HTML base tags used for phishing, spam, etc.

Ricky Boone ricky.boone at gmail.com
Fri Sep 27 19:23:48 UTC 2019


Before creating an issue in the GitHub project, I thought I'd start here to
see what others thought.

I'm seeing a number of reported phishing and spam messages come to me where
the bad actor is utilizing the HTML base tag.  I can see where there may be
some legitimate use cases for the base tag in an email, however this seems
to be a way for a bad actor to obfuscate their links, preventing automatic
analysis from considering the full URL, and only seeing the base tag and
"relative" URLs separately.

I don't know if outright blocking the base tag is the right approach, but I
see that there have been other discussions in the past on other sites about
the topic.  For example:

https://www.avanan.com/resources/basestriker-vulnerability-office-365

So my thought is, perhaps an option could be added to block or rewrite the
href value of the base tag, and have a whitelist of URLs that would be
ignored.  Another thought would be to somehow combine the base href and
subsequent relative hrefs together when being evaluated by MailScanner and
SpamAssassin, but that seems a bit more cumbersome.

Thoughts?
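
The second idea in the message above (combining the base href with each relative href before evaluation), sketched as an added example that is not part of the original post and is not MailScanner or SpamAssassin code. The function names, the allowlist check and the sample body with its placeholder hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect the first <base href> and every <a href> in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()  # HTML honours only the first <base href>
        elif tag == "a":
            self.hrefs.append(href.strip())


def effective_links(html_body):
    """Return (base, [(raw_href, resolved_url), ...]) for URL reputation checks."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    # urljoin leaves absolute hrefs untouched and resolves relative ones,
    # so the scanner sees the URL a mail client would actually open.
    resolved = [(raw, urljoin(parser.base, raw) if parser.base else raw)
                for raw in parser.hrefs]
    return parser.base, resolved


def is_allowed_base(base, allowlist):
    """True when there is no base tag or its host is on the allowlist."""
    if base is None:
        return True
    return (urlsplit(base).hostname or "").lower() in allowlist


# Constructed sample body; example.test and example.org are placeholder hosts.
SAMPLE = """<html><head><base href="https://example.test/landing/"></head>
<body><a href="login.php?id=1">Verify</a>
<a href="https://example.org/help">Help</a></body></html>"""

if __name__ == "__main__":
    base, links = effective_links(SAMPLE)
    print("base:", base, "allowed:", is_allowed_base(base, {"example.org"}))
    for raw, full in links:
        print(f"{raw!r} -> {full}")
```

The resolved URLs, rather than the raw href values, are what would be handed to URL reputation checks; the allowlist check corresponds to the first idea of blocking or rewriting any base href that is not on a whitelist.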