Safe "Phishing"

[giga328 <gi...@hotmail.com>]

I have question about one list from MailScanner. It is list at
http://www.mailscanner.info/phishing.safe.sites.conf.master and here is part
of text from it:
This file contains the list of all the sites which can be safely ignored in
the "phishing fraud" checks.

My question can it be used by SpamAssassin and is there a point of using it
by some rule which can produce negative score?

I can presume that other list from MailScanner at
http://www.mailscanner.eu/phishing.bad.sites.conf.master is not suggested to
be used because URI RBLs are better.

I just started using SpamAssassin and I would like to see some opinion from
more expirienced users.

Regards,
Giga

-- 
View this message in context: http://www.nabble.com/Safe-%22Phishing%22-tp15224704p15224704.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Safe "Phishing"

[Joseph Brennan <br...@columbia.edu>]

--On Friday, February 1, 2008 3:10 -0800 giga328 <gi...@hotmail.com> 
wrote:

> I have question about one list from MailScanner. It is list at
> http://www.mailscanner.info/phishing.safe.sites.conf.master and here is
> part of text from it:
> This file contains the list of all the sites which can be safely ignored
> in the "phishing fraud" checks.
>
> My question can it be used by SpamAssassin and is there a point of using
> it by some rule which can produce negative score?


And there's ad.doubleclick.net right near the top!  So it certainly
includes web sites attempting to collect information about you
without asking, which one might call lower-grade phishing.  The
purpose is probably just to avoid repeatedly running an expensive
routine on some common hostnames that are already judged to be not
outright identity-theft frauds.

I don't see any reason at all to score lower for seeing these.

Joseph Brennan
Columbia University Information Technology

Re: Safe "Phishing"

[Anthony Peacock <a....@chime.ucl.ac.uk>]

Hi Giga,

giga328 wrote:
> Thank you Jeff and Anthony.
> If I'm right, there is big possibility for SpamAssassin to mark as spam some
> email from for example doubleclick or other companies if there is
> personalized URL in it because it can look like spam or even like phishing.
> If I'm protecting only my mailbox it will be ok to block such emils, but if
> I'm making ISP email system for hosting email for several companies, there
> are chances that one of these companies will be customer of doubleclick so
> emails from doubleclick for them are ham.
> I know that doubleclick is involved in online WEB advertising (cookie
> tracking, pop-ups, maybe even some executable malware) but I never heard
> that they are involved in email spam. So it is not ok to block email by
> default if they are sending it to their customers.
> So maybe is more reasonable to talk about next questions:
> What is your opinion about possibilities for SpamAssassin to block email
> from doubleclick (and other companies) which are regular email sent to their
> customers?
> Is it possible to use safe list from MailScanner with SpamAssassin to make
> some rules which will score for example -2?
> I still do not have information about how and why there is safe list in
> MailScanner, but there is something telling me it is there because some
> software will judge wrong :) We have live users on this list who judged
> wrong!

I don't really follow your logic, but I think it is faulty.

I don't think you should pursue this train of thought any further.  I 
don't think you understand what those MailScanner lists are for, why 
certain sites are listed in them, and how they are used.  You seem to be 
basing all of your assumptions purely on the names of the files.

The lists in MailScanner that you are referring to have absolutely 
nothing to do with SPAM detection.  They are used in MailScanner's 
Phishing detection feature.  I really do not think they can be used 
without modification in SA as SPAM signs.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"A CAT scan should take less time than a PET scan.  For a CAT scan,
  they're only looking for one thing, whereas a PET scan could result in
  a lot of things."    - Carl Princi, 2002/07/19

Re: Safe "Phishing"

[Jeff Chan <je...@surbl.org>]

Quoting giga328 <gi...@hotmail.com>:

