Mailto's being marked as detected fraud attempt.

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 17 11:48:48 GMT 2004


It's not clobbering email addresses, which I thought was your original
problem.
It's getting upset by URLs that have already been disabled by something
else, or were broken to start with.

Your first example is a link to
file::www.ncl.ac.uk/research/institutes/ionslides which is clearly never
going to work.
Your second example is a link to mailto:kxxx at domain.com
<mailto:kxxx at domain.com> which is also not going to work as the text
shouldn't be part of the link.
And there is also a "blocked::http://xxxx.yyyy.zzzz" link in there, which
has been broken by something else before it got to MailScanner (hence the
"blocked::" on the front).

In all cases, what would you like MailScanner to have done? It's complaining
about broken links :-(

On 17/11/04 11:39 am, "Quentin Campbell" <Q.G.Campbell at NEWCASTLE.AC.UK>
wrote:

> Julian
>
> Then I am perplexed by what is going on. The Message.pm file I am using
> is 166111 bytes and is time stamped "Nov 15 14:18" (not 14:16 as in
> Martin's case).
>
> It is clobbering signature lines still. I provide two examples:
>
> ----- Example #1
> [This user usually sends mail in RTF format. He of course does not have
> the problem below when he sends mail in text format.]
>
> Here are copies of my signature with and without the http bit added.
>
> __________________________________________________________
> Professor Colin Ingram
> Director, Institute of Neuroscience
> (http://www.ncl.ac.uk/research/institutes/ionslides)
> Director of Research, School of Neurology, Neurobiology & Psychiatry
>
> University of Newcastle
> Leazes Wing, Royal Victoria Infirmary
> Newcastle-upon-Tyne NE1 4LP, U.K.
> Tel (Office): (+44) 191 282 5678
> Tel (Secretary): (+44) 191 282 4336.
> Tel (Laboratory): (+44) 191 222 5528
> Fax: (+44) 191 222 6162
> E-mail: c.d.ingram at ncl.ac.uk
>
> __________________________________________________________
> Professor Colin Ingram
> Director, Institute of Neuroscience (
>
> WARNING FROM ISS: The Newcastle MailScanner has detected a possible
> fraud attempt from "file:" claiming to be
> www.ncl.ac.uk/research/institutes/ionslides)
> Director of Research, School of Neurology, Neurobiology & Psychiatry
>
> University of Newcastle
> Leazes Wing, Royal Victoria Infirmary
> Newcastle-upon-Tyne NE1 4LP, U.K.
> Tel (Office): (+44) 191 282 5678
> Tel (Secretary): (+44) 191 282 4336.
> Tel (Laboratory): (+44) 191 222 5528
> Fax: (+44) 191 222 6162
> E-mail: c.d.ingram at ncl.ac.uk
>
> ----- Example #1 end
>
> ----- Example #2
> [this one has been edited in a consistent way to hide real domain and
> other info.]
>
> From: Kevin XXX <kxxx at domain.com>
> Date: Tue, 16 Nov 2004 09:49:04 -0000
> To: <user at Newcastle>
> Subject: Gladstone
>
> Hi there
> Just tried your number but I'm guessing you're busy. Give me a call when
> you're free [deleted]
> Speak to you soon
> Kevin
>
> Kevin XXX
> Project Manager
> [deleted]
>
> T: +44 (0)[deleted] (DDI)
> F: +44 (0)[deleted]
> M: +44 (0)[deleted]
> E:
>
> WARNING FROM ISS: The Newcastle MailScanner has detected a possible
> fraud attempt from "blocked::
>
> WARNING FROM ISS: The Newcastle MailScanner has detected a possible
> fraud attempt from "kxxx at domain.com" claiming to be
> mailto:kxxx at domain.com <mailto:kxxx at domain.com>
> " claiming to be kxxx at domain.com <blocked::
>
> WARNING FROM ISS: The Newcastle MailScanner has detected a possible
> fraud attempt from "kxxx at domain.com>" claiming to be
> mailto:kxxx at domain.com>
> <mailto:kxxx at domain.com>>
> W:
>
> WARNING FROM ISS: The Newcastle MailScanner has detected a possible
> fraud attempt from "blocked::http:" claiming to be www.domain.com
> <blocked::http://www.domain.com/>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error please notify the
> system manager. Please note that any views or opinions presented in this
> email are solely those of the author and do not necessarily represent
> those of the company. Finally, the recipient should check this email and
> any attachments for the presence of viruses. The company accepts no
> liability for any damage caused by any virus transmitted by this email.
> This email has been scanned with Trend AV.
>
> ----- Example #2 end
>
>
> Quentin
> ---
> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                            University of Newcastle,
>                            Newcastle upon Tyne,
> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
> ------------------------------------------------------------------------
> "Any opinion expressed above is mine. The University can get its own."
>
>> -----Original Message-----
>> From: MailScanner mailing list
>> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>> Sent: 17 November 2004 09:10
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: Mailto's being marked as detected fraud attempt.
>>
>> I have just tested it with
>> Contact <a href="mailto:steve.swaney at fsl.com">Steve.Swaney at fsl.com</a>
>> and it allowed it through just fine.
>>
>>
>> On 17/11/04 8:04 am, "Quentin Campbell" <Q.G.Campbell at NEWCASTLE.AC.UK>
>> wrote:
>>
>>> Julian
>>>
>>> I installed your latest version of Message.pm (the 166111 byte version)
>>> early on Tuesday.
>>>
>>> Prior to that the log entries read:
>>>
>>>   "Found phishing fraud from mailto:bloggs at domain.com claiming to be
>>> bloggs at domain.com"
>>>
>>> After installing this fixed version (166111 bytes) the log entries now
>>> read:
>>>
>>>   "Found phishing fraud from dave at somewhere.com claiming to be
>>> mailto:dave at somewhere.com"
>>>
>>> The latter looks more believable but still not desirable in my view. Why
>>> can't this special case be ignored?
>>>
>>> I made the change to the 166111 byte version at about 08:20 on Tuesday.
>>> Later that day complaints started coming in about messages being
>>> "mangled". The complainants usually did not include the affected
>>> message. When they did it was clear the "mangled" messages had actually
>>> been received on the Monday, _before_ I installed your latest
>>> Message.pm.
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
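
The distinction discussed in this message, between a link whose visible text claims a different target and a link that is simply broken or was already disabled upstream, shown as an added Python sketch. It is not part of the original post and not MailScanner's own Message.pm logic; `LinkCollector`, `classify`, `scan` and the sample addresses are hypothetical and constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOSTISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a href>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)      # reset at each <a>, so stray text is dropped
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, text):
    """Return 'ok', 'mismatch' (text claims another target) or 'broken'."""
    scheme, _, rest = href.partition(":")
    if scheme.lower() == "mailto":
        addr = rest.split("?", 1)[0]
        if not re.fullmatch(r"[^\s@<>]+@[^\s@<>]+", addr):
            return "broken"          # e.g. display text pasted into the href
        shown = re.sub(r"^mailto:", "", text, flags=re.I)
        return "mismatch" if "@" in shown and shown.lower() != addr.lower() else "ok"
    if scheme.lower() in ("http", "https"):
        try:
            host = urlsplit(href).hostname   # lower-cased by urlsplit
        except ValueError:
            host = None                      # malformed authority
        if not host:
            return "broken"
        claimed = HOSTISH.match(text)
        return "mismatch" if claimed and claimed.group(1).lower() != host else "ok"
    return "broken"                  # file::..., blocked::http://..., no scheme

SAMPLE = ('<a href="mailto:pat.lee@example.com">Pat.Lee@example.com</a>'
          '<a href="file::www.example.org/slides">www.example.org/slides</a>'
          '<a href="blocked::http://www.example.org/">www.example.org</a>'
          '<a href="http://192.0.2.7/login">www.example.org</a>')  # constructed

def scan(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(h, t, classify(h, t)) for h, t in collector.links]
```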
