Suggested phishing net tuning

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Mon Nov 22 08:42:07 GMT 2004


>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 20 November 2004 12:24
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Suggested phishing net tuning
>
>Quentin Campbell wrote:
>
>>Julian
>>
>>I have seen repeated examples of log entries similar to:
>>
>>Nov 19 05:21:10 cheviot5 MailScanner[14191]: Found phishing fraud from
>>orders at ebnerandsons.com claiming to be mailto:orders at ebnerandsons.com
>>
>>and
>>
>>Nov 19 05:30:34 cheviot5 MailScanner[14082]: Found phishing fraud from
>>www.airmileswineclub.co.uk?wine_11-04=true claiming to be
>>www.airmileswineclub.co.uk
>>
>>Why might it be dangerous to strip the prefixing "mailto:" in the first
>>example
>>
>Sounds fair enough.
>
>> and the appended script & arguments in the second before doing the
>>comparison?
>>
>>
>I am wary of doing that as (a) there should be a / before the ? and (b)
>could the ? be part of a username or password passed to the http server
>which could therefore be used to evade the phishing net?

There must be enough expertise on this list which could help you here by
coming together to create an informed consensus on these sorts of
issues. Dean Liversidge has made a contribution already. What about the
rest of you helping Julian out too?

It looks like tuning the phishing detector code will be a complex and
ongoing task since there is so much broken HTML around that seems to be
tolerated by display systems.

The one thing I am sure about is that unless the false positive rate can
be significantly reduced the phishing detector will be unusable at many
sites. I am under pressure to disable the feature here. I have tried to
reduce FPs where possible by using rulesets to exempt our sending
domains. In the end though it will have to be more sophisticated
parsing.

A suggestion I would like to make is to enable the "phishing net"
feature with one of 3 "risk" levels:

Level 1 would use your current, conservative, parsing. This means,
potentially, high rates of FPs because you would treat broken HTML as
risky and thus flag it. 

Level 2 more aggressive parsing to reduce FPs while minimising risks
(i.e. potential for FNs).

Level 3 very aggressive parsing which deals with a wide range of broken
HTML. Would make decisions which will reduce FPs to a minimum but at the
risk of allowing more FNs.


With my experience of the phishing net detector so far I would choose to
operate it at level 3.

Thanks.

Quentin 
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." 
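The comparison discussed above, as an added example that is not MailScanner's code and not from either poster: rather than chopping the href at "mailto:" or "?" before a string compare, parse it and compare the host a client would actually contact. The helper names are mine, and the lookalike pair in the driver is constructed for illustration.

```python
"""Added example, not MailScanner code: decide whether a link's visible text
and its real target name the same place by parsing the URL (RFC 3986)
instead of chopping strings at "mailto:" or "?".  Helper names are mine."""
from urllib.parse import urlsplit


def real_host(target: str) -> str:
    """Host a mail client or browser would actually contact for `target`."""
    t = target.strip()
    low = t.lower()
    # mailto: links (and bare addresses shown as link text) have no host;
    # use the mailbox domain so "mailto:a@x.org" shown as "a@x.org" agrees.
    if low.startswith("mailto:") or ("://" not in t and "/" not in t and "@" in t):
        addr = t[len("mailto:"):] if low.startswith("mailto:") else t
        addr = addr.split("?", 1)[0]            # drop ?subject=... headers
        return addr.rsplit("@", 1)[-1].lower()
    if "://" not in t:
        t = "http://" + t                       # bare host, as in the log lines
    # urlsplit ends the authority at the first "/", "?" or "#", so a query
    # glued straight onto the host (no "/" before the "?") still parses, and
    # any user:pass@ in front of the host is separated from it instead of
    # being compared as part of the name.
    return (urlsplit(t).hostname or "").lower()


def looks_like_phishing(href: str, shown: str) -> bool:
    """True when the displayed link text names a different host than the
    target, which is what the phishing net is meant to flag."""
    return real_host(href) != real_host(shown)


if __name__ == "__main__":
    # Constructed pairs: the two log entries from the thread plus one
    # lookalike that hides the real host behind user@ (RFC 3986 userinfo).
    pairs = [
        ("mailto:orders@ebnerandsons.com", "orders@ebnerandsons.com"),
        ("www.airmileswineclub.co.uk?wine_11-04=true", "www.airmileswineclub.co.uk"),
        ("http://www.example-bank.com@evil.example/", "www.example-bank.com"),
    ]
    for href, shown in pairs:
        verdict = "phishing" if looks_like_phishing(href, shown) else "ok"
        print(f"{verdict:8} {shown!r} -> {real_host(href)}")
```

The first two pairs, which the thread reports as false positives, compare equal; the third is flagged because the parsed host is the one after the "@".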
