Suggested phishing net tuning

Dean Liversidge dean at MYSTERIOUSPLANET.CO.UK
Sun Nov 21 23:56:40 GMT 2004

On Sat, 20 Nov 2004 12:23:39 +0000, you wrote:

>>Why might it be dangerous to strip the prefixing "mailto:" in the first
>Sounds fair enough.
>> and the appended script & arguments in the second before doing the
>I am wary of doing that as (a) there should be a / before the ? and (b)
>could the ? be part of a username or password passed to the http server
>which could therefore be used to evade the phishing net?

I dont know if the trailing / is a requirement or not, but it would
seem nearly everyone doenst use it. I know incorrect usage doesnt make
it right

Im not an expert, but my thoughts would be to drop any mailto: prefix,
as most display text wouldnt include that, and drop anything after the
first non acceptable domain name character set, so anything / or ? and
after would go, since it looks ugly to have a display part showing
parameters - most dont show it

Creaters should know better than to mismatch the www. part of a url,
and these could be completly different websites and my thoughts would
be to make the creaters do the work properly, and fix their url's.

That said, different hosts within a domain come from the original
'trusted' parent domain, i think it would be acceptable to trust a
hostname within the domain, but i see a problem there with how many
levels of name to match, you cant just accept one extra level of child
domain, or you may get something like
display=http://org    link=

and at the top level domain who knows who to trust...

Dean Liversidge

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list