[Spambayes] Re: Anti Phishing suggestion

Mathew Hendry TJLWBECGSGWU at spammotel.com
Wed Jan 5 23:48:43 CET 2005


On Wed, 5 Jan 2005 14:01:49 -0800, "Frank Heile" <fheile at pacbell.net> wrote:

>for any suspicious email, I just put my cursor over
>the link (without clicking) and it usually shows an address like:
>
>http://123.456.234.567/something...
>
>Whereas the text displayed for the link is something like:
>
>http://www.paypal.com/login.php
>
>So at that point it is OBVIOUS (to me) that this is a fake phishing email since
>paypal.com would NOT have used a numeric URL address in this way. Doesn't
>everybody check suspicious hyper links like this before they click on the
>link?

Unfortunately, not all mail clients are kind enough to show the true URL
when you hover over links. I'm pretty sure even the mighty Outlook didn't do
that until Outlook 2003.

I train all phishing mails as spam and, as a result, both they and my
legitimate bank/paypal/ebay mails often appear as unsures. I manually check
all of them, but never click on the links they contain. You're best to open
your browser and type in the relevant address manually, as recommended by
http://antiphishing.org.

All money sites that I use keep track of everything on the site itself - the
mails they send are only notifications. (There are exceptions, e.g. if you
forget your password. But you'll know when you've done that and expect a
very specific mail about it).

>Now, since I do this by hand, why can't SpamBayes do something like this
>automatically?  For example, SpamBayes should be able to easily parse the
>real URL and the displayed text for a link in an email message.  If the text
>displayed looks like a URL address, it could do a DNS lookup on the address
>like "www.paypal.com" and see that it does not match the real URL
>"123.456.234.567" and automatically mark the message as SPAM/Phish?

As far as I know, SpamBayes never marks a mail as spam on the basis of a
single characteristic. "Hair trigger" rules like that are a risky business:
consider legitimate mails from spam-related mailing lists, that often
contain copies of spam messages. Instead, you might add a
"suspicious_url:paypal" token so it would be considered along with all the
others.

-- Mat.
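
The token idea from the message above, as an added example (not part of the original post and not SpamBayes code): it compares each link's visible text with the host in its `href` and emits a `suspicious_url:<name>` token as one more clue for the classifier, never a verdict. The function and class names, the last-two-labels domain heuristic and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or bare host name.
URLISH = re.compile(r"^\s*(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/:?#]\S*)?\s*$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def link_mismatch_tokens(html):
    """Return extra classifier tokens (clues, not a verdict) for one HTML body."""
    collector = AnchorCollector()
    collector.feed(html)
    tokens = []
    for href, text in collector.links:
        shown = URLISH.match(text)
        try:
            real = (urlsplit(href).hostname or "").lower()
        except ValueError:
            real = ""
        if not shown or not real:
            continue  # text is not URL-like, or href has no host to compare
        # Naive registrable domain: last two labels (no Public Suffix List).
        brand, tld = shown.group(1).lower().split(".")[-2:]
        domain = brand + "." + tld
        # Flag only when the real host is neither the shown domain nor under it.
        if real != domain and not real.endswith("." + domain):
            tokens.append("suspicious_url:" + brand)
    return tokens

# Constructed sample; 192.0.2.10 is a documentation address.
SAMPLE = '<a href="http://192.0.2.10/something">http://www.paypal.com/login.php</a>'
```

Because the result is only a token, a mailing-list digest that quotes a phishing mail still gets scored on all of its other tokens as well.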