Phishing Filter Question

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Mon Mar 19 15:46:40 CET 2007


am.lists wrote:
> On 3/19/07, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
>> am.lists wrote:
>> > I'm currently fighting some usability issues surrounding the phishing
>> > filter.
>> >
>> > The perfect example to share is Google Alert emails. Every link is
>> > flagged due to the way that the email is crafted. (sample screenshot:
>> > http://tinyurl.com/27yx68 )
>> >
>> > In reading the phishing filter file, I understand how it works, but
>> > the way Google Alerts works, in particular, and combined with phishing
>> > sites being updated daily, this seems to be quite a problem. How can I
>> > be more forgiving without losing the functionality? If I turn off
>> > highlighting, how can users still know that there is suspicious (but
>> > maybe harmless) content?
>> >
>> > I don't want to lose the functionality and security that this
>> > provides, but I don't want to alienate my users by continually
>> > alerting them to things that are actually harmless.
>> >
>> > My settings are:
>> >
>> > Find Phishing Fraud = yes
>> > Also Find Numeric Phishing = yes
>> > Use Stricter Phishing Net = yes
>> > Highlight Phishing Fraud = yes
>> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
>> >
>> > This is MailScanner 4.58.9
>> >
>> >
>> > Best,
>> >
>> > Angelo
>> Angelo,
>>
>> Why don't you use a ruleset for "Find Phishing Fraud" with the value
>> "false" for "googlealerts-noreply at google.com" (assuming this is the
>> envelope sender) and true as default?
>>
>> Denis
>>
>
> Will that actually work?  My understanding, after reading the comments
> in the config files, is that if you have a message like so:
>
> from: bob at nowhere.org
>
> come see [a href=redir.nowhere.org/someplace]nowhere.org at your
> earliest convenience[/a]
>
> That would flag as redir.nowhere.org claiming to be nowhere.org at
> your earliest convenience.
>
> And what goes in the whitelist file is "redir.nowhere.org"
>
> But you're saying to add bob at nowhere.org?
>
> I can't find in the docs where that's supported as a fix.
>
> Angelo
Angelo,

I am not suggesting using the phishing whitelist but rather not using 
the phishing net at all for some senders.  I haven't tried it but I'm 
pretty sure you can do something like this:
Find Phishing Fraud = %rules-dir%/phishing.rules

where phishing.rules contains:
From:    googlealerts-noreply at google.com   no
FromOrTo:   default   yes

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

