Handling phishing false positives

Thomas R McBride tom at cci.net
Tue Jan 25 23:52:15 GMT 2005



I do full restarts after changing rules.
I also believed it must be something I was doing
wrong and have been trying various things for about
2 weeks with little luck.
The other rulesets I have all work fine.

Thanks


>
>
> Have you reloaded (i.e. SIGHUP) MailScanner or restarted it after making
> changes to its configuration?
> The ruleset code is exactly the same as that used for all the other
> options, there is little reason to believe it doesn't work.
>
> Has anyone else had any problems with this?
>
> Thomas R McBride wrote:
>
> >Regarding phishing ruleset  in  4.37.7
> >I have been unable to get that ruleset to work
> >either setting the default setting to yes or no
> >when setting the default to no it still flags phishing attempts
> >when setting the default to yes the domains set to no still are flagged.
> >
> >When changing the MailScanner.conf setting to not use ruleset
> >works as expected --.
> >
> >
> >
> >>Just over two weeks ago, we installed MS 4.37.7 and kept its new:
> >>    Find Phishing Fraud = yes
> >>
> >>We have had very little adverse criticism in that time, but there has
> >>been one user asking about a false positive.
> >>
> >>I realise the setting can be a ruleset.  So theoretically, we could
> >>begin to use that as users request that certain external sources be,
> >>in effect, whitelisted.  But I see this as a potentially long piece of
> >>string (we have a local user population of around 20,000) and some
> >>maintenance issues lurking.  (How long do we keep things?  Who
> >>authorises what should be cleaned out (and when)?)
> >>
> >>I recall that in the early days of MS's anti-phishing, there was a
> >>significant number of false positives, and that Julian tightened up
> >>the code to try to address many of these.  (I recall that Quentin
> >>Campbell of Newcastle provided input to this reduction process.)
> >>Nevertheless (and probably inevitably) the possibility of f.p.s will
> >>remain.
> >>
> >>1. Julian: Do you have a mechanism by which we can report "false
> >>    positives" to you so that you can see whether there are other
> >>    criteria that might help you reduce even further the f.p. rate in
> >>    MS?
> >>
> >>2. Most of us probably regard the technique of:
> >>       <a href="http://ugly.thing"> http://looks.nice.com/ </a>
> >>    as undesirable (even if technically legal) and that there is a
> >>    case for trying to educate the creators of many (most?) such
> >>    things.
> >>
> >>    Might it be worth us (the MailScanner community) developing a
> >>    simple, short paragraph or text that we can hand to our local
> >>    users who receive such things, for them to pass on to the external
> >>    people who sent them?
> >>    (This could be included in the MS distribution.)
> >>
> >>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
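
The link pattern quoted in the thread (visible text that names one host while the href points at another), checked in code. This is an added example, not part of the original messages and not MailScanner's own code; `find_mismatched_links` and `allowed_hosts` are hypothetical names, and the allow list of link target hosts is an assumed stand-in for the whitelisting the thread discusses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text counts as a claimed destination only if it looks like a URL/hostname.
_URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:[/?#].*)?$", re.I)

def _shown_host(text):
    m = _URLISH.match(text.strip())
    return m.group(1).lower() if m else None

class _LinkMismatchFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (host shown to the reader, host actually linked)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = _shown_host("".join(self._text))
        real = (urlsplit(self._href).hostname or "").lower()
        # Plain-word link text ("click here") makes no claim, so it is not flagged.
        if shown and real and shown != real:
            self.findings.append((shown, real))
        self._href = None

def find_mismatched_links(html, allowed_hosts=frozenset()):
    """Return (shown, real) pairs, skipping links whose real host is allow-listed."""
    finder = _LinkMismatchFinder()
    finder.feed(html)
    finder.close()
    return [(s, r) for s, r in finder.findings if r not in allowed_hosts]

# Constructed sample: the link quoted in the thread plus two benign links.
SAMPLE = ('<a href="http://ugly.thing"> http://looks.nice.com/ </a> '
          '<a href="http://www.example.com/x">www.example.com</a> '
          '<a href="http://tracker.example.net/">Click here</a>')
```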
