False Positives with Email Signatures

Steve Freegard steve.freegard at fsl.com
Fri Jan 18 01:00:10 GMT 2008

Johnny Stork wrote:
> We are running defenderMX on a clients gateway machine and there are 
> many emails getting tagged as "FRAUD" which I believe are the various 
> phishing checks. What is triggering these are messages where people have 
> a web site url in their signatures. What is the best way to eliminate 
> these false positives without reducing the number/level of checks?
> We tried adding the senders email address in 'Is Definately Not Spam" 
> but this didnt make any difference.

Spam != Phishing, so whitelisting will not have any effect.  The 
whitelist is for Spam checks only.

> We are also asking this of FSL but thought there may be other MX users 
> here not to mention some "general" suggestions from the MS community

The issue and solution are simple, make sure that the domain inside the 
href matches the link text if you are repeating the domain text e.g.

<a href="http://www.fsl.com">www.fsl.com</a>

In your case, there is a typo in the href which reads 'wwww' instead of 
'www', so the text is different and therefore the phishing checks catch 
this and the subject gets tagged with [Fraud?].

Fix the typo and all will be well.

Kind regards,

More information about the MailScanner mailing list