Handling phishing false positives

David Lee t.d.lee at DURHAM.AC.UK
Fri Jan 21 16:21:24 GMT 2005


Just over two weeks ago, we installed MS 4.37.7 and kept its new:
    Find Phishing Fraud = yes

We have had very little adverse criticism in that time, but there has been
one user asking about a false positive.

I realise the setting can be a ruleset.  So theoretically, we could begin
to use that as users request that certain external sources be, in effect,
whitelisted.  But I see this as a potentially long piece of string (we
have a local user population of around 20,000) and some maintenance issues
lurking.  (How long do we keep things?  Who authorises what should be
cleaned out (and when)?)

I recall that in the early days of MS's anti-phishing, there was a
significant number of false positives, and that Julian tightened up the
code to try to address many of these.  (I recall that Quentin Campbell of
Newcastle provided input to this reduction process.)  Nevertheless (and
probably inevitably) the possibility of f.p.s will remain.

1. Julian: Do you have a mechanism by which we can report "false positives"
    to you so that you can see whether there are other criteria that might
    help you reduce even further the f.p. rate in MS?

2. Most of us probably regard the technique of:
       <a href="http://ugly.thing"> http://looks.nice.com/ </a>
    as undesirable (even if technically legal) and that there is a case
    for trying to educate the creators of many (most?) such things.

    Might it be worth us (the MailScanner community) developing a simple,
    short paragraph or text that we can hand to our local users who receive
    such things, for them to pass on to the external people who sent them?
    (This could be included in the MS distribution.)


--

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :
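
The link pattern from point 2 and the per-source whitelisting discussed in the message, as an added example that is not part of the original post and is not MailScanner's own code: a Python check that flags anchors whose displayed text is a URL on a different host than the href. The `allowed_hosts` parameter and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Displayed text counts as "a URL" if it is a bare host name or http(s) URL.
URL_TEXT = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#].*)?$", re.I)

class LinkAudit(HTMLParser):
    """Collect (href_host, displayed_host) for anchors whose text looks like a URL."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href = None      # href of the anchor currently open, if any
        self.text = []        # text fragments seen inside that anchor
        self.pairs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = URL_TEXT.match("".join(self.text).strip())
            real = (urlsplit(self.href).hostname or "").lower()
            if shown and real:
                self.pairs.append((real, shown.group(1).lower()))
            self.href = None

def mismatched_links(html, allowed_hosts=frozenset()):
    """Return (href_host, displayed_host) pairs that differ and are not allow-listed."""
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return [(real, shown) for real, shown in audit.pairs
            if real != shown and real not in allowed_hosts]

# Constructed sample: one disguised link, one honest link, one plain-text link.
SAMPLE = ('<p><a href="http://ugly.thing"> http://looks.nice.com/ </a> '
          '<a href="http://looks.nice.com/x">looks.nice.com</a> '
          '<a href="http://ugly.thing/">Click here</a></p>')

if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
    print(mismatched_links(SAMPLE, allowed_hosts={"ugly.thing"}))
```

The host comparison is exact, so a link shown as `looks.nice.com` that points at a tracking or `www.` variant of the same site is also flagged; those are the cases an allow-list entry would have to cover.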
