Suggested phishing net tuning
Quentin Campbell
Q.G.Campbell at NEWCASTLE.AC.UK
Tue Nov 23 10:58:07 GMT 2004
>-----Original Message-----
>From: MailScanner mailing list
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Alex Neuman
>van der Hans
>Sent: 22 November 2004 14:03
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Suggested phishing net tuning
>
>There *is* a "Level 4" as well... Disable HTML! :D Seriously, though, I
>don't get that many phishing e-mails so I don't have your experience in
>that area, but I agree with you wholeheartedly.
>
Alex
The problem with the phishing net catching non-phishing messages is a
major issue here.
When it catches real phishing spam it is fine. In fact it flagged three
delivered to my mailbox overnight.
However we get a lot of false positives flagged by the code and users
are getting increasingly angry and vocal about genuine messages being
messed up by the warnings.
It looks like I will have to disable the feature here. In a typical 24
hour period the logs show that the phishing detector flagged 17,740
"possible fraud" attempts.
I suspect the majority of these are false positives although this could
include a lot of mail that is otherwise spam but not fraudulent in the
"phishing" sense.
We also found that a lot of outgoing mail from here was being flagged
until I set up a ruleset to exempt mail from our domains. This is a
warning for other sites. We are increasingly moving users to
Outlook/Exchange and OWA which, unless the defaults are correctly set,
can mean that mail is sent as RTF by default. Users in any case will
often prefer to send e-mail in HTML. These behaviours have serious
consequences.
The conversion that Microsoft does to change text to RTF is broken. It
can unexpectedly turn a simple line in a message signature into a
hypertext link that gets flagged by the "phishing net" code. It also
generates HTML that is simply wrong and/or redundant and can cause other
undesirable side effects.
Quentin
---
PHONE: +44 191 222 8209 Information Systems and Services (ISS),
University of Newcastle,
Newcastle upon Tyne,
FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."