Phishing detection gets confused by malformed HTML
MailScanner at ecs.soton.ac.uk
Thu Feb 17 10:00:59 GMT 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
John Wilcock wrote:
> If you have a bit more time for phishing mods, how about the two false
> positive cases I reported in January?
>> Click here to <a href="http://www.example.com/">visit
Only looking at the last "word" in the text is a dodgy thing to do as
spammers could completely defeat it by putting in 1 space in the text,
and most users wouldn't notice the extra space.
>> <a href="http://www.example.com/">all about .net technology</a>
Look for .net with a space both sides of it? It would help but wouldn't
be a complete solution by any means.
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner