how to write an anti-phishing ruleset (and test?)
John Wilcock
john at TRADOC.FR
Thu Nov 18 07:16:34 GMT 2004
On Wed, 17 Nov 2004 17:53:15 +0000, Julian Field wrote:
> >A better solution IMO would be the ability to whitelist based on the
> >actual domain in the URL. I don't care in the slightest if
> >click2.ebay.com claims to be www.ebay.fr, but I really don't want
> >ebay-phisher.com to get away with the same claim!
> >
> >John.
> >
> Does the file need to be any more than a list of hostnames? Do I need to
> allow *.domain.com as well? What syntax would you like for this file?
> Should it just look like any other ruleset file? It would be interpreted
> differently as the "direction" in the rule would be ignored, or it would
> only be allowed to be "From". The address pattern would be used to match
> the hostname of the real destination of the link, only the hostname bit
> of the address pattern would be used.
>
> Its purpose is similar to a normal ruleset, but not quite the same. I
> don't want to end up confusing users.

Firstly, I think you want to keep the Find Phishing Fraud setting as it
is, in case anyone wants to use a standard address-based ruleset for
this.

As to the phishing whitelist, I think all that is needed is a list of
hostnames, yes. If you want it to look like a standard ruleset for
consistency, fair enough. Wildcards would be useful, though not
essential judging on the small sample available to me.

While we're at it, trying to get this as near perfect as possible, how
about a Log Phishing Fraud setting, analogous to the current Log Iframe
Tags, to allow people to build up their whitelist before enabling the
detection.

John.
--
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
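
The proposal in the message above, sketched as an added Python example; it is not MailScanner code and not part of the original post. The whitelist entries, the `*.` wildcard form, the function names and the `log_only` flag (standing in for the suggested Log Phishing Fraud setting) are all assumptions.

```python
from html.parser import HTMLParser
import re
from urllib.parse import urlsplit

# Constructed whitelist of real link destinations; the "*." wildcard form is assumed.
WHITELIST = ["click2.ebay.com", "*.example-newsletter.test"]
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Constructed message body: a tracker, a phish and an honest link, same visible text.
SAMPLE = ('<a href="http://click2.ebay.com/t?x=1">www.ebay.fr</a> '
          '<a href="http://ebay-phisher.com/login">www.ebay.fr</a> '
          '<a href="http://www.ebay.fr/">www.ebay.fr</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def whitelisted(host, patterns=WHITELIST):
    """Exact hostname match, or "*.domain" matching any subdomain of domain."""
    host = host.lower().rstrip(".")
    return any(host.endswith(p[1:]) if p.startswith("*.") else host == p
               for p in patterns)

def check_links(html, log_only=False):
    """Return (verdict, real_host, claimed_host) for each mismatching link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        claim = HOST_RE.search(text)
        claimed = claim.group(1).lower() if claim else ""
        if not real or not claimed or real == claimed:
            continue  # nothing claimed, or the claim is honest
        if whitelisted(real):  # decision uses the real destination only
            verdict = "allowed"
        else:
            verdict = "logged" if log_only else "flagged"
        findings.append((verdict, real, claimed))
    return findings
```

Running `check_links(SAMPLE, log_only=True)` lists the mismatches without flagging them, which gives the real hostnames a site would review before adding them to the whitelist.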