>
> Thank you Jeff and Anthony.
> If I'm right, there is big possibility for SpamAssassin to mark as spam some
> email from for example doubleclick or other companies if there is
> personalized URL in it because it can look like spam or even like phishing.
> If I'm protecting only my mailbox it will be ok to block such emils, but if
> I'm making ISP email system for hosting email for several companies, there
> are chances that one of these companies will be customer of doubleclick so
> emails from doubleclick for them are ham.
> I know that doubleclick is involved in online WEB advertising (cookie
> tracking, pop-ups, maybe even some executable malware) but I never heard
> that they are involved in email spam. So it is not ok to block email by
> default if they are sending it to their customers.
> So maybe is more reasonable to talk about next questions:
> What is your opinion about possibilities for SpamAssassin to block email
> from doubleclick (and other companies) which are regular email sent to their
> customers?
> Is it possible to use safe list from MailScanner with SpamAssassin to make
> some rules which will score for example -2?
> I still do not have information about how and why there is safe list in
> MailScanner, but there is something telling me it is there because some
> software will judge wrong :) We have live users on this list who judged
> wrong!
>
> Regards,
> Giga

Your assumptions and conclusions are incorrect.  I recommend using the  
files as MailScanner recommends.

Jeff C.

Re: Safe "Phishing"

[giga328 <gi...@hotmail.com>]

Thank you Jeff and Anthony.
If I'm right, there is big possibility for SpamAssassin to mark as spam some
email from for example doubleclick or other companies if there is
personalized URL in it because it can look like spam or even like phishing.
If I'm protecting only my mailbox it will be ok to block such emils, but if
I'm making ISP email system for hosting email for several companies, there
are chances that one of these companies will be customer of doubleclick so
emails from doubleclick for them are ham.
I know that doubleclick is involved in online WEB advertising (cookie
tracking, pop-ups, maybe even some executable malware) but I never heard
that they are involved in email spam. So it is not ok to block email by
default if they are sending it to their customers.
So maybe is more reasonable to talk about next questions:
What is your opinion about possibilities for SpamAssassin to block email
from doubleclick (and other companies) which are regular email sent to their
customers?
Is it possible to use safe list from MailScanner with SpamAssassin to make
some rules which will score for example -2?
I still do not have information about how and why there is safe list in
MailScanner, but there is something telling me it is there because some
software will judge wrong :) We have live users on this list who judged
wrong!

Regards,
Giga

-- 
View this message in context: http://www.nabble.com/Safe-%22Phishing%22-tp15224704p15241737.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Safe "Phishing"

[Anthony Peacock <a....@chime.ucl.ac.uk>]

Hi Mous,

mouss wrote:
> giga328 wrote:
>> Hi Anthony,
>>
>> I will ask people from MailScanner also but for my email system is not
>> possible to use MailScanner directly so I'm using spamd. My question is
>> about lowering chances for false positives by having safe list from
>> MailScanner. But since I just started to use SpamAssassing I'm asking 
>> is it
>> wise and needed.
>>   
> 
> ems, doubclick, salesforce, affistats, ... in a whitelist? looks like 
> 1st April came sooner this year.

But it is _NOT_ a spam whitelist.  This has been my point all along, you 
can't take a list intended for one purpose and use it in a another 
situation without understanding what it is there for.

These are white and blacklists for the Phising detection feature, they 
have nothing to do with spam detection.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"I'm in shape. - ROUND is a shape"

Re: Safe "Phishing"

[Jeff Chan <je...@surbl.org>]

Quoting mouss <mo...@netoyen.net>:

> giga328 wrote:
>> Hi Anthony,
>>
>> I will ask people from MailScanner also but for my email system is not
>> possible to use MailScanner directly so I'm using spamd. My question is
>> about lowering chances for false positives by having safe list from
>> MailScanner. But since I just started to use SpamAssassing I'm asking is it
>> wise and needed.
>>
>
> ems, doubclick, salesforce, affistats, ... in a whitelist? looks like
> 1st April came sooner this year.

All it means is that they're probably not phishers.  Given that  
they're nominally real companies not in Russia, Ukraine or Romania, if  
they were phishing they'd probably be sent to prison pretty quickly.

Jeff C.

Re: Safe "Phishing"

[mouss <mo...@netoyen.net>]

giga328 wrote:
> Hi Anthony,
>
> I will ask people from MailScanner also but for my email system is not
> possible to use MailScanner directly so I'm using spamd. My question is
> about lowering chances for false positives by having safe list from
> MailScanner. But since I just started to use SpamAssassing I'm asking is it
> wise and needed.
>   

ems, doubclick, salesforce, affistats, ... in a whitelist? looks like 
1st April came sooner this year.

