Information Technology Systems and Services.
ITSS home

Phish Tag Exceptions

infotech.NEWS: September 2015

The tag [phish?] on an email subject line helps alert you of a possible scam. It is possible though tricky to preventing tagging.

Illustration: Fishing hooks: 1 with credit card; 1 with @ sign, and 1 with laptop attatched.

First, an update: The subject line phish tag was changed in late August from "[Warning: Phish?]" to "[phish?]", similar to the 2010 tag but retaining the question mark implemented several years ago.

A Tagged Message May or May Not be Phish

One goal of the Simple Phish Assessment Mechanism is to identify messages having characteristics of known credentials-harvesting phish, make an assessment, then tag the message if certain criteria are satisfied. The tag is meant to be advisory and not a definitive classification; that is, a tagged message may be phish, not that it is phish.

Preventing Phish Tags

Important legitimate messages can be tagged if the message satisfies the phish characteristics constraints ("Pay no attention to that man behind the curtain..." from The Wizard of Oz somehow seems appropriate here). Fortunately, because of Phish physics, for every action there is an equal and opposite reaction, we can prevent tagging.

Tagging Exceptions

There are hundreds of exceptions currently active, mostly for bulk mailers. Messages that are tagged often enough and are from the same entity, e.g., system, organization, list, and affect a sufficiently large population are the best candidates for exception.

Creating a tag exception is tricky, though, as one must address the needs of the exception while anticipating possible misuse or exploitation. For example, we cannot simply skip tagging of all d.umn.edu mail because of the compromised accounts that use UMD Google to send bulk phish.

Anyone who will be using a bulk mailer to send to a large group should assess the likelihood of their messages becoming tagged. This can be done by sending a test message to someone (not yourself) and see what happens. If the message contains phish-like constructs such as those mentioning passwords or upgrades, then it may or may not be tagged based on other factors.

The occasional tagged message from friends, a work group, or a vendor may be a nuisance but business processes should seek exemption. ITSS periodically examines detection and tagging statistics to make obvious filter adjustments.

Contact phish@d.umn.edu to request tagging exceptions.

For more general information about Phishing, consult the Wikipedia Phishing Entry.

Related Info

View past infotech.NEWS issues

Subscribe