Suggested phishing net tuning (more examples)

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Fri Nov 19 15:35:22 GMT 2004


A difficult false positive example is:

Nov 19 04:15:18 cheviot5 MailScanner[14191]: Found phishing fraud from
support at for j.bloggs at
claiming to be emailsupport at

Is it impossible to parse this safely before comparing the strings?

A more common type of false positive is:

Nov 19 05:51:14 cheviot5 MailScanner[14163]: Found phishing fraud from claiming to be

I can see why you might be unwilling to remove the "www." from the actual
link before doing the comparison but is it really that unsafe?

What is a good and useful feature still has a false positive rate that is
unacceptably high.

Could your editing of the strings in the hypertext link be done more
aggressively before comparison? I know this may risk a possible rise in
the false negative rate but there are other detectors in MailScanner which
you acknowledge have a non-zero false negative rate.

I would be willing to see the false negative rate increase slightly in
order to reduce the number of times we cry "wolf!"

PHONE: +44 191 222 8209     Computing Service, University of Newcastle
FAX:   +44 191 222 8765     Newcastle upon Tyne, United Kingdom, NE1 7RU.
"Any opinions expressed above are mine. The University can get its own."

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list