Handling phishing false positives

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jan 21 16:31:41 GMT 2005



The latest beta includes a "phishing whitelist" so that in your example
below you would add
    ugly.thing
to the whitelist file and it would not be caught by the phishing net.

This means you can pretty much eliminate false positives altogether
after a while.

David Lee wrote:

> Just over two weeks ago, we installed MS 4.37.7 and kept its new:
>    Find Phishing Fraud = yes
>
> We have had very little adverse criticism in that time, but there has
> been one user asking about a false positive.
>
> I realise the setting can be a ruleset.  So theoretically, we could begin
> to use that as users request that certain external sources be, in effect,
> whitelisted.  But I see this as a potentially long piece of string (we
> have a local user population of around 20,000) and some maintenance
> issues lurking.  (How long do we keep things?  Who authorises what should
> be cleaned out (and when)?)
>
> I recall that in the early days of MS's anti-phishing, there was a
> significant number of false positives, and that Julian tightened up the
> code to try to address many of these.  (I recall that Quentin Campbell of
> Newcastle provided input to this reduction process.)  Nevertheless (and
> probably inevitably) the possibility of f.p.s will remain.
>
> 1. Julian: Do you have a mechanism by which we can report "false
>    positives" to you so that you can see whether there are other criteria
>    that might help you reduce even further the f.p. rate in MS?
>
> 2. Most of us probably regard the technique of:
>       <a href="http://ugly.thing"> http://looks.nice.com/ </a>
>    as undesirable (even if technically legal) and that there is a case
>    for trying to educate the creators of many (most?) such things.
>
>    Might it be worth us (the MailScanner community) developing a simple,
>    short paragraph or text that we can hand to our local users who
>    receive such things, for them to pass on to the external people who
>    sent them?  (This could be included in the MS distribution.)
>
>
> --
>
> :  David Lee                                I.T. Service          :
> :  Senior Systems Programmer                Computer Centre       :
> :                                           University of Durham  :
> :  http://www.dur.ac.uk/t.d.lee/            South Road            :
> :                                           Durham                :
> :  Phone: +44 191 334 2752                  U.K.                  :
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
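
The check discussed in this thread, sketched as an added example (this is not MailScanner's code, which is written in Perl): flag a link whose visible text names one host while its href points at another, unless the href host is whitelisted. The whitelist format (one hostname per line, "#" comments) and the names host_of, load_whitelist, LinkAudit and audit are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(value):
    """Hostname of a URL-looking string (http://, https:// or www.), else None."""
    value = value.strip()
    if not re.match(r"(?:https?://|www\.)", value, re.I):
        return None          # plain text such as "Click here" names no host
    if not re.match(r"https?://", value, re.I):
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower() or None

def load_whitelist(text):
    """Assumed format: one hostname per line, '#' starts a comment."""
    entries = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {e for e in entries if e}

class LinkAudit(HTMLParser):
    def __init__(self, whitelist):
        super().__init__()
        self.whitelist, self.href, self.text, self.findings = whitelist, None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real, shown = host_of(self.href), host_of("".join(self.text))
        self.href = None
        # Report only when the text claims a host, it differs from the real
        # target, and the real target has not been whitelisted.
        if real and shown and real != shown and real not in self.whitelist:
            self.findings.append((real, shown))

def audit(html, whitelist_text=""):
    """Return (href_host, displayed_host) pairs for mismatched links."""
    parser = LinkAudit(load_whitelist(whitelist_text))
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input, using the hostnames from the thread.
SAMPLE = ('<a href="http://ugly.thing"> http://looks.nice.com/ </a> '
          '<a href="http://looks.nice.com/x">http://looks.nice.com/</a> '
          '<a href="http://ugly.thing/">Click here</a>')
```

With an empty whitelist only the first link in SAMPLE is reported; adding ugly.thing to the whitelist text clears it, which matches the behaviour described above.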
