Phishing detection gets confused by malformed HTML

Julian Field MailScanner at ecs.soton.ac.uk
Fri Feb 18 09:00:23 GMT 2005


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

I'll definitely give that some thought, thanks.

John Wilcock wrote:

> John Wilcock wrote:
>
>> <a href="http://phisher.com"/><span style=invisible>
>> phisher.com</span>yourbank.<span style=tiny> </span>com</a>
>>
>> I can't see any way you could detect things like that and worse, yet not
>> trigger on my example above. Forget I asked - you're one step ahead of
>> most of us as usual.
>
>
> One false positive yesterday where I think your phishing net *has* been
> over-zealous:
>
>> <a href= "http://erp.ittoolbox.com/news/nr.asp?i=126520">
>> <font color="red"><b>MailScanner has detected a possible fraud attempt
>> from "erp.ittoolbox.com" claiming to be</b></font> To start up
>> here, companies hire over there</a>
>
>
> Presumably this is due to the comma in there which could conceivably be
> used to disguise a URL.
>
> Idea: would it be possible to be more lenient with what you allow if
> there's no markup within the <a> tag, and only apply your more
> aggressive net if it looks like the sender is using markup (small size,
> white on white or whatever) to disguise ordinary text as a URL, as in my
> example quoted at the top of this message.
>
> By "more lenient" I'm thinking along the lines of only triggering if
> there's something looks more like a URL, e.g. require that there be a
> dot followed by an actual TLD (either a known gTLD or any two-letter
> ccTLD) in there, for example.
>
> John.
>
> --
> -- Over 2500 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages    - www.tradoc.fr
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list