Fraud and Phishing detection

DAve dave.list at
Wed Aug 16 20:41:06 IST 2006

Kevin Miller wrote:
> DAve wrote:
>> I did, and I have. But I only get to see the page *after* MS has
>> disabled it.
>> I have clients asking "Why?". They are not complaining, just asking
>> how it works, they are glad we are disabling suspected fraud. I would
>> like to say what the system is looking for and provide a valid
>> example in before and after states.
>> The bottom line, it works, and works well. But I don't want to sound
>> stooopid because I can't explain how it works with confidence.
> In a nutshell it compares the purported URL with the underlying one, and
> if they're different it flags it unless it's in the whitelist.  For
> example might point to;
> whatever they're using for a web or mail server.  It's probably
> legitimate.  Or it may be a message that says but points to
> some server in Russia.  MS will ding that one.
> I'm sure it's much more complicated than that under the hood, but if
> you're trying to explain it to non-technical users, that's the gist of
> it.  I think...
> ...Kevin

That is what I'm been saying after a "very quick" glance at the source 
code and a few messages.

I have one example I use, I wasn't sure if MS would catch more that this.

<a href=""></a>



Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for

Maybe they forgot who made that choice possible.

More information about the MailScanner mailing list