Anti fraud FPs

João Gouveia jgouveia at GMAIL.COM
Thu Aug 18 11:44:14 IST 2005



On 8/18/05, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
(..)
> Ah, okay, I misunderstood you. The phishing net does handle certain
> text within square brackets specially, so your putting other text
> inside square brackets would have been a perfectly valid problem to
> raise.
> 
> All you need to do is add the site to your phishing.safe.sites.conf
> file, that's what it is there for.

That would be a solution for specific sites that trigger the rules.
Not as a generic solution to avoid the FPs generated by common
sentences.

> If you can come up with a way of differentiating ".NET", ".Net" or
> ".net" from ".net" then I am all ears :-)

The problem is that a simple sentence is being indicated as a fraud
attempt. There's nothing differentiating a sentence from a URL or URI,
besides the TLD check that can match normal sentences when they
contain words like "info" or "biz", or any TLD that's a regular word.
For example, I wrote above:
"That would be a solution for specific sites that trigger the rules.
Not as a generic solution to avoid the FPs. "
If "not" were a valid TLD, and that sentence was inside a link,
the message would be flagged as a fraud attempt with something like:

"
MailScanner has detected a possible fraud attempt from
"www.google.com" claiming to be That would be a solution for specific
sites that trigger the rules. Not as a generic solution to avoid the
FPs
" 

I understand that fixing that might open a window for other kinds of
attacks, but I cannot afford having my boss (just an example)
complain that our system said that his mail was a "fraud attempt", so
at the moment I'm facing two choices:

1)  Deactivate that trigger
2)  Patch MailScanner so it would trigger only if there's a good
chance of the content being a URI. A good way to do this is to look
at the URIDNSBL plugin code from SpamAssassin. It seems to work ok.

Best regards,

Joao Gouveia
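
Added example, not part of the original message and not MailScanner or SpamAssassin code: a sketch of choice 2, comparing the link text with the real target only when the whole text is URI-shaped. The TLD list, the function names and the `naive_tld_hit` stand-in for a TLD-only test are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed TLD list for the demo; "not" is the hypothetical TLD from the post.
TLDS = ("com", "net", "org", "info", "biz", "not")
TLD_ANYWHERE = re.compile(r"\.\s*(?:%s)\b" % "|".join(TLDS), re.I)
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def naive_tld_hit(text):
    """Simplified stand-in for a TLD-only test: any '.tld' in the text counts."""
    return TLD_ANYWHERE.search(text) is not None


def claimed_host(text):
    """Host the link text claims to be, or None if the text is not URI-shaped."""
    token = text.strip().rstrip(".,;:!?").lower()
    if not token or re.search(r"\s", token):
        return None  # sentences contain whitespace, URIs do not
    if "://" not in token:
        token = "//" + token  # lets urlsplit parse a bare hostname
    try:
        host = urlsplit(token).hostname
    except ValueError:
        return None
    labels = (host or "").split(".")
    if len(labels) < 2 or labels[-1] not in TLDS:
        return None
    return host if all(LABEL.match(label) for label in labels) else None


def is_fraud_candidate(href, text):
    """Flag only when the text is URI-shaped and names a different host."""
    claimed = claimed_host(text)
    if claimed is None:
        return False
    return claimed != (urlsplit(href).hostname or "").lower()


# Constructed samples: (href, link text).
SENTENCE = ("That would be a solution for specific sites that trigger the "
            "rules. Not as a generic solution to avoid the FPs.")
SAMPLES = [
    ("http://www.google.com/", SENTENCE),
    ("http://www.google.com/", "Microsoft .NET Framework"),
    ("http://www.google.com/", "www.example.com"),
    ("http://www.example.com/a", "http://www.example.com/"),
]

if __name__ == "__main__":
    for href, text in SAMPLES:
        print(naive_tld_hit(text), is_fraud_candidate(href, text), text[:40])
```

A single token such as "ASP.NET" still parses as a hostname here, so this narrows the false positives on sentences without resolving the ".NET" versus ".net" case raised in the quoted reply.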
