Why no subject changes or higher score for this phishing email?
Mark Sapiro
mark at msapiro.net
Wed Oct 29 16:39:14 UTC 2025
On 10/28/25 20:50, betsys at well.com wrote:
> Got a piece of mail identified as ham, with no header changes. The
> Hidden URLs were correctly highlighted.
>
> I would have expected this to put up some sort of phishing alert. Do I
> need to enable *Disarmed Modify Subject* for this?

Yes, if you want it flagged in the Subject:. It is flagged in the
message body in any case.

> I disabled the Disarmed Modify Subject because it was getting added to
> every single message with a hidden link, seemed like, many innocent
> messages.

The disarming applies to any `a` tag with display text that looks like a
URL or web address that doesn't match the host in the target. Yes, this
can happen to "innocent" mail that uses things like tracking links that
ultimately redirect to the display text address after collecting
tracking information. Granted, these aren't true phishing attacks, but
my personal view is they are just as bad.

Whether or not you want the disarming to be flagged in the Subject:
header is up to you, and you can use a ruleset to do it selectively
based on the sender and/or recipient, but not on the actual content of
the tag. You can also exempt certain senders using the
phishing.safe.sites.custom file.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
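
The check described in the reply above, as an added example that is not part of the original post and is not MailScanner's own code: a simplified Python approximation that reports `a` tags whose display text looks like a web address on a different host than the `href` target. The regular expression, the `www.` normalization and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed definition of "looks like a URL or web address": optional scheme + dotted hostname.
URLISH = re.compile(r"^\s*(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?\s*$", re.I)

def _norm(host):
    # Assumption: compare hosts case-insensitively and ignore a leading "www.".
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkAudit(HTMLParser):
    """Collect (display_host, target_host) for anchors whose text names another host."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.mismatches, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text while inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = URLISH.match("".join(self._text))
        target = _norm(urlsplit(self._href).hostname)
        if shown and target and _norm(shown.group(1)) != target:
            self.mismatches.append((_norm(shown.group(1)), target))
        self._href = None

def find_mismatched_links(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches

# Constructed sample body: tracking redirect, plain-text link, matching link, mismatched link.
SAMPLE = """
<a href="https://click.tracker.example/r?u=abc">www.shop.example</a>
<a href="https://shop.example/sale">Click here</a>
<a href="https://www.bank.example/login">https://bank.example/login</a>
<a href="http://login.other.example/">https://bank.example/login</a>
"""
```

The tracking-redirect link and the outright mismatch are reported identically, which is why the Subject: flag shows up on so much legitimate bulk mail.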