Feature Request: Phishing

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 18 14:50:32 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Would you need fancy things like regexp patterns and/or wildcards, or
would simple website hostnames do? Website hostnames that I can look up
in a hash will be *considerably* faster. Then the size of the list won't
affect the time it takes to do a lookup. Checking everything like I do
with a ruleset at the moment is very slow, especially if the list grew
large.

Do people want features or speed?

Julian Field wrote:

> You can already do this with a ruleset based on the sender's email
> address. But the whitelist for this really needs to be URL-based, not
> email address-based, agreed.
>
> I'll take a look into providing a whitelist for the URL's that are
> checked in the phishing net. It would indeed come in very handy. I could
> whitelist e-mail.egg.com!
>
> Pentland G. wrote:
>
>> Julian,
>>
>> I think a possible solution could be to include a "phishing whitelist",
>> not quite sure how the concept would work yet as I'm thinking aloud a
>> little.
>>
>> This would allow a disarm action to be used as I suspect if your users
>> are broadly like mine, the complaints are likely to be from a small
>> group of mailing list users and those mails could be whitelisted around
>> the phishing code?
>>
>> Thoughts?
>>
>> Julian Field wrote:
>>
>>
>>> I purposely didn't do that as there is an inevitable false alarm
>>> rate. I don't even tag the Subject: line. Having a valid (false
>>> positive) link removed would annoy my users very quickly!
>>>
>>> Roger Jochem wrote:
>>>
>>>
>>>
>>>> I'd would like to have a way of "disarming" phishing frauds from the
>>>> e-mail instead of warning the user about it.  Could it be done?
>>>> Something like removing the <a href...> from the e-mail, disabling
>>>> the fraud. Even warning my users, some of them open the link. Maybe
>>>> because they're curious about it... Is it possible?
>>>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list