[FoRK] Freely Available Filtering Systems, Information Filtering Resources

Justin Mason <jm at jmason.org>, Thu Nov 9 10:51:31 PST 2006

Tony Finch writes:
> On Thu, 9 Nov 2006, Ken Meltsner wrote:
> >
> > I've been trying to think of a good way to determine whether a message
> > is phishing, although URLs for servers with numeric addresses or in
> > the Czech Republic are usually a reliable indicator....
> A fairly practical technique is to spot links like
> <a href="http://phishersite.com">http://legitsite.com</a>
> but you need a whitelist for legitimate mailings with bad URL hygiene.

That is *extremely* common practice, sadly -- even with the HTTPS variant.
See http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4255 for
details and examples.

It would *seem* that a rule that looks for "http" links using "https://"
link strings in the anchor text would be a good phish-sign, right?  wrong.
Banks love doing this, so that their mktg depts can track click-through
rates using a third-party click-counter script (set up on a http:// url,
natch).  ffs.

The phished companies, as far as I can tell, just refuse to understand
that by sending out horrible, HTML-laden mail designed by the marketing
dept to look pretty, instead of being non-phish-able and secure, they're
just shooting themselves in the foot.  

On one anti-spam list I'm on, we regularly play "phish or phoul", where we
post the latest horrible monstrosity and ask people to guess if it's the
real deal.  Even we in the professional spam-blocking community have a
hard time figuring it out in many cases.  (the big credit card companies
are the worst.)

There are several very simple ways they can avoid being phished, and I
personally *know* many techies inside the companies making those points --
but it's more attractive to their management to produce nice-looking
mailouts, outsource mail sending, and get clickthrough figures -- all
things that allow confusion between their own mails and the phish copies.

I suppose this is because the rate of phishing fraud just doesn't impact
their profits enough.  In the meantime, the usefulness of email drops and
drops, as users become less and less confident in its trustworthiness.
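The two heuristics discussed in this thread (an anchor whose visible text is a URL pointing at a different host than its href, and an http:// href hiding behind https:// anchor text) can be implemented in a few dozen lines. The block below is an added example written for this archive page; it is not SpamAssassin code and not anything Justin, Tony or Ken posted. The sample HTML snippets, the `.test` hostnames and the `KNOWN_SLOPPY_SENDERS` whitelist are all constructed for illustration; the whitelist stands in for the list of legitimate senders with bad URL hygiene that Tony mentions.

```python
"""Spot HTML anchors whose displayed URL disagrees with the real href.

Added example for the FoRK thread on phish detection; not SpamAssassin
code.  All sample messages and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical whitelist: sender domains known to ship legitimate mail with
# poor URL hygiene (third-party click trackers etc.).  Keyed on the From:
# domain, so a mismatch from anyone else still counts as a phish-sign.
KNOWN_SLOPPY_SENDERS = {"example-bank.test"}

# Anchor text that is itself a URL, e.g. <a href=...>http://legitsite.test</a>
URL_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Return findings as (kind, href, shown_url) tuples.

    "host-mismatch":   the host in the anchor text is not the href's host.
    "https-downgrade": the anchor text says https:// but the href is http://.
    One anchor can produce both findings.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        m = URL_RE.match(text)
        if not m or not href:
            continue  # plain "click here" links carry no displayed URL to compare
        shown = m.group(1)
        if _host(shown) != _host(href):
            findings.append(("host-mismatch", href, shown))
        if shown.lower().startswith("https://") and href.lower().startswith("http://"):
            findings.append(("https-downgrade", href, shown))
    return findings


def classify(sender_domain, html):
    """Return "clean", "whitelisted" or "phish-sign" for one message."""
    if not mismatched_links(html):
        return "clean"
    if sender_domain.lower() in KNOWN_SLOPPY_SENDERS:
        return "whitelisted"
    return "phish-sign"


# Constructed sample bodies (not real mail).
PHISH_HTML = '<p>Log in: <a href="http://phishersite.test/login">http://legitsite.test</a></p>'
BANK_TRACKER_HTML = '<a href="http://clicks.tracker.test/r?u=1">https://example-bank.test/secure</a>'
CLEAN_HTML = ('<a href="https://legitsite.test/x">https://legitsite.test/x</a> and '
              '<a href="https://legitsite.test/y">click here</a>')

if __name__ == "__main__":
    print(mismatched_links(PHISH_HTML))
    print(classify("example-bank.test", BANK_TRACKER_HTML))  # the bank's own tracker mail
    print(classify("random.test", BANK_TRACKER_HTML))        # same body from a stranger
```

The bank's click-tracker mail trips both heuristics, which is exactly the problem the thread describes: the rule alone cannot tell it from the phish copy, so the whitelist on the sending domain is what carries the decision, and a whitelist keyed only on a spoofable From: domain is only as good as whatever sender authentication sits in front of it.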


