Handling phishing false positives

John Wilcock john at TRADOC.FR
Mon Jan 24 09:08:34 GMT 2005

Julian Field wrote:
> The code has changed a bit since 4.37, so hopefully the FP rate has
> dropped.
> Other than that, report FP's to me and I'll see what I can do.

The FP rate has indeed dropped. About the only FPs I'm still seeing with
4.38.4 that it ought to be possible to detect are cases with some text
within the <a> tags in addition to the correct URL:

> Click here to <a href="http://www.example.com/">visit www.example.com</a>

I'm also seeing cases of text that looks vaguely like a URL but isn't
getting detected:

> <a href="http://www.example.com/">All about .net technology</a>

Also, I just sent myself the examples above to an externally-hosted
address as a test message. As a result they passed through MailScanner
twice, and got detected as phishing on the way out *and* again on the
way back in! But I guess fixing the above cases will effectively stop
this double detection in its tracks.

> Click here to <a href="http://www.example.com/"></b></font><font
> color="red"><b>MailScanner has detected a possible fraud attempt from
> "www.example.com" claiming to be</b></font> <font
> color="red"><b>MailScanner has detected a possible fraud attempt from
> "www.example.com" claiming to be visit www.example.com</a><br>


-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
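
As an added example (not part of the original post, and not MailScanner's own code): a link-text/href comparison that stays quiet on both false-positive cases reported above. It assumes the check should fire only when the visible text contains a hostname-like token that differs from the href host; `HOST_RE`, `AnchorCollector`, `suspicious_links` and the `SAMPLES` messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname-like token: at least one label before the last dot, alphabetic TLD.
# A bare ".net" has no leading label, so it is never treated as a hostname.
HOST_RE = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}(?![\w-])", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html):
    """Return (href_host, claimed_host) pairs where the text names another host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        real = (urlsplit(href).hostname or "").lower()
        if not real:
            continue  # relative links, mailto:, etc. carry no host to compare
        for claimed in HOST_RE.findall(text):
            if claimed.lower() != real:
                findings.append((real, claimed.lower()))
    return findings

# Constructed sample messages: the two reported FP shapes and one real mismatch.
SAMPLES = {
    "extra_text": 'Click here to <a href="http://www.example.com/">visit www.example.com</a>',
    "dot_net": '<a href="http://www.example.com/">All about .net technology</a>',
    "mismatch": '<a href="http://www.example.net/login">www.example.com</a>',
}
```

Because only hostname-like tokens are compared, a message that has already been annotated with a warning naming the same host is not flagged again on a second pass.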
