
Mailing List Archive: SpamAssassin: users

antiphishing

 

 



christian.grunfeld at gmail

Oct 12, 2011, 11:01 AM

Post #1 of 30 (1369 views)
Permalink
antiphishing

Hi,

I have an idea that I want to discuss with users and developers.

Many phishing mails exploit the bad knowledge of the difference
between real url and link anchor text by simple users. So they show
attractive link text that points to hidden, unrecognized and evil urls.
eg: exe files hidden by photo names, etc.

My idea is to have a rewrite engine in spamassassin that can rewrite
real url in place of the link anchor text or at least to write it near
the anchor text without removing it. In that way people can check if
both agree or if the url is known or unknown. It would be another step
before the "inevitable click" :p

The link functionality is not broken in any case (good or evil link)
so genuine links can be followed and evil links can be warned !

In summary...replace text between <a> and </a> by the href or add the
href next to the text with an ascii arrow (-->) or something like
that.

Cheers !


maxsec at gmail

Oct 12, 2011, 11:18 AM

Post #2 of 30 (1370 views)
Permalink
Re: antiphishing [In reply to]

Like mailscanner does then :-)

On Wednesday, 12 October 2011, Christian Grunfeld <
christian.grunfeld [at] gmail> wrote:
> Hi,
>
> I have an idea that I want to discuss with users and developers.
>
> Many phishing mails exploit the bad knowledge of the difference
> between real url and link anchor text by simple users. So they show
> attractive link text that points to hidden, unrecognized and evil urls.
> eg: exe files hidden by photo names, etc.
>
> My idea is to have a rewrite engine in spamassassin that can rewrite
> real url in place of the link anchor text or at least to write it near
> the anchor text without removing it. In that way people can check if
> both agree or if the url is known or unknown. It would be another step
> before the "inevitable click" :p
>
> The link functionality is not broken in any case (good or evil link)
> so genuine links can be followed and evil links can be warned !
>
> In summary...replace text between <a> and </a> by the href or add the
> href next to the text with an ascii arrow (-->) or something like
> that.
>
> Cheers !
>

--
--
Martin Hepworth
Oxford, UK


darxus at chaosreigns

Oct 12, 2011, 11:25 AM

Post #3 of 30 (1366 views)
Permalink
Re: antiphishing [In reply to]

On 10/12, Christian Grunfeld wrote:
> Many phishing mails exploit the bad knowledge of the difference
> between real url and link anchor text by simple users. So they show

Does spamassassin really not have a rule to detect this? I just dug
up a perfect example - trying to look like an email from youtube, with
something like
'<a href="http://phishingjunk.com">http://www.youtube.com/stuff</a>',
and it didn't hit any rule that seemed relevant to that bit of deception.

It certainly seems like it would be very useful. I see there's a
__SPOOFED_URL rule, but it's hard to read and doesn't have a description.

--
"I would believe only in a God that knows how to Dance." - Nietzsche
http://www.ChaosReigns.com


ned at unixmail

Oct 12, 2011, 11:32 AM

Post #4 of 30 (1362 views)
Permalink
Re: antiphishing [In reply to]

On 10/12/2011 07:01 PM, Christian Grunfeld wrote:
> Hi,
>
> I have an idea that I want to discuss with users and developers.
>
> Many phishing mails exploit the bad knowledge of the difference
> between real url and link anchor text by simple users. So they show
> attractive link text that points to hidden, unrecognized and evil urls.
> eg: exe files hidden by photo names, etc.
>
> My idea is to have a rewrite engine in spamassassin that can rewrite
> real url in place of the link anchor text or at least to write it near
> the anchor text without removing it. In that way people can check if
> both agree or if the url is known or unknown. It would be another step
> before the "inevitable click" :p
>
> The link functionality is not broken in any case (good or evil link)
> so genuine links can be followed and evil links can be warned !
>
> In summary...replace text between <a> and </a> by the href or add the
> href next to the text with an ascii arrow (-->) or something like
> that.
>
> Cheers !
>

Rather than tampering with the original mail, surely the solution is to
clearly detect the mail as spam in the first place so it hopefully never
reaches the user.

History has taught me that if there's a link, someone *will* click on it
regardless of how obvious it might be to you or I that the link is
malicious.


christian.grunfeld at gmail

Oct 12, 2011, 11:39 AM

Post #5 of 30 (1366 views)
Permalink
Re: antiphishing [In reply to]

> It certainly seems like it would be very useful.  I see there's a
> __SPOOFED_URL rule, but it's hard to read and doesn't have a description.

where did you find that rule ?


christian.grunfeld at gmail

Oct 12, 2011, 11:47 AM

Post #6 of 30 (1364 views)
Permalink
Re: antiphishing [In reply to]

> Rather than tampering with the original mail, surely the solution is to
> clearly detect the mail as spam in the first place so it hopefully never
> reaches the user.

the point is that I don't think it would be a good idea to let SA give
a high score based on an "apparently" mismatch between text and url.

> History has taught me that if there's a link, someone *will* click on it
> regardless of how obvious it might be to you or I that the link is
> malicious.

I think the same as you! that's why I said "another" step before the
click......but that step may be useful


darxus at chaosreigns

Oct 12, 2011, 11:48 AM

Post #7 of 30 (1361 views)
Permalink
Re: antiphishing [In reply to]

On 10/12, Christian Grunfeld wrote:
> > It certainly seems like it would be very useful.  I see there's a
> > __SPOOFED_URL rule, but it's hard to read and doesn't have a description.
>
> where did you find that rule ?

On my server in the file
/var/lib/spamassassin/3.004000/updates_spamassassin_org/72_active.cf

Looks like it comes from:
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/khopesh/20_khop_experimental.cf?view=markup
Which uses it as part of SPOOFED_URL (the "__" in the other rule is
important), which is described as:
"Has a link whose text is a different URL". But that one hasn't made it
into the default rule set yet. Ah, it hits 1.1% of spam but also 0.7% of
non-spam, shame:
http://ruleqa.spamassassin.org/?daterev=20111008-r1180336-n&rule=%2Fspoofed
(it got a T_ prepended to it due to being in testing)

Wonder what it's hitting in non-spam. And if it could be improved by just
checking for domain mismatch instead of complete url match, if it's not
doing that already.

--
"Of course there's strength in numbers. But there's strength in sharp
weaponry too. Ironically, this lead to what we call 'civilization'."
- spore
http://www.ChaosReigns.com


Bowie_Bailey at BUC

Oct 12, 2011, 11:49 AM

Post #8 of 30 (1369 views)
Permalink
Re: antiphishing [In reply to]

On 10/12/2011 2:25 PM, darxus [at] chaosreigns wrote:
> On 10/12, Christian Grunfeld wrote:
>> Many phishing mails exploit the bad knowledge of the difference
>> between real url and link anchor text by simple users. So they show
> Does spamassassin really not have a rule to detect this? I just dug
> up a perfect example - trying to look like an email from youtube, with
> something like
> '<a href="http://phishingjunk.com">http://www.youtube.com/stuff</a>',
> and it didn't hit any rule that seemed relevant to that bit of deception.
>
> It certainly seems like it would be very useful. I see there's a
> __SPOOFED_URL rule, but it's hard to read and doesn't have a description.

This is an issue that comes up on this list occasionally. It sounds
like a good idea at first, but when you start looking into it, you find
that there is WAY too much legitimate email that does this for the rule
to be useful.

--
Bowie


darxus at chaosreigns

Oct 12, 2011, 11:52 AM

Post #9 of 30 (1369 views)
Permalink
Re: antiphishing [In reply to]

On 10/12, Christian Grunfeld wrote:
> the point is that I don't think it would be a good idea to let SA give
> a high score based on an "apparently" mismatch between text and url.

SpamAssassin rule QA and optimized score generation infrastructure means
we can find out if it's useful before deploying it, and then calculate
a score for the rule that has the optimal impact on spam filtration
accuracy.

And according to the ruleqa results, you're right, it wouldn't be good to
give a high score on mismatched href and value. Now I want to know why,
and how it can be improved, because it seems likely to be useful.

--
"Where are you going and what do you wish?"
- The Old Moon, to Winkin' Blinkin' and Nod
http://www.ChaosReigns.com


christian.grunfeld at gmail

Oct 12, 2011, 11:55 AM

Post #10 of 30 (1366 views)
Permalink
Re: antiphishing [In reply to]

>> It certainly seems like it would be very useful.  I see there's a
>> __SPOOFED_URL rule, but it's hard to read and doesn't have a description.
>
> This is an issue that comes up on this list occasionally.  It sounds
> like a good idea at first, but when you start looking into it, you find
> that there is WAY too much legitimate email that does this for the rule
> to be useful.

But I didn't talk about a rule that adds a score ! I talk about writing
the real url in the body next to the anchor text and let the user see if
both "agree" or not or if the url looks familiar to him.


KV at tollfreeforwarding

Oct 12, 2011, 11:57 AM

Post #11 of 30 (1364 views)
Permalink
RE: antiphishing [In reply to]

> -----Original Message-----
> From: Bowie Bailey [mailto:Bowie_Bailey [at] BUC]
>
> This is an issue that comes up on this list occasionally. It sounds like a good
> idea at first, but when you start looking into it, you find that there is WAY too
> much legitimate email that does this for the rule to be useful.

Yeah. There's an awful lot of newsletter, opt-in advertisement, and even transactional mail traffic that uses URL redirectors for click-tracking purposes, and far too often they'll put the destination URL (or a simplified form of it) in as the link text.

It's a horrible practice, IMO, since it essentially trains people to ignore what should be a major phishing indicator, but it's also very common.

--Kelson Vibber


noeldude at gmail

Oct 12, 2011, 12:02 PM

Post #12 of 30 (1369 views)
Permalink
Re: antiphishing [In reply to]

On 10/12/2011 1:57 PM, Kelson Vibber wrote:
> Yeah. There's an awful lot of newsletter, opt-in advertisement,
> and even transactional mail traffic that uses URL redirectors for
> click-tracking purposes, and far too often they'll put the
> destination URL (or a simplified form of it) in as the link text.

Yes. And banks, paypal, facebook, and other phishing targets are
frequent offenders of this. Modifying the link is not the answer
since some of these legit sites are finally starting to DKIM sign mail.


> It's a horrible practice, IMO, since it essentially trains people to ignore what should be a major phishing indicator, but it's also very common.

+1


-- Noel Jones


Bowie_Bailey at BUC

Oct 12, 2011, 12:46 PM

Post #13 of 30 (1367 views)
Permalink
Re: antiphishing [In reply to]

Please keep list traffic on the list.

On 10/12/2011 3:25 PM, Christian Grunfeld wrote:
> I see all genuine (non-spam) mails for subscriptions, checking and
> activating accounts showing the long and crappy url !
> And when the url is hidden and text is shown you have 99% phishing chance.
> It is true that other good mails like paypal ones sends you a button
> and it would be bad idea to show the url inline.
>
>
> 2011/10/12 Bowie Bailey <Bowie_Bailey [at] buc>:
>>
>> Right. I wasn't referring to your idea, I was replying to someone else
>> who mentioned the __SPOOFED_URL rule.
>>
>> Writing in the real url is certainly an option and maybe not even a bad
>> idea in certain cases. However, just keep in mind that this will be
>> UGLY. In most cases (of non-spam) the real url is some sort of long,
>> obnoxious tracking url.
>>
>> Do you really want to stick something like this:
>>
>> http://engage.advancedpublishing.com/t?r=45&c=17003&l=1046&ctl=50580:22813295B3FE26F750565933A5FBF73C4E8B5F87901A15B8&
>>
>> in the middle of one of your boss's nicely formatted html email
>> newsletters? (Just a random link pulled out of an email
>> newsletter...and I've seen much worse)
>>
>> I think it's better to train people to pay attention to what they
>> click. The people who can't be trained to do this are the same people
>> who will click the link even if you show them the real url.


The example I gave was taken from a newsletter where the url was
hidden. Almost all email newsletters that I have seen do the same
thing. Currently, most of the spam I'm seeing does not attempt to hide
the url at all.

--
Bowie


jhardin at impsec

Oct 12, 2011, 1:18 PM

Post #14 of 30 (1367 views)
Permalink
Re: antiphishing [In reply to]

On Wed, 12 Oct 2011, Christian Grunfeld wrote:

>>> It certainly seems like it would be very useful.  I see there's a
>>> __SPOOFED_URL rule, but it's hard to read and doesn't have a description.
>>
>> This is an issue that comes up on this list occasionally.  It sounds
>> like a good idea at first, but when you start looking into it, you find
>> that there is WAY too much legitimate email that does this for the rule
>> to be useful.
>
> But I didn't talk about a rule that adds a score ! I talk about writing
> the real url in the body next to the anchor text and let the user see if
> both "agree" or not or if the url looks familiar to him.

SA is a scoring filter, not a modification filter. Changing SA to rewrite
message bodies is, I think most if not all will agree, beyond the scope of
what SA is intended to do, and beyond the scope of what it _should_ do.

Certainly SA should detect and score such obfuscation, if the FP rate can
be kept low. But controlling what the end user sees in the body of the
mail is properly the MUA's job.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XXIX: The enemy of my enemy is my enemy's enemy. No more.
No less.
-----------------------------------------------------------------------
307 days since the first successful private orbital launch (SpaceX)


martin at gregorie

Oct 12, 2011, 2:15 PM

Post #15 of 30 (1367 views)
Permalink
Re: antiphishing [In reply to]

On Wed, 2011-10-12 at 15:46 -0400, Bowie Bailey wrote:

> Currently, most of the spam I'm seeing does not attempt to hide
> the url at all.
>
+1


christian.grunfeld at gmail

Oct 12, 2011, 2:53 PM

Post #16 of 30 (1363 views)
Permalink
Re: antiphishing [In reply to]

2011/10/12 Bowie Bailey <Bowie_Bailey [at] buc>:
> Please keep list traffic on the list.

sorry but you reply only to me first ! Check it!

> On 10/12/2011 3:25 PM, Christian Grunfeld wrote:
>> I see all genuine (non-spam) mails for subscriptions, checking and
>> activating accounts showing the long and crappy url !
>> And when the url is hidden and text is shown you have 99% phishing chance.
>> It is true that other good mails like paypal ones sends you a button
>> and it would be bad idea to show the url inline.
>>
>>
>> 2011/10/12 Bowie Bailey <Bowie_Bailey [at] buc>:
>>>
>>> Right.  I wasn't referring to your idea, I was replying to someone else
>>> who mentioned the __SPOOFED_URL rule.
>>>
>>> Writing in the real url is certainly an option and maybe not even a bad
>>> idea in certain cases.  However, just keep in mind that this will be
>>> UGLY.  In most cases (of non-spam) the real url is some sort of long,
>>> obnoxious tracking url.
>>>
>>> Do you really want to stick something like this:
>>>
>>> http://engage.advancedpublishing.com/t?r=45&c=17003&l=1046&ctl=50580:22813295B3FE26F750565933A5FBF73C4E8B5F87901A15B8&
>>>
>>> in the middle of one of your boss's nicely formatted html email
>>> newsletters?  (Just a random link pulled out of an email
>>> newsletter...and I've seen much worse)
>>>
>>> I think it's better to train people to pay attention to what they
>>> click.  The people who can't be trained to do this are the same people
>>> who will click the link even if you show them the real url.
>
>
> The example I gave was taken from a newsletter where the url was
> hidden.  Almost all email newsletters that I have seen do the same
> thing.  Currently, most of the spam I'm seeing does not attempt to hide
> the url at all.

certainly we are seeing different spam !


christian.grunfeld at gmail

Oct 12, 2011, 2:59 PM

Post #17 of 30 (1374 views)
Permalink
Re: antiphishing [In reply to]

> SA is a scoring filter, not a modification filter. Changing SA to rewrite
> message bodies is, I think most if not all will agree, beyond the scope of what
> SA is intended to do, and beyond the scope of what it _should_ do.

it does modify headers, subjects....why not bodies ?

> Certainly SA should detect and score such obfuscation, if the FP rate can be
> kept low. But controlling what the end user sees in the body of the mail is
> properly the MUA's job.

No, MUAs interpret and show html like browsers do and do not
modify it. Detecting such obfuscation can be as difficult as trying to get SA to
decode a captcha ! Humans can do that task better !


dbfunk at engineering

Oct 12, 2011, 4:36 PM

Post #18 of 30 (1350 views)
Permalink
Re: antiphishing [In reply to]

On Wed, 12 Oct 2011, Christian Grunfeld wrote:

> > SA is a scoring filter, not a modification filter. Changing SA to rewrite
> > message bodies is, I think most if not all will agree, beyond the scope of what
> > SA is intended to do, and beyond the scope of what it _should_ do.
>
> it does modify headers, subjects....why not bodies ?

Modifying headers -might- mess up DKIM, gpg, etc sigs (depending upon
how they were done). Modifying bodies -will- mess up sigs.

Mucking up a header might render it useless but will leave the message
mostly readable, messing up the body may well render the message
useless.


> > Certainly SA should detect and score such obfuscation, if the FP rate can be
> > kept low. But controlling what the end user sees in the body of the mail is
> > properly the MUA's job.
>
> No, MUAs interpret and show html like browsers do and do not
> modify it. Detecting such obfuscation can be as difficult as trying to get SA to
> decode a captcha ! Humans can do that task better !

Umm, you've never seen Thunderbird warnings such as:

"To protect your privacy Thunderbird has blocked remote content in this message"



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


dbfunk at engineering

Oct 12, 2011, 4:42 PM

Post #19 of 30 (1345 views)
Permalink
Re: antiphishing [In reply to]

On Wed, 12 Oct 2011, Bowie Bailey wrote:

> The example I gave was taken from a newsletter where the url was
> hidden. Almost all email newsletters that I have seen do the same
> thing. Currently, most of the spam I'm seeing does not attempt to hide
> the url at all.

Not too many spam do that but almost all phish that I've seen do.

The point being that the number of legitimate messages that obfuscate
the URL renders this potential antiphish technique too FP prone to
be trustworthy. (sigh).

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


antispam at khopis

Oct 12, 2011, 6:03 PM

Post #20 of 30 (1348 views)
Permalink
Re: antiphishing [In reply to]

On 10/12/2011 11:48 AM, darxus [at] chaosreigns wrote:
> Which uses it as part of SPOOFED_URL (the "__" in the other rule is
> important), which is described as:
> "Has a link whose text is a different URL". But that one hasn't made it
> into the default rule set yet. Ah, it hits 1.1% of spam but also 0.7% of
> non-spam, shame:
> http://ruleqa.spamassassin.org/?daterev=20111008-r1180336-n&rule=%2Fspoofed
> (it got a T_ prepended to it due to being in testing)
>
> Wonder what it's hitting in non-spam. And if it could be improved by just
> checking for domain mismatch instead of complete url match, if it's not
> doing that already.

As noted in the comment right next to the rule, most of those hits are
marketing trackers. Another abutting comment notes that LeadLander has
a truncation habit that used to cause it to mis-fire. There are also
abbreviations, parsing errors (not necessarily from SA), and probably
also link shorteners and gags.

I was a little out of sync with subversion. This is now fixed.

While the new version is a bit better, it's still nowhere near good
enough to become a stand-alone rule, even with all the help I tried to
give it.
Attachments: signature.asc (0.26 KB)


christian.grunfeld at gmail

Oct 12, 2011, 6:05 PM

Post #21 of 30 (1344 views)
Permalink
Re: antiphishing [In reply to]

> Modifying headers -might- mess up DKIM, gpg, etc sigs (depending upon
> how they were done). Modifying bodies -will- mess up sigs.

I was not specifically talking about dkim signed mails. It is clear
that body rewriting messes up sigs. It is also clear that phishers don't
use dkim ! and if they do you have the certainty that the originating
domain has nothing to do with what the content claims to be !...unless
the phishing comes from the same domain ! (really bizarre) ! :D


Jason_Haar at trimble

Oct 12, 2011, 6:19 PM

Post #22 of 30 (1348 views)
Permalink
Re: antiphishing [In reply to]

On 13/10/11 14:05, Christian Grunfeld wrote:
>
> I was not specifically talking about dkim signed mails. It is clear
> that body rewriting messes up sigs. It is also clear that phishers don't
> use dkim !
>

Large numbers of spammers use DKIM. We've been under attack for weeks
now by some outfit who is buying up old, "clean" IP subnets and using it
to spew their non-pharma, really "clean looking" spam onto us - no
RBL/SURBL hits for 3-5 *days*, getting scores from 0.5-3.0 - really
tough - nothing to write content rules for.

All of it DKIM signed and SPF'ed. I ended up building my own RBL just
so we could catch it :-(

> and if they do you have the certainty that the originating
> domain has nothing to do with what the content claims to be !...unless
> the phishing comes from the same domain ! (really bizarre) ! :D
>

Well, that's the case for the above-mentioned spam too. All the spam has
links to websites that are part of the same domain as the email -
running on webservers in the same subnets. :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


christian.grunfeld at gmail

Oct 12, 2011, 7:13 PM

Post #23 of 30 (1343 views)
Permalink
Re: antiphishing [In reply to]

> Large numbers of spammers use DKIM. We've been under attack for weeks
> now by some outfit who is buying up old, "clean" IP subnets and using it
> to spew their non-pharma, really "clean looking" spam onto us - no
> RBL/SURBL hits for 3-5 *days*, getting scores from 0.5-3.0 - really
> tough - nothing to write content rules for.
>
> All of it DKIM signed and SPF'ed. I ended up building my own RBL just
> so we could catch it :-(
>
> Well, that's the case for the above-mentioned spam too. All the spam has
> links to websites that are part of the same domain as the email -
> running on webservers in the same subnets. :-(

really a pathological scenario !
yes...for particular case you end up writing rules....but I think your
case is not the general one


jhardin at impsec

Oct 12, 2011, 7:44 PM

Post #24 of 30 (1344 views)
Permalink
Re: antiphishing [In reply to]

On Wed, 12 Oct 2011, David B Funk wrote:

> On Wed, 12 Oct 2011, Bowie Bailey wrote:
>
>> The example I gave was taken from a newsletter where the url was
>> hidden. Almost all email newsletters that I have seen do the same
>> thing. Currently, most of the spam I'm seeing does not attempt to hide
>> the url at all.
>
> Not too many spam do that but almost all phish that I've seen do.
>
> The point being that the number of legitimate messages that obfuscate
> the URL renders this potential antiphish technique too FP prone to
> be trustworthy. (sigh).

Possibly as one factor in a set of phishy signs...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Vista: because the audio experience is *far* more important than
network throughput.
-----------------------------------------------------------------------
307 days since the first successful private orbital launch (SpaceX)


jhardin at impsec

Oct 12, 2011, 7:55 PM

Post #25 of 30 (1347 views)
Permalink
Re: antiphishing [In reply to]

On Wed, 12 Oct 2011, Christian Grunfeld wrote:

>> Certainly SA should detect and score such obfuscation, if the FP rate
>> can be kept low. But controlling what the end user sees in the body of
>> the mail is properly the MUA's job.
>
> No, MUAs interpret and show html like browsers do and do not
> modify it. Detecting such obfuscation can be as difficult as trying to get SA to
> decode a captcha ! Humans can do that task better !

My MUA does exactly that. If the link text differs from the link URI it
displays the hostname/IP part of the URI next to the link text. If it
detects what looks like obfuscation (i.e. the link text points at one
domain and the link itself points at a different domain) it displays a
warning that the links in the message are suspicious.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Vista: because the audio experience is *far* more important than
network throughput.
-----------------------------------------------------------------------
307 days since the first successful private orbital launch (SpaceX)
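
The display-side check described in post #25, using the domain-only comparison suggested in post #7, as an added Python example that is not part of the thread and is not SpamAssassin's or any MUA's code. The sample HTML is constructed (its first link is the one quoted in post #3; the `.example` hosts are placeholders), and `base_domain` naively keeps the last two labels where a real implementation would consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself starts like a URL or a bare hostname.
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#]|$)", re.I)

# Constructed sample: spoofed link, same-site link, click tracker,
# ordinary words as link text, and text identical to the href.
SAMPLE_HTML = """
<p><a href="http://phishingjunk.com">http://www.youtube.com/stuff</a></p>
<p><a href="http://www.youtube.com/watch?v=1">http://youtube.com/stuff</a></p>
<p><a href="http://click.tracker.example/t?r=45">www.newsletter.example</a></p>
<p><a href="https://shop.example/cart">View your cart</a></p>
<p><a href="https://shop.example/">https://shop.example/</a></p>
"""


def base_domain(host):
    """Assumption: registrable domain == last two labels (wrong for e.g. co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def classify(href, text):
    """Return (href_host, verdict) for one link."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ("", "skip")            # mailto:, relative links, etc.
    if text.strip() == href:
        return (host, "match")         # text and target agree exactly
    named = HOSTLIKE.match(text.strip())
    if named and base_domain(named.group(1)) != base_domain(host):
        return (host, "suspicious")    # text names one domain, href another
    return (host, "show-host")         # text differs: show the real host


def check_links(html):
    """Return [(link_text, href_host, verdict), ...] for an HTML body."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    return [(text, *classify(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for text, host, verdict in check_links(SAMPLE_HTML):
        print(f"{verdict:10} {text} --> {host}")
```

The third sample link is the click-tracker pattern raised earlier in the thread: it gets the same `suspicious` verdict as the spoofed link, which is the false-positive problem the posters describe.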
