Suggested phishing net tuning (more examples)

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Mon Nov 22 09:43:07 GMT 2004


Julian

What version can this Message.pm be applied to?

Also I know it's a pain, but would a full beta be better so us users can
track where we are?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Julian Field wrote:
> I have worked in checks for these and also for mailto links. Please keep
> providing the feedback, this is by nature a very fuzzy matching system
> and it will take time to perfect it.
>
> Quentin Campbell wrote:
>
>> Julian
>>
>> A difficult false positive example is:
>>
>> Nov 19 04:15:18 cheviot5 MailScanner[14191]: Found phishing fraud from
>> support at pegasusworks.com?subject=unsubscriberequest for
>> j.bloggs at ncl.ac.uk
>> claiming to be emailsupport at pegasusworks.com
>>
>> Is it impossible to parse this safely before comparing the strings?
>>
>> A more common type of false positive is:
>>
>> Nov 19 05:51:14 cheviot5 MailScanner[14163]: Found phishing fraud from
>> www.worldonaplate.com claiming to be worldonaplate.com
>>
>> I can see why you might be unwilling to remove the "www." from the actual
>> link before doing the comparison but is it really that unsafe?
>>
>> What is a good and useful feature still has a false positive rate that is
>> unacceptably high.
>>
>> Could your editing of the strings in the hypertext link be done more
>> aggressively before comparison? I know this may risk a possible rise in
>> the false negative rate but there are other detectors in MailScanner which
>> you acknowledge have a non-zero false negative rate.
>>
>> I would be willing to see the false negative rate increase slightly in
>> order to reduce the number of times we cry "wolf!"
>>
>> Quentin
>> --
>> PHONE: +44 191 222 8209     Computing Service, University of Newcastle
>> FAX:   +44 191 222 8765     Newcastle upon Tyne, United Kingdom, NE1 7RU.
>> -------------------------------------------------------------------------
>> "Any opinions expressed above are mine. The University can get its own."
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

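An added example (not part of the thread and not MailScanner's own code) of the normalisation Quentin asks about: the link target and its visible text are both reduced to a bare host before comparison, so the two logged false positives pass while a real host mismatch is still flagged. The function names are hypothetical, the pairs are constructed from the log lines above with the archive's " at " read as "@", and example.com/example.net are placeholders.

```python
import re

def link_host(value: str) -> str:
    """Reduce a link target or its visible text to a comparable host name."""
    s = re.sub(r"\s+", "", value).lower()
    s = re.sub(r"^(?:[a-z][a-z0-9+.-]*://|mailto:)", "", s)  # drop the scheme
    s = re.split(r"[/?#]", s, maxsplit=1)[0]   # drop path, ?subject=..., fragment
    s = s.rsplit("@", 1)[-1]                   # drop mailbox local part / userinfo
    s = re.sub(r":\d+$", "", s).rstrip(".")    # drop port and trailing dot
    # Trade-off raised in the thread: treating "www.X" and "X" as the same site
    # removes a common false positive at the cost of a slightly looser match.
    if s.startswith("www.") and s.count(".") >= 2:
        s = s[4:]
    return s

def looks_like_host(text: str) -> bool:
    """Only compare when the visible text itself names a host or address."""
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", link_host(text)) is not None

def is_mismatch(href: str, text: str) -> bool:
    """True when the visible text claims one host and the link goes to another."""
    return looks_like_host(text) and link_host(href) != link_host(text)

# Constructed sample pairs: (actual link, visible text)
SAMPLES = [
    ("mailto:support@pegasusworks.com?subject=unsubscriberequest",
     "emailsupport@pegasusworks.com"),                  # logged false positive 1
    ("http://www.worldonaplate.com/", "worldonaplate.com"),  # logged false positive 2
    ("http://login.example.net/account", "www.example.com"),  # genuine mismatch
    ("http://www.example.com/", "Click here"),          # text names no host
]

def check_samples():
    """Return (link host, text host, flagged) for each constructed pair."""
    return [(link_host(h), link_host(t), is_mismatch(h, t)) for h, t in SAMPLES]

if __name__ == "__main__":
    for (href, text), (lh, th, flagged) in zip(SAMPLES, check_samples()):
        verdict = "FLAG" if flagged else "ok"
        print(f"{verdict:4}  link={lh!r:22} text={th!r:22} <- {href}")
```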