Phishing Filter Question

am.lists am.lists at gmail.com
Mon Mar 19 16:41:05 CET 2007


On 3/19/07, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
> am.lists wrote:
> > On 3/19/07, Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> wrote:
> >> am.lists wrote:
> >> > I'm currently fighting some usability issues surrounding the phishing
> >> > filter.
> >> >
> >> > The perfect example to share is Google Alert emails. Every link is
> >> > flagged due to the way that the email is crafted. (sample screenshot:
> >> > http://tinyurl.com/27yx68 )
> >> >
> >> > In reading the phishing filter file, I understand how it works, but
> >> > the way Google Alerts works, in particular, and combined with phishing
> >> > sites being updated daily, this seems to be quite a problem. How can I
> >> > be more forgiving without losing the functionality? If I turn off
> >> > highlighting, how can users still know that there is suspicious (but
> >> > maybe harmless) content?
> >> >
> >> > I don't want to lose the functionality and security that this
> >> > provides, but I don't want to alienate my users by continually
> >> > alerting them to things that are actually harmless.
> >> >
> >> > My settings are:
> >> >
> >> > Find Phishing Fraud = yes
> >> > Also Find Numeric Phishing = yes
> >> > Use Stricter Phishing Net = yes
> >> > Highlight Phishing Fraud = yes
> >> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> >> >
> >> > This is MailScanner 4.58.9
> >> >
> >> >
> >> > Best,
> >> >
> >> > Angelo
> >> Angelo,
> >>
> >> Why don't you use a ruleset for "Find Phishing Fraud" with the value
> >> "false" for "googlealerts-noreply at google.com" (assuming this is the
> >> envelope sender) and true as default?
> >>
> >> Denis
> >>
> >
> > Will that actually work?  My understanding, after reading the comments
> > in the config files, is that if you have a message like so:
> >
> > from: bob at nowhere.org
> >
> > come see [a href=redir.nowhere.org/someplace]nowhere.org at your
> > earliest convenience[/a]
> >
> > That would flag as redir.nowhere.org claiming to be nowhere.org at
> > your earliest convenience.
> >
> > And what goes in the whitelist file is "redir.nowhere.org"
> >
> > But you're saying to add bob at nowhere.org?
> >
> > I can't find in the docs where that's supported as a fix.
> >
> > Angelo
> Angelo,
>
> I am not suggesting using the phishing whitelist but rather not using
> the phishing net at all for some senders.  I haven't tried it but I'm
> pretty sure you can do something like this:
> Find Phishing Fraud = %rules-dir%/phishing.rules
>
> where phishing.rules contains:
> From:    googlealerts-noreply at google.com   no
> FromOrTo:   default   yes
>
> Denis

Ahhhh.. I see.

Well... I'm not sure I want to manage that, as I can see how this
could go nuts keeping up with those entries.

I've turned off the highlighting for now.

Thanks again,

Angelo

