Finally, a phish that makes sense to me

re: Finally, a phish that makes sense to me

mbghtri — Tue, 23 Jun 2009 01:22:48 GMT

Barry Leiba,

I don't think you can use your test as 100% evidence of spam. I have seen a few legitimate emails where the displayed URL was a shorter version of the link. As a made-up example. an email from a bank may display www.thisbank.com/login, the real link behind it may be www.thisbank.com/login.asp?id=1234567.

Not a good idea to send emails like this in my opinion, but not uncommon. Perhaps if you checked just the domain from the displayed text and compared to the real domain (ignoring everything except the actual domain name), you could create your 100% spam rule.

re: Finally, a phish that makes sense to me

Ron Parker — Mon, 22 Jun 2009 15:27:30 GMT

The site looks convincing, yes, but the email still reads like it was written by someone who doesn't speak English natively. I'll start being really scared of them when they get someone who understands verb tenses to proofread their spam.

URLs and links in phishing messages

Barry Leiba — Sat, 20 Jun 2009 03:29:10 GMT

This is a good example of something I don't know why we don't address directly: IF...

1. the message contains linked text that looks like a URL, AND

2. the actual URL behind that link does not match the visible text, THEN

3. make a 100%-certain decision that the message is spam.

I know of no anti-spam software that does that, as an absolute test. And, yet, it should be. If legitimate email from, say, Chase, should have a visible URL for chase.com that actually links to otherchasedomain.com, the IT people responsible for that need to be rounded up and sent to Nigeria in exchange for some of the $20 MILLION US DOLLARS the Nigerians keep promising me.

I'm also actually surprised that not all of the phishing sites are polished convincing. It's not terribly hard to clone the entry page to the real web site, and just replace the login code.