Re: Safe "Phishing"

[Anthony Peacock <a....@chime.ucl.ac.uk>]

Hi,

I wasn't suggesting that you used MailScanner, I was merely pointing out 
that these lists are very specifically created and used for a feature of 
MailScanner that has nothing to do with SPAM detection, ie the Phising 
Detection feature.

Because of that you will need to know what the inclusion crieria for 
each list is, and what the siginificance of inclusion is.  In order to 
find that out you are best to ask the person who created them, ie the 
author of MailScanner.

giga328 wrote:
> Hi Anthony,
> 
> I will ask people from MailScanner also but for my email system is not
> possible to use MailScanner directly so I'm using spamd. My question is
> about lowering chances for false positives by having safe list from
> MailScanner. But since I just started to use SpamAssassing I'm asking is it
> wise and needed.
> 
> Regards,
> Giga
> 
> 
> Anthony Peacock wrote:
>> Hi,
>>
>> Those files are effectively, white and black lists for the Phising 
>> detection feature of MailScanner.  I have never heard of anyone using 
>> them to add scores to spam.
>>
>> Your best best, might be to ask on the MailScanner mailing list, where 
>> the author regularly contributes.  He would be able to give you a 
>> clearer idea about this.
>>
>> -- 
>> Anthony Peacock
>> CHIME, Royal Free & University College Medical School
>> WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
>> "A CAT scan should take less time than a PET scan.  For a CAT scan,
>>   they're only looking for one thing, whereas a PET scan could result in
>>   a lot of things."    - Carl Princi, 2002/07/19
>>
>>
> 


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"A CAT scan should take less time than a PET scan.  For a CAT scan,
  they're only looking for one thing, whereas a PET scan could result in
  a lot of things."    - Carl Princi, 2002/07/19

Re: Safe "Phishing"

[giga328 <gi...@hotmail.com>]

Hi Anthony,

I will ask people from MailScanner also but for my email system is not
possible to use MailScanner directly so I'm using spamd. My question is
about lowering chances for false positives by having safe list from
MailScanner. But since I just started to use SpamAssassing I'm asking is it
wise and needed.

Regards,
Giga


Anthony Peacock wrote:
> 
> Hi,
> 
> Those files are effectively, white and black lists for the Phising 
> detection feature of MailScanner.  I have never heard of anyone using 
> them to add scores to spam.
> 
> Your best best, might be to ask on the MailScanner mailing list, where 
> the author regularly contributes.  He would be able to give you a 
> clearer idea about this.
> 
> -- 
> Anthony Peacock
> CHIME, Royal Free & University College Medical School
> WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
> "A CAT scan should take less time than a PET scan.  For a CAT scan,
>   they're only looking for one thing, whereas a PET scan could result in
>   a lot of things."    - Carl Princi, 2002/07/19
> 
> 

-- 
View this message in context: http://www.nabble.com/Safe-%22Phishing%22-tp15224704p15225208.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Safe "Phishing"

[Anthony Peacock <a....@chime.ucl.ac.uk>]

Hi,

Those files are effectively, white and black lists for the Phising 
detection feature of MailScanner.  I have never heard of anyone using 
them to add scores to spam.

Your best best, might be to ask on the MailScanner mailing list, where 
the author regularly contributes.  He would be able to give you a 
clearer idea about this.

giga328 wrote:
> I have question about one list from MailScanner. It is list at
> http://www.mailscanner.info/phishing.safe.sites.conf.master and here is part
> of text from it:
> This file contains the list of all the sites which can be safely ignored in
> the "phishing fraud" checks.
> 
> My question can it be used by SpamAssassin and is there a point of using it
> by some rule which can produce negative score?
> 
> I can presume that other list from MailScanner at
> http://www.mailscanner.eu/phishing.bad.sites.conf.master is not suggested to
> be used because URI RBLs are better.
> 
> I just started using SpamAssassin and I would like to see some opinion from
> more expirienced users.
> 
> Regards,
> Giga
> 


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"A CAT scan should take less time than a PET scan.  For a CAT scan,
  they're only looking for one thing, whereas a PET scan could result in
  a lot of things."    - Carl Princi, 2002/07/19