Mailto's being marked as detected fraud attempt.

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Nov 17 11:39:31 GMT 2004


Julian

Then I am perplexed by what is going on. The Message.pm file I am using
is 166111 bytes and is time stamped "Nov 15 14:18" (not 14:16 as in
Martin's case).

It is clobbering signature lines still. I provide two examples:

----- Example #1
[This user usually sends mail in RTF format. He of course does not have
the problem below when he sends mail in text format.]

Here are copies of my signature with and without the http bit added. 

__________________________________________________________ 
Professor Colin Ingram 
Director, Institute of Neuroscience
(http://www.ncl.ac.uk/research/institutes/ionslides) 
Director of Research, School of Neurology, Neurobiology & Psychiatry 

University of Newcastle 
Leazes Wing, Royal Victoria Infirmary 
Newcastle-upon-Tyne NE1 4LP, U.K. 
Tel (Office): (+44) 191 282 5678 
Tel (Secretary): (+44) 191 282 4336. 
Tel (Laboratory): (+44) 191 222 5528 
Fax: (+44) 191 222 6162 
E-mail: c.d.ingram at ncl.ac.uk 

__________________________________________________________ 
Professor Colin Ingram 
Director, Institute of Neuroscience (

WARNING FROM ISS: The Newcastle MailScanner has detected a possible
fraud attempt from "file:" claiming to be
www.ncl.ac.uk/research/institutes/ionslides) 
Director of Research, School of Neurology, Neurobiology & Psychiatry 

University of Newcastle 
Leazes Wing, Royal Victoria Infirmary 
Newcastle-upon-Tyne NE1 4LP, U.K. 
Tel (Office): (+44) 191 282 5678 
Tel (Secretary): (+44) 191 282 4336. 
Tel (Laboratory): (+44) 191 222 5528 
Fax: (+44) 191 222 6162 
E-mail: c.d.ingram at ncl.ac.uk 

----- Example #1 end

----- Example #2 
[this one has been edited in a consistent way to hide real domain and
other info.]

From: Kevin XXX <kxxx at domain.com>
Date: Tue, 16 Nov 2004 09:49:04 -0000
To: <user at Newcastle>
Subject: Gladstone

Hi there
Just tried your number but I'm guessing your busy. Give me a call when
you're free [deleted]
Speak to you soon
Kevin

Kevin XXX
Project Manager
[deleted]
 
T: +44 (0)[deleted] (DDI)
F: +44 (0)[deleted]
M: +44 (0)[deleted]
E: 

WARNING FROM ISS: The Newcastle MailScanner has detected a possible
fraud attempt from "blocked::

WARNING FROM ISS: The Newcastle MailScanner has detected a possible
fraud attempt from "kxxx at domain.com" claiming to be
mailto:kxxx at domain.com <mailto:kxxx at domain.com>
" claiming to be kxxx at domain.com <blocked::

WARNING FROM ISS: The Newcastle MailScanner has detected a possible
fraud attempt from "kxxx at domain.com>" claiming to be
mailto:kxxx at domain.com>
<mailto:kxxx at domain.com>>  
W: 

WARNING FROM ISS: The Newcastle MailScanner has detected a possible
fraud attempt from "blocked::http:" claiming to be www.domain.com
<blocked::http://www.domain.com/> 
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email and
any attachments for the presence of viruses. The company accepts no
liability for any damage caused by any virus transmitted by this email.
This email has been scanned with Trend AV.

----- Example #2 end


Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 17 November 2004 09:10
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Mailto's being marked as detected fraud attempt.
>
>I have just tested it with
>Contact <a href="mailto:steve.swaney at fsl.com">Steve.Swaney at fsl.com</a>
>and it allowed it through just fine.
>
>
>On 17/11/04 8:04 am, "Quentin Campbell" <Q.G.Campbell at NEWCASTLE.AC.UK>
>wrote:
>
>> Julian
>>
>> I installed your latest version of Message.pm (the 166111 byte version)
>> early on Tuesday.
>>
>> Prior to that the log entries read:
>>
>>   "Found phishing fraud from mailto:bloggs at domain.com claiming to be
>> bloggs at domain.com"
>>
>> After installing this fixed version (166111 bytes) the log entries now
>> read:
>>
>>   "Found phishing fraud from dave at somewhere.com claiming to be
>> mailto:dave at somewhere.com"
>>
>> The latter looks more believable but still not desirable in my view. Why
>> can't this special case be ignored?
>>
>> I made the change to the 166111 byte version at about 08:20 on Tuesday.
>> Later that day complaints started coming in about messages being
>> "mangled". The complainants usually did not include the affected
>> message. When they did it was clear the "mangled" messages had actually
>> been received on the Monday, _before_ I installed your latest
>> Message.pm.
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
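
Added example, not part of the original post and not MailScanner's Message.pm code: a link-text versus href comparison that reduces both sides to the same form (mail address or host) before comparing, so a mailto: link whose text is its own address is not reported while a real mismatch still is. All function names and the sample addresses are hypothetical; stripping the "blocked::" prefix is an assumption based on how it appears in Example #2.

```python
# Added example, not MailScanner's Message.pm; all names are hypothetical.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Only text that itself reads as a URL, host or mail address can "claim" a target.
ADDRESS_LIKE = re.compile(
    r"(?:[a-z]+:(?://)?)?[\w.+-]+(?:@[\w.-]+)?\.[a-z]{2,}(?:/\S*)?", re.I)

def target(value):
    """Reduce an href or link text to what a reader compares: a lower-cased
    mail address for mailto:/bare addresses, otherwise a lower-cased host."""
    v = re.sub(r"^blocked::", "", value.strip(), flags=re.I)  # prefix from Example #2
    if v.lower().startswith("mailto:"):
        return v[len("mailto:"):].split("?", 1)[0].lower()
    if "@" in v and "/" not in v:
        return v.lower()
    return (urlsplit(v if "://" in v else "//" + v).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text) pairs whose text names a different target than the href."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(h, t) for h, t in collector.links
            if ADDRESS_LIKE.fullmatch(t) and target(h) != target(t)]

# Constructed sample: only the last link shows one host and points at another.
SAMPLE = """
<a href="mailto:dave@somewhere.example">dave@somewhere.example</a>
<a href="mailto:Dave@Somewhere.example">mailto:dave@somewhere.example</a>
<a href="blocked::http://www.domain.example/">www.domain.example</a>
<a href="http://www.domain.example/">our web site</a>
<a href="http://203.0.113.9/login">www.bank.example</a>
"""
print(suspicious_links(SAMPLE))
```
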
