the same. These can be put into two groups: one would have links to a "related" server, like cgi.bigcompany.com.

I do some normalization on domain names, but it's pretty limited. That said, it could be extended (e.g. right now it drops a leading www., but it could also drop cgi., etc.). This won't completely take care of the problem, but it might improve it somewhat.

> For the first case I would like to suggest: if the names do not match, check if the IPs are in the same /24.

I'm not sure how effective this would be - I've seen a number of cases of servers being across wildly disparate subnets. Does anyone have a sense of the real-world distribution?

> The other one is totally unrelated, say a marketing company has set up a redirector to count how often each link is visited.
>
> Well, for the other one ..... I would not want to read these mails even if they are not phish.

Agreed -- there are attacks that rely on similar redirection mechanisms and there's a certain level of "if you insist on acting like a scammer I'm going to treat you like one".

> An additional comment about phish: I get a lot of stuff that does not even make it to SA scanning because I do not appear as a recipient. One can probably safely assume that paypal, or any bank, would not send a verification message to 100 recipients at once with a bcc list .... this could serve as a meta rule to triple the score for phish.

I'll have to play with that.

-faisal

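The three checks discussed in the thread (hostname normalization that drops a leading www. or cgi., the same-/24 fallback when the names still differ, and the "I am not a visible recipient" meta rule), as an added worked example. This is not code from the thread or from SpamAssassin; the label list, the hostnames, the resolver and the IP addresses (documentation prefixes) are assumptions made up for the example, and the resolver is a dictionary standing in for DNS so the script runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Leading labels dropped before comparing hostnames.  The thread names www.
# and cgi.; the exact list is an assumption of this example.
STRIP_LABELS = ("www", "cgi")

def normalize_host(host):
    """Lower-case, drop a trailing dot and one leading service label."""
    labels = host.strip().rstrip(".").lower().split(".")
    if len(labels) > 2 and labels[0] in STRIP_LABELS:
        labels = labels[1:]
    return ".".join(labels)

def same_slash24(ip_a, ip_b):
    """True only for two IPv4 addresses in one /24; IPv6 or garbage -> False."""
    try:
        a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    except ValueError:
        return False
    net = lambda ip: ipaddress.ip_network(f"{ip}/24", strict=False)
    return a.version == b.version == 4 and net(a) == net(b)

def hosts_related(shown, target, resolve):
    """Verdict for (visible host, href host); `resolve` maps hostname -> [IP]."""
    if normalize_host(shown) == normalize_host(target):
        return "same"
    if any(same_slash24(x, y)
           for x in resolve(shown.lower()) for y in resolve(target.lower())):
        return "same-/24"
    return "unrelated"

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Link text worth comparing: a URL or a bare hostname, nothing else.
URLISH = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

def host_of(url):
    """Hostname of a URL, or of bare text such as www.bigcompany.com."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""

def check_links(html, resolve):
    """Compare what each link shows the reader with where it really goes."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        if not URLISH.fullmatch(text) or not host_of(href):
            continue  # "Click here" gives nothing to compare: no verdict
        shown, target = host_of(text), host_of(href)
        results.append((shown, target, hosts_related(shown, target, resolve)))
    return results

def hidden_recipient(raw_message, our_addresses):
    """Bcc heuristic from the thread: True if none of our addresses is in To:/Cc:."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    return not (visible & {a.lower() for a in our_addresses})

# Constructed sample data (documentation IP prefixes, made-up hostnames).
FAKE_DNS = {
    "www.bigcompany.com": ["192.0.2.10"], "cgi.bigcompany.com": ["192.0.2.10"],
    "secure3.bigcompany.com": ["192.0.2.44"],
    "www.paypal.com": ["198.51.100.5"], "paypal.example.net": ["203.0.113.9"],
}
fake_resolve = lambda host: FAKE_DNS.get(host, [])
SAMPLE_HTML = """
<p>Tracked: <a href="http://cgi.bigcompany.com/click?id=7">http://www.bigcompany.com/</a></p>
<p>Other box: <a href="http://secure3.bigcompany.com/login">www.bigcompany.com</a></p>
<p>Phish: <a href="http://paypal.example.net/verify">http://www.paypal.com/</a></p>
<p><a href="http://www.paypal.com/">Click here</a></p>
"""
SAMPLE_MSG = "From: service@paypal.example.net\nTo: undisclosed-recipients:;\n\nVerify now.\n"

if __name__ == "__main__":
    print(*check_links(SAMPLE_HTML, fake_resolve), sep="\n")
    print("bcc-only:", hidden_recipient(SAMPLE_MSG, ["faisal@example.com"]))
```

The first link normalizes to the same name, the second only survives through the /24 comparison, and the third is flagged as unrelated; link text that is not a URL is skipped rather than scored, since a mismatch needs something visible to mismatch against. IPv6 addresses are deliberately treated as unrelated: a /24 is an IPv4 notion, and silently comparing v6 prefixes that way would produce verdicts nobody has reasoned about.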