A couple of clients recently have had bounces from different places indicating that their mail was caught by the recipients’ anti-virus filter. These are some of my better clients sending out daily newsletters. They’ve been mailing for years and I know that they are not phishing. They asked me to investigate the bounce messages.
The information I had to work with was minimal. One bounce said:
The AntiVirus server has detected the Phishing.Heuristics.Email.SpoofedDomain virus in an email sent to you, allegedly sent by email@example.com. This email address may, or may not, be the originating source, as some viruses can hijack address books and in turn, send email with any of those addresses. Please take note that this virus has been destroyed and this email is a notification of virus activity and is itself virus free.
The other bounce said:
The message senders were
and they have been notified that they have sent a potential virus.
The message title was Customer: Subject line from email. The message date was Tue, 23 Jun 2009 12:16:13 – The virus or unauthorized code identified in the email is >>> Possible MalWare ‘Exploit/Phishing-amazon-04ee’ found in ‘5832897_2X_PM2_EMQ_MH__message.htm’. Heuristics score: 202
The real clue came when I looked at the emails that triggered the bounce. In both cases, my clients were linking to Amazon.com through a redirector link. Many filters compare the visible text of a link with the link’s target. If the link points to one domain (such as a redirector) while the visible text names another, some spam or virus filters will treat the message as a phish and intercept it.
My experience suggests this happens more often when the domain used in the visible text is one of those domains that are heavily phished: amazon.com, ebay.com, bank websites, etc. The solution is to not include a domain name in the visible text portion of a link. Instead of “Go buy the DVDs at <a href="http://www.example.com/linkdomain/">Amazon.com</a>,” change the link to “Go <a href="http://www.example.com/linkdomain/">buy the DVDs</a> at Amazon.com.” Same content, same call to action, but no chance of the email getting caught in a phish filter.
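To make the heuristic concrete, here is an added illustration (my own code, not from either filter vendor) that checks an HTML body roughly the way these filters do: it compares any domain named in a link’s visible text against the link’s real host, and also catches a heavily phished domain embedded in a redirector’s path or query. The watched-domain list and the two-label “registrable domain” shortcut are simplifications assumed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heavily phished domains (illustrative list, an assumption; real filters keep much larger lists)
WATCHED = {"amazon.com", "ebay.com", "paypal.com"}
# Anything that looks like a bare hostname in text, e.g. "Amazon.com" or "www.ebay.com"
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def registrable(host):
    """Crude 'registrable domain' = last two labels; real filters use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def spoofed_domain_hits(html):
    """Return (href, reason) for every link a spoofed-domain heuristic would flag."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        url = urlparse(href)
        target = registrable(url.hostname or "")
        # Rule 1: the visible text names a domain, but the link goes somewhere else
        for shown in DOMAIN_RE.findall(text):
            if registrable(shown) != target:
                hits.append((href, f"text says {shown}, link goes to {target}"))
        # Rule 2: a heavily phished domain sits inside a redirector's path or query
        for embedded in DOMAIN_RE.findall(url.path + "?" + url.query):
            if registrable(embedded) in WATCHED and registrable(embedded) != target:
                hits.append((href, f"{embedded} embedded in a URL on {target}"))
    return hits

# Constructed samples: the flagged form, the rewritten form, and a domain-in-path redirector
BAD = 'Go buy the DVDs at <a href="http://www.example.com/linkdomain/">Amazon.com</a>'
GOOD = 'Go <a href="http://www.example.com/linkdomain/">buy the DVDs</a> at Amazon.com'
PATH = 'See <a href="http://redirector.example.com/amazon.com/">our picks</a>'
```

Running `spoofed_domain_hits` over a newsletter before it goes out shows which links would trip the rule; BAD and PATH each produce one hit, GOOD produces none.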
I just received an email from a subscriber today on this precise issue. I had an Amazon link in the newsletter; however, I did not use the domain name as the anchor text.
I’ve also seen this happen when the link isn’t in the anchor text, but is present in the URL itself. A link that looks like http://redirector.example.com/amazon.com/ does sometimes trigger the phishing filters.
Interesting issue, so I just did a test with GroupMetrics, which is a redirection tracking service (http://www.group-metrics.com), and there didn’t seem to be any problems with blocking when I used an ebay.com link.
I think it’s because the actual URL is in the same tag as the redirection URL, so there should be no false positive phishing filter being triggered.
Try it out on your own links and see how it goes; I’m curious myself. The service is free to sign up to anyway, and you get 100 credits free for testing.
We have avoided this heuristic in SpamAssassin for years because of this risk, BTW. Too many false positives in existing non-spam mail…
I don’t think it was SpamAssassin in either case, and it does seem to be relatively rare. But there are at least 2 different filters out there catching this mail.