Feature Request: Phishing

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 18 17:17:14 GMT 2005



How about this? Anyone want to test it for me please? I'll put out a new
beta if you want it.

There is now a new configuration option:

# There are some companies, such as banks, that insist on sending out
# email messages with links in them that are caught by the "Find Phishing
# Fraud" test described above.
# This is the name of a file which contains a list of link destinations
# which should be ignored in the test. This may, for example, contain
# the known websites of some banks.
# See the file itself for more information.
# This can only be the name of the file containing the list, it *cannot*
# be the filename of a ruleset.
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf

The contents of the example file are as follows:

#
# This file contains the list of all the sites which can be safely
# ignored in the "phishing fraud" checks.
# The entries here are 1 per line, and are the full hostnames of
# the *real* destinations of links which would be caught by the checks.
# So if you had HTML that looked like this:
#
#     Please tell us at <a href="http://email.bank.com/">Bank.com</a>
#
# then you should add
#     email.bank.com
# to this file.
#
# Note: Do not add any form of wildcard, regular expression or anything
#       other than a fully qualified hostname to this file. It won't work.

www.example.com




John Wilcock wrote:

> Julian Field wrote:
>
>> John Wilcock wrote:
>>
>>> I can't see a need for regexes. Simple wildcards (*.domain.com) would be
>>> more convenient but by no means essential, at least judging by the
>>> sample of phishing mail we get here.
>>
>>
>> Wildcards would be no better than allowing full regexps. It would need
>> to be full hostnames of the website concerned. Is that okay?
>
>
> I'll vote for that, yes.
>
>>
>>> Or how about a wacky idea - an option to look the hostname up in a
>>> DNS-based whitelist, SURBL-style. For particularly large whitelists I
>>> expect the performance from a local rbldnsd server ought to be good
>>> enough.
>>
>>
>>
>> Eek! Sounds like a good idea, but I think very very few people would
>> actually use it.
>
>
> Probably true, unless of course someone with good connectivity were to
> set up a *publicly-available* DNS-based phishing URL whitelist that we
> could all contribute to.
>
> John.
>
> --
> -- Over 2500 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages    - www.tradoc.fr
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
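
Added example, not part of the original message and not MailScanner's own code: Python that loads a file in the phishing.safe.sites.conf format shown above and exempts links by exact hostname match only. The link-text versus destination comparison is a simplified stand-in for the "Find Phishing Fraud" test, and the function names, the rejection of non-hostname entries and the sample entries are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample in the file format shown above (entries are assumptions).
SAFE_SITES_CONF = """\
# sites ignored by the phishing fraud check
www.example.com
email.bank.com
*.bank.com
"""
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def load_safe_sites(text):
    """Return (safe set, rejected entries); only full hostnames are accepted."""
    safe, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:  # wildcards and regexes fail the FQDN pattern and are rejected
            (safe if FQDN.match(entry) else rejected).append(entry)
    return set(safe), rejected

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html, safe):
    """Flag links whose text names a host other than the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        # Exact match on the *real* destination: subdomains are not exempted.
        if shown and shown.group(1).lower() != real and real not in safe:
            flagged.append((real, shown.group(1)))
    return flagged
```

Because the exemption is an exact set lookup on the real destination, listing email.bank.com does not exempt login.email.bank.com or any other host under the same domain.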
