4.35.11: more phony phishing phailures

Julian Field mailscanner at ecs.soton.ac.uk
Sat Nov 6 16:08:29 GMT 2004 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Try the attached patch. It improves the URL chopping quite a bit. It's
only a 1-line change.

Jeff A. Earickson wrote:

> Julian,
>
> I just got a complaint about this from in-house, where the guy
> has our URL in his signature, and he uses HTML email.  The snippet
> from his HTML email is:
>
> </font><font size=3><a href="http://www.colby.edu/"
> eudora="autourl"><font color="red"><b>MailScanner has detected a
> possible fraud attempt from "www.colby.edu" claiming to be</b></font>
> www.colby.edu<br><br>
>
> The syslog from MailScanner said:
>
> MailScanner[7142]: Found phishing fraud from www.colby.edu claiming to
> be www.colby.edu<br><br>
>
> I suppose the extra br's at the end fouled things up.  Or maybe the
> trailing slash at the end of the URL?  Something to contemplate.
> Boy, I sure wish the msg id could appear in syslog output...
>
> BTW, I just discovered that the default for Eudora 6.1 is both plain and
> html text (they call it "styled text").  Yuck, I hate HTML email.
>
> Jeff Earickson
> Colby College
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

    [ Part 2: "Attached Text" ]

--- Message.pm.old      2004-11-03 17:37:11.000000000 +0000
+++ Message.pm  2004-11-06 16:05:53.000000000 +0000
@@ -4057,7 +4057,7 @@
       $linkurl =~ s/\s+//; # Remove any whitespace
       $linkurl =~ s/^(https?|ftp):\/\///;
       $linkurl =~ s/\/.*$//; # Only compare up to the first '/' (hostname only)
-      $linkurl =~ s/\<\/?(br|p)\>$//i; # Remove trailing <br> and <p> tags
+      $linkurl =~ s/(\<\/?(br|p)\>)*$//ig; # Remove trailing <br> and <p> tags
       $linkurl =~ s/\/$//; # LinkURL is trimmed -- note
       #print STDERR "2SquashedText = \"$squashedtext\"\n";
       #print STDERR "2LinkURL      = \"$linkurl\"\n";

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

More information about the MailScanner mailing list