[Spambayes] Re: Anti Phishing suggestion

Mathew Hendry TJLWBECGSGWU at spammotel.com
Wed Jan 5 23:48:43 CET 2005

On Wed, 5 Jan 2005 14:01:49 -0800, "Frank Heile" <fheile at pacbell.net> wrote:

>for any suspicious email, I just put my cursor over
>the link (without clicking) and it usually shows an address like:
>Whereas the text displayed for the link is something like:
>So at that point it is OBVIOUS (to me) that this is a fake phishing email since
>paypal.com would NOT have used a numeric URL address in this way. Doesn't
>everybody check suspicious hyperlinks like this before they click on the

Unfortunately, not all mail clients are kind enough to show the true URL
when you hover over links. I'm pretty sure even the mighty Outlook didn't do
that until Outlook 2003.

I train all phishing mails as spam and, as a result, both they and my
legitimate bank/paypal/ebay mails often appear as unsures. I manually check
all of them, but never click on the links they contain. You're best to open
your browser and type in the relevant address manually, as recommended by

All money sites that I use keep track of everything on the site itself - the
mails they send are only notifications. (There are exceptions, e.g. if you
forget your password. But you'll know when you've done that and expect a
very specific mail about it).

>Now, since I do this by hand, why can't SpamBayes do something like this
>automatically?  For example, SpamBayes should be able to easily parse the
>real URL and the displayed text for a link in an email message.  If the text
>displayed looks like a URL address, it could do a DNS lookup on the address
>like "www.paypal.com" and see that it does not match real URL
>"123.456.234.567" and automatically mark the message as SPAM/Phish?

As far as I know, SpamBayes never marks a mail as spam on the basis of a
single characteristic. "Hair trigger" rules like that are a risky business:
consider legitimate mails from spam-related mailing lists, that often
contain copies of spam messages. Instead, you might add a
"suspicious_url:paypal" token so it would be considered along with all the

-- Mat.
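
An added example, not part of the original post and not SpamBayes code: a stand-alone sketch of the token approach suggested above, which compares each link's real host with the host shown in its text and emits extra tokens for a classifier to weigh instead of marking the mail outright. The function name, the `suspicious_url:numeric-host` token and the sample message are assumptions made for illustration; hosts are compared as strings, with no DNS lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (192.0.2.10 is a documentation-only address).
SAMPLE = '<p>Verify: <a href="http://192.0.2.10/login">www.paypal.com</a></p>'
# Displayed text that looks like a URL or bare hostname, e.g. "www.paypal.com/login".
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#].*)?$", re.I)
DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class _LinkCollector(HTMLParser):
    """Collects (href, displayed text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_url_tokens(html):
    """Return extra tokens for links whose displayed host differs from the real one."""
    collector = _LinkCollector()
    collector.feed(html)
    tokens = []
    for href, text in collector.links:
        shown = URLISH.match(text)
        try:
            real_host = (urlsplit(href).hostname or "").lower()
        except ValueError:  # malformed href, e.g. an unclosed IPv6 bracket
            continue
        shown_host = shown.group(1).lower() if shown else ""
        if not shown_host or not real_host or shown_host == real_host:
            continue
        # Naive brand label (assumption): second-to-last DNS label of the shown host.
        tokens.append("suspicious_url:" + shown_host.split(".")[-2])
        if DOTTED_QUAD.fullmatch(real_host):
            tokens.append("suspicious_url:numeric-host")
    return tokens
```

Because the result is only a list of tokens, a mailing-list digest that quotes a phishing mail picks up the same tokens as the phish itself, and the rest of the message's evidence decides the score.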

