Anti fraud FPs
João Gouveia
jgouveia at GMAIL.COM
Thu Aug 18 11:44:14 IST 2005
On 8/18/05, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> Ah, okay, I misunderstood you. The phishing net does handle certain
> text within square brackets specially, so your putting other text
> inside square brackets would have been a perfectly valid problem to
> All you need to do is add the site to your phishing.safe.sites.conf
> file, that's what it is there for.
That would be a solution for specific sites that trigger the rules.
Not as a generic solution to avoid the FPs generated by common
> If you can come up with a way of differentiating ".NET",".Net" or
> ".net" from ".net" then I am all ears :-)
The problem is that a simple sentence is being indicated as a fraud
attempt. There's nothing differentiating a sentence from a URL or URI,
besides the TLD check that can match normal sentences when they
contain words like "info" or "biz", or any TLD that's a regular word.
For example, I wrote above:
"That would be a solution for specific sites that trigger the rules.
Not as a generic solution to avoid the FPs. "
If "not" were a valid TLD, and that sentence was inside a link,
the message would be flagged as a fraud attempt with something like:
MailScanner has detected a possible fraud attempt from
"www.google.com" claiming to be That would be a solution for specific
sites that trigger the rules. Not as a generic solution to avoid the
I understand that fixing that might open a window for other kinds of
attacks, but I cannot afford having my boss (just an example)
complain that our system said that his mail was a "fraud attempt", so
at the moment I'm facing two choices:
1) Deactivate that trigger
2) Patch MailScanner so it would trigger only if there's a good
chance of the content being a URI. A good way to do this is to look
at the URIDNSBL plugin code from SpamAssassin. It seems to work OK.
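
An added example, not part of the original message and not MailScanner's or SpamAssassin's code: it contrasts a loose "text contains a TLD" test with a stricter test that only treats link text as a claimed site when the whole text parses as a hostname. The short TLD list, both function bodies and the sample links are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed short TLD list; a real check would load the full list.
TLDS = {"biz", "com", "info", "net", "org", "uk"}

# Loose stand-in for the behaviour described above: a dot followed by a TLD word.
NAIVE_RE = re.compile(r"\.\s*(?:" + "|".join(sorted(TLDS)) + r")\b", re.I)

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"(?:{LABEL}\.)+([a-z]{{2,}})")

def strict_host(link_text):
    """Return the hostname the link text claims, or None if it reads as prose."""
    t = link_text.strip().lower()
    if not t or any(c.isspace() for c in t):
        return None                      # sentences have whitespace, hostnames do not
    if "://" not in t:
        t = "http://" + t
    try:
        host = urlsplit(t).hostname or ""
    except ValueError:                   # e.g. unbalanced "[" in the text
        return None
    m = HOST_RE.fullmatch(host)
    # Limitation: a bare product name such as "ASP.NET" still parses as a host.
    return host if m and m.group(1) in TLDS else None

def flag(link_text, href, strict=True):
    """True if the link text claims a site other than the one the href points to."""
    real = (urlsplit(href).hostname or "").lower()
    if strict:
        claimed = strict_host(link_text)
        return claimed is not None and claimed != real
    return bool(NAIVE_RE.search(link_text)) and real not in link_text.lower()

# Constructed sample links: (visible text, href)
SAMPLES = [
    ("That is a fix for sites that trigger the rules. Info on the rest follows.",
     "http://www.google.com/"),
    ("Microsoft .NET Framework download", "http://www.microsoft.com/"),
    ("www.mybank.com", "http://198.51.100.7/login"),
    ("www.example.com", "http://www.example.com/page"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"naive={flag(text, href, strict=False)!s:5} "
              f"strict={flag(text, href)!s:5} {text[:40]!r}")
```
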