On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote: >>> Does anyone successfully use plugin or at least rules that catch >>> fake URLs?
> I mean URLs pointing to different address than they appear, like: > > <a href="phishing.site/fake/webmail">http://webmail.example.com/</a> No plugin needed. __SPOOFED_URL, a rule already shipping with SA, does this. Note that it FPs on a significant amount of marketing ham: http://ruleqa.spamassassin.org/20110321-r1083702-n/__SPOOFED_URL/detail MSECS SPAM% HAM% S/O RANK SCORE NAME 0 2.8104 5.9645 0.320 0.44 (n/a) __SPOOFED_URL rawbody __SPOOFED_URL m/<a\s[^>]{0,99}\bhref=(?:3D)?.?(https?:[^>"' ]{8,30})[^>]{0,99}>(?:[^<]{0,99}<(?!\/a)[^>]{1,99}>)*(?!\1)https?:\/\/[^<]{5}/i
signature.asc
Description: OpenPGP digital signature
