[Spambayes] Anti Phishing suggestion

Katz, Amir Amir_Katz at bmc.com
Wed Jan 5 23:19:20 CET 2005

It's an excellent idea, but I think that it's beyond the scope of SpamBayes
per se. SB does not make any check of the data in the message, nor to the
validity, truthfulness or legality of any claims therein.

I think that the right solution would be another tool that will work like SB
(an Outlook plug-in) which will add a button, "Check Phishiness" and will do
what you suggest, displaying a phishiness score and would let the user
decide what to do ("Delete as phish" or "do nothing").

On the proxy solution, maybe the same code will be hosted by the proxy, but
will be invoked before or after SB filter, and will add its own annotation
to the mail with 'Phish alert', so POP3/IMPA users will just need to add
another filter rule for those.

Just my $0.02 (not being a developer of SB, just a devoted user & spreading
the SB gospel)


-----Original Message-----
From: Frank Heile [mailto:fheile at pacbell.net] 
Sent: Thursday, January 06, 2005 00:02
To: spambayes at python.org
Subject: [Spambayes] Anti Phishing suggestion

SpamBayes is GREAT!  I have told everyone I talk with that they should use
it to fight SPAM.  However, one thing SpamBayes does not protect against is
phishing emails.  Here is what I do manually - could some developer please
implement something like this in code for SpamBayes (or tell me why it won't

Whenever I get an email that is asking me to confirm or correct my personal
information at some Web site I get suspicious automatically.  Now in
Outlook, when the cursor is over a hyperlink inside a message, it will
display a popup showing the REAL URL that a click will take you to.  The
colored and underlined displayed text in the email message may be different
than this real URL.  So for any suspicious email, I just put my cursor over
the link (without clicking) and it usually shows an address like:


Whereas the text displayed for the link is something like:


So at that point it OBVIOUS (to me) that this is a fake phishing email since
paypal.com would NOT have used a numeric URL address in this way. Doesn't
everybody check suspicious hyper links like this before they click on the

Now, since I do this by hand, why can't SpamBayes do something like this
automatically?  For example, SpamBayes should be able to easily parse the
real URL and the displayed text for a link in an email message.  If the text
displayed looks like a URL address, it could do a DNS lookup on the address
like "www.paypal.com" and see that it does not match real URL
"123.456.234.567" and automatically mark the message as SPAM/Phish?

As a matter of fact, the DNS lookup is probably unneeded, since the fact
that a real looking label is used for a numeric address is pretty obviously
a phishing email.  In fact ANY numeric URL address is probably up to no good
and I would be happy if they are deleted as spam. 

Is there some flaw in my arguments?  Will the phishers soon overcome these
techniques (probably somehow, but I can't think of how).  Just Curious...

Spambayes at python.org
Check the FAQ before asking: http://spambayes.sf.net/faq.html

More information about the Spambayes mailing list