IP phishing false positive
Mark Nienberg
mark at TIPPINGMAR.COM
Fri Apr 15 20:30:44 IST 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
Denis Beauchemin wrote:
> Mark Nienberg wrote:
>
>> MailScanner is warning about phishing fraud for links that contain IP
>> addresses even if the IP address matches the display text.
>> <http://192.168.254.43>Example:
>>
>> MailScanner has detected a possible fraud attempt from "192.168.1.1"
>> claming to be http://192.168.1.1
>>
>> MailScanner 4.40.11-1
>>
> Marc,
>
> This is probably why:
> # While detecting "Phishing" attacks, do you also want to point out links
> # to numeric IP addresses. Genuine links to totally numeric IP addresses
> # are very rare, so this option is set to "yes" by default. If a numeric
> # IP address is found in a link, the same phishing warning message is
> used
> # as in the Find Phishing Fraud option above.
> # This can also be the filename of a ruleset.
> Also Find Numeric Phishing = yes
>
> Denis
>
I think it should first make sure the link and the display name are
different before it flags as fraudulent. There is no fraud attempt if
the two match.
--
Mark Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave
Berkeley, CA 94704
http://www.tippingmar.com
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list