Anti fraud FPs

Julian Field MailScanner at ecs.soton.ac.uk
Thu Aug 18 11:18:47 IST 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ah, okay, I misunderstood you. The phishing net does handle certain  
text within square brackets specially, so you're putting other text  
inside squares brackets would have been a perfectly valid problem to  
raise.

All you need to do is add the site to your phishing.safe.sites.conf  
file, that's what it is there for.

If you can come up with a way of differentiating ".NET",".Net" or  
".net" from ".net" then I am all ears :-)

On 18 Aug 2005, at 11:11, João Gouveia wrote:

> Hi,
>
> On 8/18/05, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Well your posting to the list reached me perfectly intact, so that
>>
>
> That would be because I've replaced all < and > with [ and ], and sent
> a plain text message (no html in it), so it WOULD reach you. :-)
> I can send the HTML message, but if that one is blocked, it doesn't
> make much sense sending it does it?
>
>
>> would imply that more recent versions do not suffer this problem. The
>> phishing net is a constantly changing beast (if a net can be a  
>> beast :-)
>>
>> On 18 Aug 2005, at 00:39, João Gouveia wrote:
>>
>>
>>> Hi all,
>>>
>>> We're getting some FPs with the standard "claiming to be" anti
>>> fraud message.
>>> This happens because people send (ham) HTML email messages that
>>> contain HREFs with content that's beeing wrongly interpreted as a  
>>> URI.
>>> Some examples of messages triggering the anti fraud warning
>>>
>>> * [a href="http://www.google.com"]This triggers. Info it's beeing
>>> interpreted as a TL.D.[/a]
>>>
>>> * Check this article about [a href="http://www.google.com"]standard
>>> features of Microsoft .NET[/a]
>>>
>>> Is this the standard behaviour for recent versions of MailScanner?
>>> We're using 4.41.
>>> Although right now we have only a few complains, I'm thinking about
>>> turning of this anti-fraud mechanism because I feal it's prone to
>>> cause too many FPs.
>>> What does your experience say?
>>>
>>> Thanks.
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> - --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.0.2 (Build 2425)
>>
>> iQA/AwUBQwRF7BH2WUcUFbZUEQJ+fQCfUdk6d1S6rwxzlV1LpZgRen7iWZAAoL/T
>> jfGQG+4rrEKTCCsMjCEVZcEU
>> =p7pF
>> -----END PGP SIGNATURE-----
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

- -- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)

iQA/AwUBQwRgixH2WUcUFbZUEQII2wCgw5VRYqfv0AtoLbKWyYUjivNfFp4An3tU
7FtEV3K4j48eHegLeVB0EfmU
=DXAY
-----END PGP SIGNATURE-----

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list