Internet Explorer URL Display problem

Chris Yuzik chris at FRACTALWEB.COM
Wed Dec 10 19:35:55 GMT 2003

> Would I be right in thinking that the only way MailScanner could do
> anything about this type of thing in an e-mail would be to use MCP or
> would a simple addition to the SpamAssassin rules do the trick? I guess
> though if you modify the normal SA rules you might end up marking it as
> Spam whereas actually, you want to identify it as malicious.

I agree that this is a serious exploit indeed. It certainly wouldn't take
a genius to build a site the looks "just like a specific bank" or "exactly
like eBay" or "exactly like Visa" etc. I've known about the exploit for a
while, but wasn't aware of the "%01" variation.

Perhaps someone (Julian?) can create a patch that will restrict this
exploit much the same way as MailScanner currently finds malicious I-Frame
tags and such. I'm not certain if the regex would be as simple as
searching for "\.[a-zA-Z]{2,3,4}%01@" within the body of a message, or if
that would catch too much.

It's frustrating that Microsoft, who has more cash than most countries,
leaves its users open to things like this. It's interesting to note that
Mozilla (1.5) doesn't display this vulnerability.

Chris Yuzik

More information about the MailScanner mailing list