by danielweber 4783 days ago
My brain is a bit fried, but what about a rule that "if the text contained in the <a> tag is a FQDN, it should match the FQDN in the href exactly"?

What are the false positives?

2 comments

Things like Google results that go through a redirector for click tracking.
So, another practice that should be highlighted and made to stop.
The easiest way to recognise the link text as a FQDN would be to check for http:// or www., but even without them (i.e. google.com/foo) users will still assume it's a URL. If attackers get creative with Unicode (e.g. google۔com using U+06D4), it could be pretty difficult to identify text that looks like a link.
This is where my application of a "privacy" idea to a "security" problem falls down.

With privacy, I try to be pretty vigilant, but I don't do everything in my power to prevent tracking. I am more worried about companies collecting large swathes of data on my behaviour rather than the odd tidbit. I'm quietly hopeful that analytics, advertising et al. companies will not go to such ingeniously dodgy methods for tracking people's behaviour (though being hopeful is very different than expecting them not to be dodgy).

But who knows, as a filter that might catch a portion of phishing links, it may have some use.
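
The rule proposed at the top of the thread, as an added example (not code posted by any commenter): a checker that flags anchors whose visible text names a host different from the one in the href. The `LinkAuditor` and `host_in_text` names, the dot-lookalike set beyond U+06D4, and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Characters that render like "."; U+06D4 is the one named in the thread,
# the rest are an assumed, non-exhaustive extension.
DOT_LOOKALIKES = dict.fromkeys(map(ord, "\u06d4\u3002\uff0e\uff61"), ".")
# Optional scheme, dotted host, optional port and path: covers "http://a.b",
# "www.a.b" and bare "a.b/foo". Text with spaces never matches.
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?((?:[^\s/.:@]+\.)+[^\s/.:@]{2,})"
                     r"(?::\d+)?(?:[/?#]\S*)?$", re.I)

def host_in_text(text):
    """Return the hostname the visible link text appears to name, or None."""
    m = HOST_RE.match(text.strip().translate(DOT_LOOKALIKES))
    return m.group(1).lower() if m else None

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:        # only collect text inside <a>...</a>
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = host_in_text("".join(self.text))
            actual = (urlsplit(self.href).hostname or "").lower()
            if shown and shown != actual:   # exact match, as the rule states
                self.findings.append((shown, actual))
            self.href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = (  # constructed input, not taken from the thread
    '<a href="https://example.com/login">example.com/login</a>'      # match
    '<a href="https://evil.test/x">www.example.com</a>'              # mismatch
    '<a href="https://redirector.test/url?q=example.org">example.org</a>'
    '<a href="https://evil.test/y">example\u06d4com</a>'             # U+06D4 dot
    '<a href="https://evil.test/z">Click here</a>'                   # not a FQDN
)
```

On the sample, the click-tracking redirector link is flagged alongside the two deceptive ones, which is the false positive raised in the replies, and the "Click here" link passes because the rule only fires when the text looks like a host.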