Call me simple-minded, but it seems to me that the most obvious characteristic of a phishing spam is a link that poses as an apparent URL that hides a totally different URL — for example, it says www.intuit.com but in fact it goes to some t.com URL. I’ve noticed that SpamSieve quite often misses these. Isn’t there some way to just jump past all the Bayesian probability theory and teach SpamSieve this simple rule? I mean, gosh, even my 95-year-old mother understands this one. (Well, she sort of does.)