Phishing fraud question
Julian Field
mailscanner at ecs.soton.ac.uk
Thu Oct 14 09:59:44 IST 2004
<x-html>
<html>
<body>
Here's an excerpt from an Abbey National phishing scam.<br><br>
<br>
<pre>To log into your account, please visit the online banking
<a href="http://200.153.201.119:16780/"><font color="red"><b>MailScanner has detected a possible fraud attempt from http://200.153.201.119:16780/</b></font>
http://www.abbey.com</a>
If you have questions about your online statement,
please send us a Bank Mail or call us at 1-800-374-9700
</pre>And a false positive:<br><br>
<br>
since 2001; and Otylia Jedrzejczak of Poland who won a gold medal in
Athens in the 200m butterfly finals and has committed to auctioning her
medal to help raise money for children suffering from leukemia. The
European Heroes were chosen as 'they inspire, create, devote themselves
to others, and even risk their lives...' <br>
<a href="http://www.time.com/time/europe/hero2004/mcarthur.html"><font color="red"><b>MailScanner has detected a possible fraud attempt from http://www.time.com/time/europe/hero2004/mcarthur.html</b></font>
www.time.com<br><br>
</a>&lt;&lt;B&amp;Q&gt;&gt; UNDERGOES 'ROUND THE WORLD'
REFIT...<br>
Since returning to her French base in Lorient in mid-September, the
75-foot trimaran <br><br>
Sorry for the HTML post, but you need to see it in bold red.<br>
If you don't like the text/style, feel free to suggest
improvements.<br><br>
I just think that flagging the false positive as "banned
content" or "dangerous content" is going too
far.<br><br>
At 09:51 14/10/2004, you wrote:<br>
<blockquote type=cite class=cite cite="">Julian<br><br>
To help us give informed feedback can you please put on this list
an<br>
example "phishing" message [perhaps faked so that existing
rules will<br>
not tag it!] which has your additional warning text. I need to see
what<br>
our users would get in order to judge whether it is enough to alert
them<br>
to the possible danger of the message.<br><br>
It would also be helpful if you could include as well an example
false<br>
positive with enough text lines before and after the duff link and<br>
warning text to give enough context.<br><br>
There is a balance to be struck here. The warning text needs to be<br>
"intrusive" enough to alert our users, particularly overseas
students,<br>
of the dangers of a true phishing message.<br><br>
On the other hand it will give rise to complaints if it appears too<br>
intrusive in the case of false positives.<br><br>
Thanks <br><br>
Quentin<br>
---<br>
PHONE: +44 191 222 8209 Information Systems and
Services (ISS),<br>
University of Newcastle,<br>
Newcastle upon Tyne,<br>
FAX: +44 191 222 8765 United Kingdom, NE1
7RU.<br>
------------------------------------------------------------------------<br>
"Any opinion expressed above is mine. The University can get its
own." <br><br>
>-----Original Message-----<br>
>From: MailScanner mailing list <br>
>[<a href="mailto:MAILSCANNER at JISCMAIL.AC.UK" eudora="autourl">mailto:MAILSCANNER at JISCMAIL.AC.UK</a>]
On Behalf Of Julian Field<br>
>Sent: 14 October 2004 09:32<br>
>To: MAILSCANNER at JISCMAIL.AC.UK<br>
>Subject: Phishing fraud question<br>
><br>
>I want your opinion.<br>
><br>
>When things like scripts and forms are detected in emails, <br>
>they are just<br>
>quietly disarmed without any subject line tagging at all.<br>
><br>
>Should I do the same with phishing fraud attempts? The warning in
the<br>
>message will be put in right next to the offending link.<br>
><br>
>It's just that phishing detection does detect quite a few <br>
>false positives<br>
>due to the stupidity of a lot of newsletter authors who put <br>
>"fake" links in<br>
>their material. I don't want people to become used to seeing <br>
>"{Dangerous<br>
>Content?}" or whatever, and therefore ignoring it.<br>
><br>
>I have tagged the subject line so far, and I think it is <br>
>already starting<br>
>to cause problems. I am tending towards removing the subject
tag.<br>
><br>
>Any thoughts please?<br>
>--<br>
>Julian Field<br>
><a href="http://www.mailscanner.info/" eudora="autourl">www.MailScanner.info</a><br>
>MailScanner thanks transtec Computers for their support<br>
>Buy the MailScanner book at
<a href="http://www.mailscanner.info/store" eudora="autourl">www.MailScanner.info/store</a><br>
><br>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415
B654<br>
><br>
>------------------------ MailScanner list
------------------------<br>
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:<br>
>'leave mailscanner' in the body of the email.<br>
>Before posting, read the MAQ
(<a href="http://www.mailscanner.biz/maq/" eudora="autourl">http://www.mailscanner.biz/maq/</a>)
and<br>
>the archives
(<a href="http://www.jiscmail.ac.uk/lists/mailscanner.html" eudora="autourl">http://www.jiscmail.ac.uk/lists/mailscanner.html</a>).<br>
><br>
><br><br>
</blockquote></body>
<br>
<div>-- </div>
<div>Julian Field</div>
<div><a href="http://www.mailscanner.info/" EUDORA=AUTOURL>www.MailScanner.info</a></div>
<div>MailScanner thanks transtec Computers for their support</div>
<div>Buy the MailScanner book at
<a href="http://www.mailscanner.info/store" EUDORA=AUTOURL>www.MailScanner.info/store</a></div>
<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</html>
</x-html>