On Sat, 2009-07-25 at 15:59 +0100, Mike Cardwell wrote: > Just checking through my Spam folder and I came across a message that > contained this in the html:
Hey, it was classified spam. ;) And it's a phish anyway... > <a target="_blank" href="http://www.example.net";>https://www.example.com</a> > How would you create a rule which matched when the anchor text is a url > which uses a different domain to the anchor href? I'm with mouss and Matt, that is FP prone. *Might* make a somewhat decent meta, with carefully picked rules, though. Anyway, there's something better than the domain mis-match. It's a protocol mis-match, pretending false security. For either one, URIDetail [1] would be the way to go. Specifically, have a look at its FAKE_HTTPS example. ;) guenther [1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
