Another phishing improvement patch

Julian Field mailscanner at ecs.soton.ac.uk
Sat Nov 13 16:56:33 GMT 2004


Another addition to the phishing net. This patch is designed to be
applied to the Message.pm file as distributed with 4.35.11.

This should help improve the detection rate.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2: "Attached Text" ]

--- Message.pm.old      Wed Nov  3 16:45:37 2004
+++ Message.pm  Sat Nov 13 16:00:35 2004
@@ -4043,21 +4043,27 @@
     $squashedtext =~ s#%([0-9a-f][0-9a-f])#chr(hex('0x' . $1))#gei; # Unescape
     $squashedtext =~ s/\s+//g; # Remove any whitespace
     $squashedtext =~ s/\\/\//g;
+    $squashedtext =~ s/(\<\/?[^>]*\>)*//ig; # Remove tags
+    #$squashedtext =~ s/^(\<\/?(br|p|ul)\>)*//ig; # Remove leading br, p, ul tags
     #print STDERR "Text = \"$text\"\n";
     #print STDERR "1SquashedText = \"$squashedtext\"\n";
     #print STDERR "1LinkURL      = \"$DisarmLinkURL\"\n";
     # If it looks like a link, remove any leading https:// or ftp://
-    if ($squashedtext =~ /^(w+|ftp)(\.|\%2e)/ ||
-        $squashedtext =~ s/^(ht+ps?|ft+p):\/\/(.*(\.|\%2e))/$2/) {
+    if ($squashedtext =~ /^(w+|ft+p|fpt+)([.,]|\%2e)/i ||
+        $squashedtext =~ /[.,](com|org|net|info|biz|ws)/i ||
+        $squashedtext =~ /^(ht+ps?|ft+p|fpt+)[:;]\/\/(.*(\.|\%2e))/i) {
+      $squashedtext =~  s/^(ht+ps?|ft+p|fpt+)[:;]\/\/(.*(\.|\%2e))/$2/i;
       $squashedtext =~ s/\/.*$//; # Only compare the hostnames
       $squashedtext =~ s/[,.]+$//; # Allow trailing dots and commas
       $linkurl = lc($DisarmLinkURL);
-      $linkurl =~ s/\%a0//g;
+      $linkurl =~ s/\%a0//ig;
       $linkurl =~ s#%([0-9a-f][0-9a-f])#chr(hex('0x' . $1))#gei; # Unescape
       $linkurl =~ s/\s+//; # Remove any whitespace
-      $linkurl =~ s/^(https?|ftp):\/\///;
+      #$linkurl =~ s/(\<\/?[^>]*\>)*//ig; # Remove tags
+      #$linkurl =~ s/^(\<\/?(br|p|ul)\>)*//ig; # Remove leading br, p, ul tags
+      $linkurl =~ s/^(https?|ftp):\/\///i;
       $linkurl =~ s/\/.*$//; # Only compare up to the first '/' (hostname only)
-      $linkurl =~ s/\<\/?(br|p)\>$//i; # Remove trailing <br> and <p> tags
+      $linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags
       $linkurl =~ s/\/$//; # LinkURL is trimmed -- note
       #print STDERR "2SquashedText = \"$squashedtext\"\n";
       #print STDERR "2LinkURL      = \"$linkurl\"\n";
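
Review bot: the new second alternative in the `if`, `$squashedtext =~ /[.,](com|org|net|info|biz|ws)/i`, is unanchored on both sides and runs after all whitespace has been squeezed out of the link text, so ordinary prose such as "more info.Comments welcome" becomes a string containing `.Com` and enters the hostname-comparison branch. Consider requiring the suffix to end a label, for example by appending `(?![a-z0-9-])` to that pattern, so that only text that really looks like a host name triggers the comparison. In the added tag-stripping line, wrapping the tag pattern in `(...)*` lets it match the empty string at every position; `s/<[^>]*>//g` removes the same tags without the empty matches, and the `/i` flag has no effect there because the pattern contains no letters. The `/i` added to `s/\%a0//` is also redundant, since `$linkurl` has just been assigned from `lc($DisarmLinkURL)`. Finally, the context line `$linkurl =~ s/\s+//;` has no `/g`, so it removes only the first run of whitespace although its comment says "any"; that is worth fixing in the same patch.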
