Suggested phishing net tuning (more examples)

Julian Field mailscanner at ecs.soton.ac.uk
Sat Nov 20 12:25:32 GMT 2004



Fair enough. I will take a look at this next week, and have a go at
rewriting the net to be more aggressive with its data while minimising
false negatives.

Quentin Campbell wrote:

>Julian
>
>A difficult false positive example is:
>
>Nov 19 04:15:18 cheviot5 MailScanner[14191]: Found phishing fraud from
>support at pegasusworks.com?subject=unsubscriberequest for j.bloggs at ncl.ac.uk
>claiming to be emailsupport at pegasusworks.com
>
>Is it impossible to parse this safely before comparing the strings?
>
>A more common type of false positive is:
>
>Nov 19 05:51:14 cheviot5 MailScanner[14163]: Found phishing fraud from
>www.worldonaplate.com claiming to be worldonaplate.com
>
>I can see why you might be unwilling to remove the "www." from the actual
>link before doing the comparison but is it really that unsafe?
>
>What is a good and useful feature still has a false positive rate that is
>unacceptably high.
>
>Could your editing of the strings in the hypertext link be done more
>aggressively before comparison? I know this may risk a possible rise in
>the false negative rate but there are other detectors in MailScanner which
>you acknowledge have a non-zero false negative rate.
>
>I would be willing to see the false negative rate increase slightly in
>order to reduce the number of times we cry "wolf!"
>
>Quentin
>--
>PHONE: +44 191 222 8209     Computing Service, University of Newcastle
>FAX:   +44 191 222 8765     Newcastle upon Tyne, United Kingdom, NE1 7RU.
>-------------------------------------------------------------------------
>"Any opinions expressed above are mine. The University can get its own."
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
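As an added illustration of the normalisation Quentin asks about (example code, not MailScanner's own phishing net): the comparer below strips a leading "www.", parses mailto: targets and drops their ?subject= query before comparing the visible text with the real target. Even after that parsing, "support" and "emailsupport" still differ in the local part, so the domain_only_mail switch is where the false-positive versus false-negative trade-off from the thread actually lives. The sample link pairs are constructed from the two log lines quoted above.

```python
from urllib.parse import urlsplit, unquote

def _strip_www(host: str) -> str:
    """Lower-case a hostname and drop a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def normalise(link: str) -> tuple:
    """Reduce a displayed link text or an href to a comparable identity.
    Returns ("mail", local_part, domain) for addresses and mailto: links,
    or ("web", host) for anything else. A mailto: query such as
    '?subject=unsubscriberequest' is not part of the identity and is dropped.
    """
    link = link.strip()
    if link.lower().startswith("mailto:"):
        link = link[len("mailto:"):]
        link = unquote(link.split("?", 1)[0])   # drop ?subject=... etc.
    if "@" in link and "/" not in link and ":" not in link:
        local, _, domain = link.lower().rpartition("@")
        return ("mail", local, _strip_www(domain))
    if "://" not in link:
        link = "http://" + link                 # bare 'worldonaplate.com'
    return ("web", _strip_www(urlsplit(link).hostname or ""))

def is_mismatch(href: str, text: str, domain_only_mail: bool = False) -> bool:
    """True if the visible text and the real target disagree after normalisation.
    domain_only_mail=True compares only the domain of mail addresses: it clears
    the support@ / emailsupport@ case but misses a changed local part.
    """
    a, b = normalise(href), normalise(text)
    if a[0] != b[0]:                 # an address shown as a web link, or vice versa
        return True
    if a[0] == "mail" and domain_only_mail:
        return a[2] != b[2]
    return a != b

# Constructed sample pairs, reconstructed from the two log lines in the thread
# plus one genuinely mismatched pair (hostnames are placeholders).
SAMPLES = [
    ("mailto:support@pegasusworks.com?subject=unsubscriberequest",
     "emailsupport@pegasusworks.com"),
    ("http://www.worldonaplate.com/", "worldonaplate.com"),
    ("http://www.attacker.invalid/login", "www.example-bank.test"),
]

if __name__ == "__main__":
    for href, text in SAMPLES:
        print(f"{text!r:32} strict={is_mismatch(href, text)} "
              f"domain_only_mail={is_mismatch(href, text, True)}")
```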
