> On 03/21/2011 09:37 AM, Matus UHLAR - fantomas wrote:
> >>> Does anyone successfully use a plugin or at least rules that catch
> >>> fake URLs?
> 
> > I mean URLs pointing to a different address than they appear, like:
> > 
> > <a href="phishing.site/fake/webmail">http://webmail.example.com/</a>

On 21.03.11 13:36, Adam Katz wrote:
> No plugin needed.  __SPOOFED_URL, a rule already shipping with SA, does
> this. Note that it FPs on a significant amount of marketing ham:
> 
> http://ruleqa.spamassassin.org/20110321-r1083702-n/__SPOOFED_URL/detail
> 
>   MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME
>       0   2.8104   5.9645   0.320    0.44   (n/a)  __SPOOFED_URL
> 
> rawbody  __SPOOFED_URL        m/<a\s[^>]{0,99}\bhref=(?:3D)?.?(https?:[^>"' ]{8,30})[^>]{0,99}>(?:[^<]{0,99}<(?!\/a)[^>]{1,99}>)*(?!\1)https?:\/\/[^<]{5}/i

I know about the problem with "legal" mail and spoofed URLs. That's why I
asked about a plugin that would be able to accept whitelists.

I don't see if it's possible to combine this with matching some domains
while not matching others, e.g. allow 

<a href="http://example.com/">http://example.net</a>

while not allowing

<a href="http://example.org/">http://example.net</a>

but I doubt this is possible with this kind of rule.

 
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
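
Added example, not part of the original message and not SpamAssassin code: one way to express the per-pair whitelist asked about above is to parse each anchor and compare the displayed host with the href host against an allowlist of permitted pairs. The ALLOWED_PAIRS table, the function and class names and the sample domains are assumptions, and the input is assumed to be already-decoded HTML.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: displayed host -> hosts its href may really point to.
ALLOWED_PAIRS = {"example.net": {"example.com"}}
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    """Lowercased host of an http(s) or scheme-less URL, else None."""
    url = url.strip()
    if not re.match(r"https?://", url, re.I):
        if re.match(r"[a-z][a-z0-9+.-]*:(?!\d)", url, re.I):
            return None  # mailto:, javascript:, ... are not web links
        url = "http://" + url.lstrip("/")
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

class AnchorAudit(HTMLParser):
    """Collects (displayed_host, href_host) pairs that differ and are not allowlisted."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)  # also collects text inside nested tags

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, target = URL_IN_TEXT.search("".join(self.text)), host_of(self.href)
        display = host_of(shown.group(0)) if shown else None
        if display and target and display != target \
                and target not in ALLOWED_PAIRS.get(display, ()):
            self.mismatches.append((display, target))
        self.href = None

def spoofed_links(html):
    audit = AnchorAudit()
    audit.feed(html)
    audit.close()
    return audit.mismatches
```

Hosts are compared exactly here; treating www.example.com and example.com as the same site would need a registered-domain comparison against a public suffix list.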
