Rules for Fraud detection

Rick Chadderdon mailscanner at yeticomputers.com
Tue Jan 8 15:13:29 GMT 2008


Ronny T. Lampert wrote:
> MailScanner marks mails a fraud if there is a link with differing text.
> But it does that regardless if the text looks like an URL or not, e.g.
>
> (a href=http://erp.system/action?123) [APPROVE] (/a)
>
> Wouldn't it be good to not do it for those kind of links where the
> text does not resemble an URL?

I can understand why you might think so, but I personally prefer that
people don't even use clickable links in email.  For my userbase, it's
best that anything that would be clickable that does not display its URL
gets broken out as "fraud" by the phishing net.

Otherwise, things like:

To collect your one million dollars click (a
href="http://www.infectyourmachine.com/")here!(/a)

would have a much greater chance of, well, infecting their machines. 
Perhaps it would be okay as an optional switch, but I certainly like it
the way it is.  I tell my clients not to open file attachments directly
from their email client and to never click on embedded links in email,
but...  they're users.  What more can I say?

Rick


More information about the MailScanner mailing list