Phishing fraud question

Julian Field mailscanner at ecs.soton.ac.uk
Thu Oct 14 14:05:41 IST 2004


<x-flowed>
At 12:25 14/10/2004, you wrote:
>On Thu, 14 Oct 2004 11:08:11 +0100, Julian Field wrote:
> > >Are the majority of the false positives like the example you just sent,
> > >i.e. a different page on the same host?
> >
> > Mostly, but not all.
> >
> > >If so, perhaps you could decide to flag as dangerous content if and only
> > >if the host is different? After all, if the link is simply going
> > >somewhere else on the same site there is little, if any, real danger.
> >
> > Trying to match up any more than I already do is fraught with problems.
> > People can add in usernames, passwords, all sorts of things to make parsing
> > the URL very hard. At the moment I only have to look at the "simple" stuff
> > at the beginning.
>
>Huh? Surely just checking the host would involve matching up *less*, not
>more. If there's any difference in what's between the http:// and the
>first / (or, as was pointed out on sa-users, if there's a difference in
>scheme, e.g. http masquerading as https) then flag as dangerous; if the
>only difference is after the first single slash then don't. This would
>cut down FPs without adding any significant FNs.

You are absolutely right. I have incorporated the change.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
</x-flowed>
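The rule the thread settles on, as an added example that is not part of the original post or of MailScanner's own code: when the visible link text is itself a URL, compare only the scheme and the part between `scheme://` and the first single `/` (userinfo, host and port) against the real `href`, and flag the link only when those differ. A different path on the same host is not flagged, which removes the false positives described above, while `http` posing as `https` or a different host still is. The sample anchor tags and all host names are constructed for the example; `is_disguised_link` and `scan_html` are names chosen here, not functions of the project.

```python
import re
from urllib.parse import urlsplit

# Constructed sample <a> tags, as they might appear in an HTML message body.
SAMPLE_HTML = """
<a href="http://www.example.com/support/faq.html">http://www.example.com/index.html</a>
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>
<a href="http://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://attacker.example.net/">Click here</a>
<a href="http://www.example.com@203.0.113.9/">http://www.example.com/</a>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT_RE = re.compile(r'^\s*(https?://\S+)\s*$', re.I)


def host_and_scheme(url):
    """Return (scheme, authority), where authority is everything between
    'scheme://' and the first single '/': userinfo, host and port.
    Comparing the whole authority rather than a parsed hostname means an
    href that smuggles in a 'user@' prefix counts as a different host."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), parts.netloc.lower()


def is_disguised_link(href, link_text):
    """Flag only when the visible text is itself a URL and its scheme or
    authority differs from the real target. A different path on the same
    host is deliberately not flagged (the false-positive case from the thread)."""
    m = URL_TEXT_RE.match(link_text)
    if not m:
        return False  # link text is plain words; nothing to compare against
    return host_and_scheme(href) != host_and_scheme(m.group(1))


def scan_html(html):
    """Return a list of (href, visible text, flagged) for every anchor found."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        results.append((href, text.strip(), is_disguised_link(href, text)))
    return results


if __name__ == "__main__":
    for href, text, flagged in scan_html(SAMPLE_HTML):
        print(("DANGEROUS " if flagged else "ok        ") + f"{text!r} -> {href}")
```

The first sample line (same host, different page) is the case that was producing false positives and now passes; the second, third and fifth are flagged for a different host, a different scheme, and a userinfo prefix respectively. The fourth has non-URL link text, so there is nothing to compare and it is left alone, exactly as the thread's rule implies.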
