On Thu, 27 Jan 2005, Trog wrote:
On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote:
> We do a lot of on-line commerce. We cannot tolerate many false positives.
> Phishing exploits are something we deal with through education first, and
> filtering second. As phishers become more sophisticated and numerous, false
> positives will rise, leaving education as the final solution. I prefer
> using my filter processes for defending against them as I can fine tune
> them to our needs.
And how many Phishing false positives have you had exactly?
All of them. ;)
Seriously, that's an unfair question. When you're deleting people's email, how would they find out if there was a false positive? With spam, it's standard practice to review a junk-mail box for false positives regularly. Viruses are treated differently; nobody checks them for false positives. That's why this is such a concern for those of us who depend on email.
We quarantine viruses, not delete. Perhaps you should do the same. A false positive on a virus is also likely, but you don't seem to have any problems deleting those.
We run NAV corp on about 200 workstations. Just this morning I got a notification that 98 of them were infected with w32.randex.gen. Being that these machines don't have web access (only email) and this virus is not spread through email, I found this highly unlikely. Turns out Symantec's newly distributed virus database had a false positive in it. Long story short, false positives do happen and you probably shouldn't be deleting ANY mail without first looking over it. I realize that for large setups this is not likely possible due to lack of time and a large number of messages to review, but how can you honestly say you're worried about false positives in phishing attempts but delete virus-infected mail without even looking back?
-Jim
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users