Handling phishing false positives

Thomas R McBride tom at cci.net
Tue Jan 25 19:52:48 GMT 2005



Regarding the phishing ruleset in 4.37.7:
I have been unable to get that ruleset to work,
either setting the default setting to yes or no.
When setting the default to no, it still flags phishing attempts.
When setting the default to yes, the domains set to no are still flagged.

When changing the MailScanner.conf setting to not use a ruleset,
it works as expected.


====================================================
Thomas McBride         CORPORATE COMPUTER, INC.
Voice 206.365.3113     11300 25th AVE NE
Fax   206.365.2526     Seattle Washington 98125-6639
Email tom at cci.net      U.S.A
Help  helpdesk at cci.net
====================================================


>
>
> Just over two weeks ago, we installed MS 4.37.7 and kept its new:
>     Find Phishing Fraud = yes
>
> We have had very little adverse criticism in that time, but there has been
> one user asking about a false positive.
>
> I realise the setting can be a ruleset.  So theoretically, we could begin
> to use that as users request that certain external sources be, in effect,
> whitelisted.  But I see this as a potentially long piece of string (we
> have a local user population of around 20,000) and some maintenance issues
> lurking.  (How long do we keep things?  Who authorises what should be
> cleaned out (and when)?)
>
> I recall that in the early days of MS's anti-phishing, there was a
> significant number of false positives, and that Julian tightened up the
> code to try to address many of these.  (I recall that Quentin Campbell of
> Newcastle provided input to this reduction process.)  Nevertheless (and
> probably inevitably) the possibility of f.p.s will remain.
>
> 1. Julian: Do you have a mechanism by which we can report "false positives"
>     to you so that you can see whether there are other criteria that might
>     help you reduce even further the f.p. rate in MS?
>
> 2. Most of us probably regard the technique of:
>        <a href="http://ugly.thing"> http://looks.nice.com/ </a>
>     as undesirable (even if technically legal) and that there is a case
>     for trying to educate the creators of many (most?) such things.
>
>     Might it be worth us (the MailScanner community) developing a simple,
>     short paragraph or text that we can hand to our local users who receive
>     such things, for them to pass on to the external people who sent them?
>     (This could be included in the MS distribution.)
>
>
> --
>
> :  David Lee                                I.T. Service          :
> :  Senior Systems Programmer                Computer Centre       :
> :                                           University of Durham  :
> :  http://www.dur.ac.uk/t.d.lee/            South Road            :
> :                                           Durham                :
> :  Phone: +44 191 334 2752                  U.K.                  :
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
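
The link form in point 2 of the quoted message can be checked mechanically, and doing so also shows where false positives come from. The following Python sketch is an added example, not MailScanner's code and not part of either post; the function and class names, the `allowed_href_hosts` allowlist and every sample host other than the two quoted above are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself reads as a URL or bare hostname; group 1 is the host.
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]|$)", re.I)

class LinkAudit(HTMLParser):
    """Collects (href_host, text_host) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.links = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        try:
            href_host = (urlsplit(self.href).hostname or "").lower()
        except ValueError:            # malformed href, nothing to compare
            href_host = ""
        m = HOSTLIKE.match("".join(self.text).strip())
        self.links.append((href_host, m.group(1).lower() if m else None))
        self.href = None

def mismatched_links(html, allowed_href_hosts=()):
    """Return (href_host, text_host) pairs where the text names another host.

    allowed_href_hosts is a hypothetical local allowlist of link targets
    (for example a newsletter's click tracker) reported as false positives.
    """
    allowed = {h.lower() for h in allowed_href_hosts}
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return [(h, t) for h, t in parser.links
            if h and t and h != t and h not in allowed]

# Constructed sample body: the first link is the form quoted in the message.
SAMPLE = """
<a href="http://ugly.thing"> http://looks.nice.com/ </a>
<a href="http://www.example.org/news">Click here</a>
<a href="http://track.mailer.example/c?id=1">www.example.org</a>
<a href="http://www.example.org/a">http://www.example.org/a</a>
"""
```

On the sample, the third link is the typical false positive: a legitimate mailing whose visible hostname differs from its click-tracking target, which only an allowlist entry suppresses.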
