Fraud and Phishing detection

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Wed Aug 16 20:19:10 IST 2006


DAve wrote:
> I did, and I have. But I only get to see the page *after* MS has
> disabled it.
> 
> I have clients asking "Why?". They are not complaining, just asking
> how it works, they are glad we are disabling suspected fraud. I would
> like to say what the system is looking for and provide a valid
> example in before and after states.
> 
> The bottom line, it works, and works well. But I don't want to sound
> stooopid because I can't explain how it works with confidence.

In a nutshell it compares the purported URL with the underlying one, and
if they're different it flags it unless it's in the whitelist.  For
example www.mybank.com might point to w3.someservername.mybank.com;
whatever they're using for a web or mail server.  It's probably
legitimate.  Or it may be a message that says www.ebay.com but points to
some server in Russia.  MS will ding that one.

I'm sure it's much more complicated than that under the hood, but if
you're trying to explain it to non-technical users, that's the gist of
it.  I think...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
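
Added example, not part of the original post and not MailScanner's own code: a minimal version of the check described above, comparing the host shown in a link's text with the host in its href and skipping destinations on a whitelist. The whitelist contents, the choice to key it on the destination host, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: whitelist is keyed on the real destination host (constructed entry).
WHITELIST = {"w3.someservername.mybank.com"}
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]|$)", re.I)

def host_of(text):
    """Return the lowercase host if the link text looks like a URL or hostname, else None."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:          # only collect text inside an <a>
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = host_of("".join(self.text))                  # purported host
        actual = (urlsplit(self.href).hostname or "").lower()  # underlying host
        # Flag only when the text claims a host, it differs, and the target is not whitelisted.
        if shown and actual and shown != actual and actual not in WHITELIST:
            self.findings.append((shown, actual))
        self.href = None

def audit(html):
    """Return a list of (purported_host, underlying_host) mismatches."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample message body: whitelisted mismatch, flagged mismatch, plain-text link.
SAMPLE = (
    '<a href="http://w3.someservername.mybank.com/login">www.mybank.com</a>'
    '<a href="http://login.example.net/ebay">www.ebay.com</a>'
    '<a href="http://www.example.org/news">Read more</a>'
)
```

audit(SAMPLE) reports only the www.ebay.com link; links whose text is not a hostname ("Read more") are never compared.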

