Suggested phishing net tuning

Alex Neuman van der Hans alex at nkpanama.com
Mon Nov 22 14:03:16 GMT 2004


There *is* a "Level 4" as well... Disable HTML! :D Seriously, though, I
don't get that many phishing e-mails so I don't have your experience in that
area, but I agree with you wholeheartedly.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Quentin Campbell
Sent: Monday, November 22, 2004 3:42 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Suggested phishing net tuning

>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 20 November 2004 12:24
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Suggested phishing net tuning
>
>Quentin Campbell wrote:
>
>>Julian
>>
>>I have seen repeated examples of log entries similar to:
>>
>>Nov 19 05:21:10 cheviot5 MailScanner[14191]: Found phishing fraud from
>>orders at ebnerandsons.com claiming to be mailto:orders at ebnerandsons.com
>>
>>and
>>
>>Nov 19 05:30:34 cheviot5 MailScanner[14082]: Found phishing fraud from
>>www.airmileswineclub.co.uk?wine_11-04=true claiming to be
>>www.airmileswineclub.co.uk
>>
>>Why might it be dangerous to strip the prefixing "mailto:" in the first
>>example
>>
>Sounds fair enough.
>
>> and the appended script & arguments in the second before doing the
>>comparison?
>>
>>
>I am wary of doing that as (a) there should be a / before the ? and (b)
>could the ? be part of a username or password passed to the http server
>which could therefore be used to evade the phishing net?

There must be enough expertise on this list which could help you here by
coming together to create an informed consensus on these sorts of issues.
Dean Liversidge has made a contribution already. What about the rest of you
helping Julian out too?

It looks like tuning the phishing detector code will be a complex and
ongoing task since there is so much broken HTML around that seems to be
tolerated by display systems.

The one thing I am sure about is that unless the false positive rate can be
significantly reduced the phishing detector will be unusable at many sites.
I am under pressure to disable the feature here. I have tried to reduce FPs
where possible by using rulesets to exempt our sending domains. In the end
though it will have to be more sophisticated parsing.

A suggestion I would like to make is to enable the "phishing net"
feature with one of 3 "risk" levels:

Level 1 would use your current, conservative, parsing. This means,
potentially, high rates of FPs because you would treat broken HTML as risky
and thus flag it.

Level 2 more aggressive parsing to reduce FPs while minimising risks (i.e.
potential for FNs).

Level 3 very aggressive parsing which deals with a wide range of broken
HTML. Would make decisions which will reduce FPs to a minimum but at the
risk of allowing more FNs.


With my experience of the phishing net detector so far I would choose to
operate it at level 3.

Thanks.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
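Added example, not MailScanner's own code and not written by anyone in this thread: a small Python check that compares a link's visible text with its href at the three strictness levels Quentin proposes, then re-runs that check over the two log entries quoted above. Levels 2 and 3 hand the href to a URL parser and compare the host a client would actually contact, rather than chopping the string at "mailto:" or "?", which is the cautious way to handle Julian's point that a "?" might sit inside the userinfo part. The exact rule for each level, the helper names (`host_of`, `is_phishing`, `reclassify`), the "www." tolerance at level 3, and the re-joined one-line copies of the log entries are all assumptions of this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed copies of the two log entries quoted in the thread, re-joined
# onto one line each, with the archive's "at" address mangling reversed.
SAMPLE_LOG = [
    "Nov 19 05:21:10 cheviot5 MailScanner[14191]: Found phishing fraud from "
    "orders@ebnerandsons.com claiming to be mailto:orders@ebnerandsons.com",
    "Nov 19 05:30:34 cheviot5 MailScanner[14082]: Found phishing fraud from "
    "www.airmileswineclub.co.uk?wine_11-04=true claiming to be "
    "www.airmileswineclub.co.uk",
]
LOG_RE = re.compile(r"Found phishing fraud from (\S+) claiming to be (\S+)")
# What we accept as a host name after parsing (assumed, deliberately plain).
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def host_of(ref: str) -> Optional[str]:
    """Host a client would actually contact for `ref`, lower-cased, or None
    if the reference is not host-like (e.g. the text "click here").

    mailto: references yield the domain after '@'.  A bare reference with no
    scheme is parsed as http so that urlsplit can split off the authority.
    The parser, not string slicing at '?', decides where the host ends and
    discards any userinfo ("user@") or port in front of it.
    """
    ref = ref.strip()
    if ref.lower().startswith("mailto:"):
        host = ref[len("mailto:"):].rpartition("@")[2]
    else:
        if "://" not in ref:
            ref = "http://" + ref
        host = urlsplit(ref).hostname or ""
    host = host.lower()
    return host if HOST_RE.fullmatch(host) else None


def _strip_www(host: str) -> str:
    """Assumed level-3 relaxation: 'www.example.org' and 'example.org' agree."""
    return host[4:] if host.startswith("www.") else host


def is_phishing(href: str, link_text: str, level: int = 1) -> bool:
    """Decide whether the visible link text misrepresents the href.

    level 1: literal comparison (the thread's "current, conservative" check);
             any decoration such as "mailto:" or "?wine_11-04=true" is a hit.
    level 2: compare only the parsed host, ignoring scheme, mailto:, query
             string, userinfo, port and case.
    level 3: as level 2 but also tolerate a leading "www." on one side only.
    """
    if level <= 1:
        return href.strip() != link_text.strip()
    claimed = host_of(link_text)
    if claimed is None:
        return False  # text is not a host or address: nothing to compare
    actual = host_of(href) or ""
    if level >= 3:
        actual, claimed = _strip_www(actual), _strip_www(claimed)
    return actual != claimed


def reclassify(log_lines: List[str], level: int) -> List[Tuple[str, str, bool]]:
    """Re-run the comparison at `level` over MailScanner log lines of the
    form quoted in the thread; returns (href, claimed text, still flagged)."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            href, claimed = m.groups()
            results.append((href, claimed, is_phishing(href, claimed, level)))
    return results


if __name__ == "__main__":
    for level in (1, 2, 3):
        for href, claimed, flagged in reclassify(SAMPLE_LOG, level):
            print(f"level {level}: {href!r} vs {claimed!r} -> "
                  f"{'FLAG' if flagged else 'ok'}")
```

Run as-is, both thread entries are flagged at level 1 and pass at levels 2 and 3, while an href of the form "http://www.paypal.example@evil.example/" shown as "www.paypal.example" is still flagged at every level, because `urlsplit(...).hostname` reports the host after the "@" as the one actually contacted. That is the reason for parsing instead of slicing: whatever a lenient mail client makes of a stray "?" or "@", the comparison is done on the component the parser identifies as the host, so a decoration that changes the destination cannot be trimmed away by accident.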
