We see a lot of malicious links disguised as legitimate by abusing the <a> tag. Someone will craft a link that will display as a full link but will really go somewhere else.
example (extra spaces in the tags to try and get them not to render)
< a href=hxxp://malicious.site/virus.exe>hxxp://google.com</a >
By displaying a valid link and using the href to go somewhere else we see a lot of virus activity. In many cases it's a new virus SEP doesn't know about yet. We find ourselves submitting 3 or 4 binaries a week this way and in the meantime cleaning up new infections.
We need the gateway to parse the html part of messages to do something like:
```python
import re
# URL pattern from http://daringfireball.net/2010/07/improved_regex_for_matching_urls
# (its leading (?i) is dropped and re.IGNORECASE used instead so it can be embedded in a larger pattern)
url_regex = r'''\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'".,<>?«»“”‘’]))'''
# an anchor whose href is a URL and whose visible text is also a URL
spoof_url_regex = re.compile(r'<a\s+href="' + url_regex + r'">\s*' + url_regex + r'\s*</a>', re.IGNORECASE)
if spoof_url_regex.search(email.htmlpart):
    verdict = "spam"
```
Does anyone else experience this often? Have you come up with good strategies to combat it?
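A fuller version of that check, as an added example (not code from the original post or from any gateway product): it parses the HTML part with Python's html.parser, compares the host shown in the anchor text with the host in the href, and tolerates a missing scheme and a www. prefix so honest links are not flagged. The sample message body is constructed, and real messages carry normal `<a` tags (the spaced `< a` in the post is only there to keep the forum from rendering it).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text counts as "a URL" if it starts with a scheme, a www. prefix, or a bare domain.
LOOKS_LIKE_URL = re.compile(r'^(?:[a-z][\w+.-]*://|www\.|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})', re.I)

def host_of(url):
    """Host of a URL with any leading 'www.' removed; tolerates a missing scheme."""
    if not re.match(r'^[a-z][\w+.-]*://', url, re.I):
        url = 'http://' + url
    host = (urlparse(url).hostname or '').lower()
    return host[4:] if host.startswith('www.') else host

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML part."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = (dict(attrs).get('href') or ''), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.anchors.append((self._href, ''.join(self._text).strip()))
            self._href = None

def find_spoofed_links(html):
    """Return (href, text) pairs whose text looks like a URL but whose host differs from the href host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.anchors
            if href and LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href)]

# Constructed sample body (not a real email): one spoofed link, one honest one, one plain "Click here".
SAMPLE_HTML = """<p>Invoice: <a href="http://malicious.example/virus.exe">http://google.com</a></p>
<p>Portal: <a href="https://www.google.com/accounts">google.com</a></p>
<p><a href="http://malicious.example/login">Click here</a></p>"""

if __name__ == "__main__":
    for href, text in find_spoofed_links(SAMPLE_HTML):
        print(f"spoofed: shows {text!r} but goes to {href!r}")
```

Only anchors whose visible text looks like a URL are compared, so "Click here" style links pass through untouched and need a different rule.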