Handling phishing false positives

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 25 20:23:05 GMT 2005



Have you reloaded (i.e. SIGHUP) MailScanner or restarted it after making
changes to its configuration?
The ruleset code is exactly the same as that used for all the other
options; there is little reason to believe it doesn't work.

Has anyone else had any problems with this?

Thomas R McBride wrote:

>Regarding phishing ruleset in 4.37.7:
>I have been unable to get that ruleset to work,
>either setting the default setting to yes or no.
>When setting the default to no, it still flags phishing attempts.
>When setting the default to yes, the domains set to no are still flagged.
>
>Changing the MailScanner.conf setting to not use a ruleset
>works as expected.
>
>
>
>>Just over two weeks ago, we installed MS 4.37.7 and kept its new:
>>    Find Phishing Fraud = yes
>>
>>We have had very little adverse criticism in that time, but there has been
>>one user asking about a false positive.
>>
>>I realise the setting can be a ruleset.  So theoretically, we could begin
>>to use that as users request that certain external sources be, in effect,
>>whitelisted.  But I see this as a potentially long piece of string (we
>>have a local user population of around 20,000) and some maintenance issues
>>lurking.  (How long do we keep things?  Who authorises what should be
>>cleaned out (and when)?)
>>
>>I recall that in the early days of MS's anti-phishing, there was a
>>significant number of false positives, and that Julian tightened up the
>>code to try to address many of these.  (I recall that Quentin Campbell of
>>Newcastle provided input to this reduction process.)  Nevertheless (and
>>probably inevitably) the possibility of f.p.s will remain.
>>
>>1. Julian: Do you have a mechanism by which we can report "false positives"
>>    to you so that you can see whether there are other criteria that might
>>    help you reduce even further the f.p. rate in MS?
>>
>>2. Most of us probably regard the technique of:
>>       <a href="http://ugly.thing"> http://looks.nice.com/ </a>
>>    as undesirable (even if technically legal) and that there is a case
>>    for trying to educate the creators of many (most?) such things.
>>
>>    Might it be worth us (the MailScanner community) developing a simple,
>>    short paragraph or text that we can hand to our local users who receive
>>    such things, for them to pass on to the external people who sent them?
>>    (This could be included in the MS distribution.)
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
