Phishing fraud question

John Wilcock john at TRADOC.FR
Thu Oct 14 12:25:03 IST 2004


On Thu, 14 Oct 2004 11:08:11 +0100, Julian Field wrote:
> >Are the majority of the false positives like the example you just sent,
> >i.e. a different page on the same host?
> 
> Mostly, but not all.
> 
> >If so, perhaps you could decide to flag as dangerous content if and only
> >if the host is different? After all, if the link is simply going
> >somewhere else on the same site there is little, if any, real danger.
> 
> Trying to match up any more than I already do is fraught with problems.
> People can add in usernames, passwords, all sorts of things to make parsing
> the URL very hard. At the moment I only have to look at the "simple" stuff
> at the beginning.

Huh? Surely just checking the host would involve matching up *less*, not
more. If there's any difference in what's between the http:// and the
first / (or, as was pointed out on sa-users, if there's a difference in
scheme, e.g. http masquerading as https) then flag as dangerous; if the
only difference is after the first single slash then don't. This would
cut down FPs without adding any significant FNs. Or am I missing
something?

John.

-- 
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
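The check John describes above (flag a link only when the scheme or anything between `://` and the first single `/` differs between the visible text and the real href, and leave path-only differences alone), written out as an added example. This is not MailScanner's own code (MailScanner is Perl; this is Python, using only the standard library) and the hostnames and the 203.0.113.5 address in the samples are constructed. It also shows how the `user:pass@` trick Julian mentions falls out naturally when you compare the parsed hostname rather than the raw text: `urlsplit().hostname` returns the host the browser would actually connect to, whatever is written before the `@`. The `URL_LIKE` regex deciding whether link text makes a URL claim at all is my own heuristic, not anything from the thread.

```python
import re
from urllib.parse import urlsplit

# Link text counts as a URL claim if it carries a scheme or at least looks
# like "host.tld[/path]"; anything else ("Click here") makes no claim and
# so cannot be compared. Heuristic, assumed for this example.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?[\w.-]+\.[a-z]{2,}(?::\d+)?(?:[/?#]\S*)?$", re.I)


def _origin(url):
    """Return (scheme, host, port) for a URL or URL-looking link text.

    Text such as 'www.example.com/account' has no scheme; assume http.
    urlsplit().hostname discards any 'user:pass@' prefix and lower-cases
    the host, so what gets compared is the host the browser would really
    connect to, not whatever is written in front of the '@'.
    Raises ValueError for a netloc it cannot make sense of (for example a
    non-numeric port).
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme.lower(), host, parts.port   # .port may raise ValueError


def check_link(link_text, href):
    """Compare the visible link text with the real href.

    Returns (flagged, reason). The link is flagged only when the text
    promises a different scheme, host or port than the href delivers;
    a difference that starts after the first single '/' (the path) is
    left alone, which is the false-positive case from the thread.
    """
    text = link_text.strip()
    if not URL_LIKE.match(text):
        return False, "link text is not a URL, nothing to compare"
    try:
        shown = _origin(text)
        real = _origin(href)
    except ValueError as exc:
        return True, "unparseable URL: %s" % exc
    for label, a, b in zip(("scheme", "host", "port"), shown, real):
        if a != b:
            return True, "%s differs: text says %r, link goes to %r" % (label, a, b)
    return False, "same origin, only the path differs"


if __name__ == "__main__":
    # Constructed sample links; hosts and the 203.0.113.5 address are
    # illustrative, not taken from the thread.
    samples = [
        ("http://www.example.com/", "http://www.example.com/account/update"),
        ("https://www.example.com/login", "http://www.example.com/login"),
        ("http://www.example.com/login", "http://www.example.com:login@203.0.113.5/"),
        ("http://www.example.com", "http://www.example.com.attacker.example/"),
        ("http://www.example.com/", "http://www.example.com:8080/"),
        ("Click here", "http://203.0.113.5/"),
    ]
    for text, href in samples:
        flagged, why = check_link(text, href)
        print("%-7s %-32s -> %s\n        %s" % ("DANGER" if flagged else "ok", text, href, why))
```

The first sample is the same-host, different-path case that was generating false positives; it passes. The third is the `host:password@realhost` form: the text says www.example.com but the parsed hostname is 203.0.113.5, so it is flagged without any attempt to parse the userinfo by hand. Note that a bare IP address as link text is not matched by `URL_LIKE`, so it would be treated as making no claim; tighten the regex if that matters for your mail.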
