Mailto's being marked as detected fraud attempt.

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Wed Nov 17 12:01:31 GMT 2004


Quentin

I'm getting a lot of reports about 'broken links' reported by MS in emails.

A quick view of the original message does indeed show the link is broken
in some way, mainly people sending out HTML email as marketing brochures
- legitimate companies we deal with not 'spam' - where they send out a
broken link accidentally in footers or do a phishing style redirect to a
link the text claims not to point to.

However it is providing many false positives, and although I'm disabling
the anti-phishing feature for those domains with a ruleset, it is making
me contemplate turning off the feature altogether. Otherwise it merely
suffers from the cry wolf problem.


--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

Julian Field wrote:
> It's not clobbering email addresses, which I thought was your original
> problem.
> It's getting upset by URLs that have already been disabled by something
> else, or were broken to start with.
>
> Your first example is a link to
> file::www.ncl.ac.uk/research/institutes/ionslides which is clearly never
> going to work.
> Your second example is a link to mailto:kxxx at domain.com
> <mailto:kxxx at domain.com> which is also not going to work as the text
> shouldn't be part of the link.
> And there is also a "blocked::http://xxxx.yyyy.zzzz" link in there, which
> has been broken by something else before it got to MailScanner (hence the
> "blocked::" on the front).
>
> In all cases, what would you like MailScanner to have done? It's complaining
> about broken links :-(
>
> On 17/11/04 11:39 am, "Quentin Campbell" <Q.G.Campbell at NEWCASTLE.AC.UK>
> wrote:
>
>
>>Julian
>>
>>Then I am perplexed by what is going on. The Message.pm file I am using
>>is 166111 bytes and is time stamped "Nov 15 14:18" (not 14:16 as in
>>Martin's case).
>>
>>It is clobbering signature lines still. I provide two examples:
>>
>>----- Example #1
>>[This user usually sends mail in RTF format. He of course does not have
>>the problem below when he sends mail in text format.]
>>
>>Here are copies of my signature with and without the http bit added.
>>
>>__________________________________________________________
>>Professor Colin Ingram
>>Director, Institute of Neuroscience
>>(http://www.ncl.ac.uk/research/institutes/ionslides)
>>Director of Research, School of Neurology, Neurobiology & Psychiatry
>>
>>University of Newcastle
>>Leazes Wing, Royal Victoria Infirmary
>>Newcastle-upon-Tyne NE1 4LP, U.K.
>>Tel (Office): (+44) 191 282 5678
>>Tel (Secretary): (+44) 191 282 4336.
>>Tel (Laboratory): (+44) 191 222 5528
>>Fax: (+44) 191 222 6162
>>E-mail: c.d.ingram at ncl.ac.uk
>>
>>__________________________________________________________
>>Professor Colin Ingram
>>Director, Institute of Neuroscience (
>>
>>WARNING FROM ISS: The Newcastle MailScanner has detected a possible
>>fraud attempt from "file:" claiming to be
>>www.ncl.ac.uk/research/institutes/ionslides)
>>Director of Research, School of Neurology, Neurobiology & Psychiatry
>>
>>University of Newcastle
>>Leazes Wing, Royal Victoria Infirmary
>>Newcastle-upon-Tyne NE1 4LP, U.K.
>>Tel (Office): (+44) 191 282 5678
>>Tel (Secretary): (+44) 191 282 4336.
>>Tel (Laboratory): (+44) 191 222 5528
>>Fax: (+44) 191 222 6162
>>E-mail: c.d.ingram at ncl.ac.uk
>>
>>----- Example #1 end
>>
>>----- Example #2
>>[this one has been edited in a consistent way to hide real domain and
>>other info.]
>>
>>From: Kevin XXX <kxxx at domain.com>
>>Date: Tue, 16 Nov 2004 09:49:04 -0000
>>To: <user at Newcastle>
>>Subject: Gladstone
>>
>>Hi there
>>Just tried your number but I'm guessing your busy. Give me a call when
>>you're free [deleted]
>>Speak to you soon
>>Kevin
>>
>>Kevin XXX
>>Project Manager
>>[deleted]
>>
>>T: +44 (0)[deleted] (DDI)
>>F: +44 (0)[deleted]
>>M: +44 (0)[deleted]
>>E:
>>
>>WARNING FROM ISS: The Newcastle MailScanner has detected a possible
>>fraud attempt from "blocked::
>>
>>WARNING FROM ISS: The Newcastle MailScanner has detected a possible
>>fraud attempt from "kxxx at domain.com" claiming to be
>>mailto:kxxx at domain.com <mailto:kxxx at domain.com>
>>" claiming to be kxxx at domain.com <blocked::
>>
>>WARNING FROM ISS: The Newcastle MailScanner has detected a possible
>>fraud attempt from "kxxx at domain.com>" claiming to be
>>mailto:kxxx at domain.com>
>><mailto:kxxx at domain.com>>
>>W:
>>
>>WARNING FROM ISS: The Newcastle MailScanner has detected a possible
>>fraud attempt from "blocked::http:" claiming to be www.domain.com
>><blocked::http://www.domain.com/>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they are
>>addressed. If you have received this email in error please notify the
>>system manager. Please note that any views or opinions presented in this
>>email are solely those of the author and do not necessarily represent
>>those of the company. Finally, the recipient should check this email and
>>any attachments for the presence of viruses. The company accepts no
>>liability for any damage caused by any virus transmitted by this email.
>>This email has been scanned with Trend AV.
>>
>>----- Example #2 end
>>
>>
>>Quentin
>>---
>>PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>>                           University of Newcastle,
>>                           Newcastle upon Tyne,
>>FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>>------------------------------------------------------------------------
>>"Any opinion expressed above is mine. The University can get its own."
>>
>>
>>>-----Original Message-----
>>>From: MailScanner mailing list
>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>>Sent: 17 November 2004 09:10
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: Re: Mailto's being marked as detected fraud attempt.
>>>
>>>I have just tested it with
>>>Contact <a href="mailto:steve.swaney at fsl.com">Steve.Swaney at fsl.com</a>
>>>and it allowed it through just fine.
>>>
>>>
>>>On 17/11/04 8:04 am, "Quentin Campbell" <Q.G.Campbell at NEWCASTLE.AC.UK>
>>>wrote:
>>>
>>>
>>>>Julian
>>>>
>>>>I installed your latest version of Message.pm (the 166111 byte version)
>>>>early on Tuesday.
>>>>
>>>>Prior to that the log entries read:
>>>>
>>>>  "Found phishing fraud from mailto:bloggs at domain.com claiming to be
>>>>bloggs at domain.com"
>>>>
>>>>After installing this fixed version (166111 bytes) the log entries now
>>>>read:
>>>>
>>>>  "Found phishing fraud from dave at somewhere.com claiming to be
>>>>mailto:dave at somewhere.com"
>>>>
>>>>The latter looks more believable but still not desirable in my view. Why
>>>>can't this special case be ignored?
>>>>
>>>>I made the change to the 166111 byte version at about 08:20 on Tuesday.
>>>
>>>>Later that day complaints started coming in about messages being
>>>>"mangled". The complainants usually did not include the affected
>>>>message. When they did it was clear the "mangled" messages had actually
>>>>been received on the Monday, _before_ I installed your latest
>>>>Message.pm.
>>>
>>>--
>>>Julian Field
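A small checker, added here and not MailScanner's own code, that applies the link-text versus link-target comparison Julian describes and gives a separate verdict to the three false-positive shapes in the thread: a mailto: target whose text repeats the address (with or without an Outlook-style trailing "<mailto:...>" copy), an href already neutralised with an upstream "blocked::" prefix, and an unusable "file::" target. The regexes, verdict names and the sample body with its addresses are constructed for this example.

```python
import re
from html import unescape
from urllib.parse import urlsplit

DISABLED_PREFIX = "blocked::"   # left by an upstream filter that already defused the link
BARE_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):(.*)$", re.S)
ADDRESS_RE = re.compile(r"^<?[^\s@<>]+@(?:[a-z0-9-]+\.)+[a-z]{2,}>?$")
DECORATION_RE = re.compile(r"\s*<[^<>]*>\s*$")  # trailing "<mailto:...>" copy of the target in the text
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)

def destination(target):
    """Reduce an href or link text to a comparable host or mail address; None if it names none."""
    t = target.strip().lower()
    if BARE_HOST_RE.match(t):                     # "www.example.com/path" in link text
        return urlsplit("http://" + t).hostname
    m = SCHEME_RE.match(t)
    if m:
        scheme, rest = m.groups()
        if scheme == "mailto":
            addr = rest.split("?", 1)[0].strip("<>")
            return addr if ADDRESS_RE.match(addr) else None
        return urlsplit(t).hostname if scheme in ("http", "https", "ftp") else None
    return t.strip("<>") if ADDRESS_RE.match(t) else None

def classify(href, text):
    """'mismatch' is the phishing signal; 'disabled' and 'broken' are the false-positive cases."""
    if href.strip().lower().startswith(DISABLED_PREFIX):
        return "disabled"               # already neutralised upstream; warning again is noise
    target = destination(href)
    if target is None:
        return "broken"                 # file::..., javascript: etc.: unusable, not a fraud attempt
    shown = destination(DECORATION_RE.sub("", text))
    if shown is None:
        return "ok"                     # text names no destination, so it contradicts nothing
    return "ok" if shown == target else "mismatch"

def check_html(body):
    """Return [(href, text, verdict)] for each anchor (regex extraction suits simple mail bodies)."""
    pairs = [(h, unescape(re.sub(r"<[^>]+>", "", i)).strip()) for h, i in ANCHOR_RE.findall(body)]
    return [(h, t, classify(h, t)) for h, t in pairs]

# Constructed sample body modelled on the thread's examples (addresses are placeholders).
SAMPLE = ('<a href="mailto:steve.swaney@fsl.com">Steve.Swaney@fsl.com</a> '
          '<a href="file::www.ncl.ac.uk/research/institutes/ionslides">www.ncl.ac.uk/research/institutes/ionslides</a> '
          '<a href="blocked::http://www.domain.com/">www.domain.com</a> '
          '<a href="http://www.example.net/login">www.example.com</a>')
```

Running check_html(SAMPLE) yields the verdicts ok, broken, disabled and mismatch in that order, so only the last anchor would warrant a fraud warning.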
