Fraud and Phishing detection

Julian Field mailscanner at ecs.soton.ac.uk
Wed Aug 16 21:06:45 IST 2006


DAve wrote:
> Kevin Miller wrote:
>> DAve wrote:
>>> I did, and I have. But I only get to see the page *after* MS has
>>> disabled it.
>>>
>>> I have clients asking "Why?". They are not complaining, just asking
>>> how it works, they are glad we are disabling suspected fraud. I would
>>> like to say what the system is looking for and provide a valid
>>> example in before and after states.
>>>
>>> The bottom line, it works, and works well. But I don't want to sound
>>> stooopid because I can't explain how it works with confidence.
>>
>> In a nutshell it compares the purported URL with the underlying one, and
>> if they're different it flags it unless it's in the whitelist.  For
>> example www.mybank.com might point to w3.someservername.mybank.com;
>> whatever they're using for a web or mail server.  It's probably
>> legitimate.  Or it may be a message that says www.ebay.com but points to
>> some server in Russia.  MS will ding that one.
>>
>> I'm sure it's much more complicated than that under the hood, but if
>> you're trying to explain it to non-technical users, that's the gist of
>> it.  I think...
>>
>> ...Kevin
> 
> That is what I've been saying after a "very quick" glance at the source 
> code and a few messages.
> 
> I have one example I use, I wasn't sure if MS would catch more than this.
> 
> <a href="http://thisurldontmatch.com">http://thisurlisdifferent.com</a>

See the newly updated www.phishingnet.info site.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
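
The comparison Kevin describes in the thread (purported URL against the underlying one, with a whitelist exception), as an added Python example that is not part of the original posts and is not MailScanner's own code. The function names, the allowlist entry and the strict host-equality rule are assumptions made for illustration; what MailScanner checks beyond this is not shown on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist entry, taken from the "mybank" illustration in the thread.
ALLOWLIST = {"w3.someservername.mybank.com"}
# Link text is treated as a purported URL only when it looks like a host or URL.
HOST_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:[/?#].*)?$", re.I)

def shown_host(text):
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None

def href_host(href):
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed authority part; nothing to compare
        return ""

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def suspicious_links(html, allowlist=ALLOWLIST):
    """Return (shown host, real host) for anchors whose text names another host."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        shown, actual = shown_host(text), href_host(href)
        if shown and actual and shown != actual and actual not in allowlist:
            hits.append((shown, actual))
    return hits

# First anchor is the thread's own example; the second is constructed.
SAMPLE = ('<a href="http://thisurldontmatch.com">http://thisurlisdifferent.com</a>'
          '<a href="http://w3.someservername.mybank.com/">www.mybank.com</a>')
```

Calling `suspicious_links(SAMPLE)` reports only the first anchor; links whose visible text is not itself a host or URL (for example "Click here") are outside what this comparison can judge.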



