Educause Security Discussion mailing list archives

Re: URL switching in e-mails


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Tue, 3 Jan 2006 16:14:38 -0600

Valdis Kletnieks wrote:

If the intent was to send HTML, then MailScanner's "solution" *will*
result in unreadable text.  I don't blame the users for complaining.

Perhaps you need to do what SlashDot does - provide an option for a *small*
tag identifying the real target:

<a href="http://www.real-url.com">Your Bank Here</a> <b>[real-url.com]</b>

if the text and the href don't match.

Of course, for properly designed HTML, the two *shouldn't* match, because
even the <a href="http://www.google.com">Click here for more info</a> abusage
doesn't match.  If they *do* match, the visible text is an ugly URL rather than
nice readable text... ;)
One problem with doing that automagically is when the phishing URL
points to a host like

    www.paypal.com cgi-bin webscr cmd--secure-amp-sh-u
https.hurricane.xycum.com
("from the wild" example taken from phishing e-mail received last
month).  I suspect at least some users will see the "www.paypal.com"
part at the beginning of the host name, fail to read the rest of the
name, and simply act as if it's legit.  Rewriting those parts of the
message would seem to be the safest, at least in terms of protecting the
users.

That said, I *really* dislike the idea of tampering with message
content, too.  I'll be interested in hearing if anyone's found an ideal
solution to this problem.


--
Alan Amesbury
University of Minnesota

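The annotation Valdis describes, as an added Python example that is not part of this thread or of MailScanner: it copies the HTML through and appends the target's registrable domain after every anchor whose visible text does not already name it. It deliberately shows only the rightmost labels rather than the full host, so a host that merely starts with www.paypal.com is still tagged with the domain it really belongs to (the sample input is constructed, modelled on the phishing host quoted above); the last-two-labels rule is an assumption standing in for a Public Suffix List lookup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

def registrable_domain(host):
    """Last two labels of host (crude; real code should use the Public
    Suffix List so that bank.co.uk is not reduced to co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

class LinkAnnotator(HTMLParser):
    """Copy HTML through, appending <b>[domain]</b> after each <a> whose
    visible text does not name the target's registrable domain.  Using the
    rightmost labels means a host that merely *starts* with www.paypal.com
    is still labelled with the domain it really belongs to."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())  # original tag, verbatim
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape on output
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
        if tag == "a" and self._href is not None:
            domain = registrable_domain(urlparse(self._href).hostname or "")
            if domain and domain not in "".join(self._text).lower():
                self.out.append(f" <b>[{domain}]</b>")
            self._href = None

def annotate_links(doc):
    """Return doc with every mismatched link annotated."""
    parser = LinkAnnotator()
    parser.feed(doc)
    parser.close()
    return "".join(parser.out)

# Constructed sample modelled on the phishing host quoted in the mail: the
# host *begins* with www.paypal.com but is registered under xycum.com.
SAMPLE = ('<p>Verify at <a href="http://www.paypal.com.cgi-bin.webscr.'
          'https.hurricane.xycum.com/">www.paypal.com</a> now.</p>')
```

Links whose visible text is a plain phrase ("Your Bank Here") get the tag too, which is the trade-off Valdis notes: for well-formed HTML the text and href never match, so nearly every link is annotated.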