Internet Explorer URL Display problem
David Lee
t.d.lee at DURHAM.AC.UK
Tue Dec 16 16:07:19 GMT 2003
On Tue, 16 Dec 2003, Ken Anderson wrote:
> Sure enough, these messages are triggering HTTP_ESCAPED_HOST too.
>
> Dec 16 07:19:01 63.162.241.10 MailScanner[1740]: Message hBGFJ4OG011177
> from 218.188.47.114 (verification at paypal.com) to something.com is spam,
> SpamAssassin (score=56.47, required 4, BAYES_30 -0.90, CLICK_BELOW 0.10,
> HTML_IMAGE_ONLY_06 1.44, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10,
> HTTP_ESCAPED_HOST 1.51, IE6_URL_VULN 50.00, MIME_HTML_ONLY 0.32,
> USERPASS 3.81)
I see that, too. Our two main inbound campus mailrelays each handle about
50,000 messages per day. We use SA 2.61 as close as possible to "as
delivered".
A "grep" on the log files for the last week shows 15 occurrences of a local
"IE_VULN" (our pattern, following Julian's suggestion a few days ago, is
"/%01.*@/") and each instance also shows SA's own "HTTP_ESCAPED_HOST".
Whilst the sample size (15) is small, it suggests that SA2.61's own
configuration is along the right lines for catching this, although their
score (1.51) might want to be higher.
--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 334 2752 U.K. :
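
Added example (not part of the original post or of MailScanner/SpamAssassin): a Python version of the log check described above, counting how often a local rule and the stock HTTP_ESCAPED_HOST rule fire on the same message. It assumes the one-line log format quoted in the message and uses the rule name IE6_URL_VULN from that quote; only the first sample line comes from the post, the other three are constructed.

```python
import re
from collections import Counter

# One "RULE_NAME score" pair inside the SpamAssassin report of a log line.
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)")
# Local pattern quoted in the post: "%01" followed later by "@".
LOCAL_PATTERN = re.compile(r"%01.*@")

# First entry is the log line quoted in the post, rejoined onto one line;
# the other three entries are constructed for this example.
SAMPLE_LOG = [
    "Dec 16 07:19:01 63.162.241.10 MailScanner[1740]: Message hBGFJ4OG011177 "
    "from 218.188.47.114 (verification at paypal.com) to something.com is "
    "spam, SpamAssassin (score=56.47, required 4, BAYES_30 -0.90, "
    "CLICK_BELOW 0.10, HTML_IMAGE_ONLY_06 1.44, HTML_LINK_CLICK_HERE 0.10, "
    "HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51, IE6_URL_VULN 50.00, "
    "MIME_HTML_ONLY 0.32, USERPASS 3.81)",
    "Dec 16 08:02:11 192.0.2.25 MailScanner[1802]: Message EXAMPLE0000002 "
    "from 198.51.100.7 (a@example.net) to example.org is spam, SpamAssassin "
    "(score=51.93, required 4, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51, "
    "IE6_URL_VULN 50.00, MIME_HTML_ONLY 0.32)",
    "Dec 16 08:40:57 192.0.2.25 MailScanner[1802]: Message EXAMPLE0000003 "
    "from 198.51.100.9 (b@example.net) to example.org is spam, SpamAssassin "
    "(score=5.42, required 4, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51, "
    "USERPASS 3.81)",
    "Dec 16 09:15:30 192.0.2.25 MailScanner[1802]: Message EXAMPLE0000004 "
    "from 198.51.100.9 (c@example.net) to example.org is spam, SpamAssassin "
    "(score=4.23, required 4, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, "
    "USERPASS 3.81)",
]

def url_matches(text):
    """True if the text matches the local %01...@ pattern from the post."""
    return bool(LOCAL_PATTERN.search(text))

def rules_hit(log_line):
    """Return {rule: score} from the SpamAssassin report of one log line."""
    _, found, report = log_line.partition("SpamAssassin (")
    return {n: float(s) for n, s in RULE_RE.findall(report)} if found else {}

def co_occurrence(lines, local_rule, stock_rule="HTTP_ESCAPED_HOST"):
    """Count lines hitting the local rule, the stock rule, and both."""
    counts = Counter(local=0, stock=0, both=0)
    for hits in map(rules_hit, lines):
        counts["local"] += local_rule in hits
        counts["stock"] += stock_rule in hits
        counts["both"] += local_rule in hits and stock_rule in hits
    return counts
```

A "both" count equal to the "local" count reproduces the overlap reported in the post; a "stock" count above "both" shows HTTP_ESCAPED_HOST also firing on messages the local pattern does not match.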