[sanesecurity] Re: FP: winnow.phish.pt.google.640144

  • From: TR Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Sat, 23 Apr 2011 09:35:02 -0400

On Apr 23, 2011, at 7:35 AM, Steve Basford wrote:

> 
> 
> Derek Chee wrote:
>> Hi,
>> 
>> Just a heads up to all... I've been getting reports that there is a false 
>> positive with winnow.phish.pt.google.640144.  According to the 
>> signature decoder, 
>> <http://sane.mxuptime.com/s.aspx?id=winnow.phish.pt.google.640144>, the URL 
>> will end up matching any Google Apps spreadsheet over SSL if I read the 
>> signature correctly.
>> 
>> I reported it to OITC for a re-check, but thought people might want to know.
>> 
>> 
>>  
> Hi Derek,
> 
> Thanks for the report.
> 
> I've whitelisted the signature on the mirrors with a .ign2 file... until Tom 
> can take a look.
> 
> Cheers,
> 
> Steve
> Sanesecurity
> 


Thanks Steve. Travelling for Easter and just got access to a computer.  
Signature removed.

There is a lot of Google abuse going on. I will try to fine tune my algos.

Tom
Happy Easter

