Mailto's being marked as detected fraud attempt.

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Nov 17 14:05:59 GMT 2004


Julian

One bit of help would be considering exempting 'href="file:www...."'
tags.

It appears that in some circumstances Outlook/Exchange converts the URL
www.ncl.ac.uk/research/institutes/ionslides into
'href="file:www.ncl.ac.uk/research/institutes/ionslides"' rather than
'href="http://www.ncl.ac.uk/research/institutes/ionslides"'.

I have only seen it happen in signature lines but have not been able to
reproduce the behaviour myself using Outlook/Exchange and sending
messages via the same mail gateways route as affected messages.  :-(

There is another curiosity. The Sendmail logs say that HTML in the
affected user's signature line is disarmed by MailScanner's "Content
Checks". The only content check that disarms HTML is the new "WebBugs"
one. All the other content checks strip the HTML.

A consequence of this disarming is that all the text following the
"href=" tag is underlined until the end of the message. Do you know why
that might be happening?  

Thanks

Quentin 
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 17 November 2004 12:17
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Mailto's being marked as detected fraud attempt.
>
>How could I improve it?
>
>
>On 17/11/04 12:01 pm, "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
>wrote:
>> Quentin
>>
>> I'm getting alot of reports about 'broken links' reported by 
>MS in emails.
>>
>> I quick view of the original message does indeed show the 
>link is broken
>> in some way, mainly people sending out HTML email as 
>marketing brochures
>> - ligitimate companies we deal with not 'spam' - where thet 
>send out a
>> brokeb link accidentally in footers or do a phishing style 
>redirect to a
>> link the text claims not to point to.
>>
>> However it is providing many false positives, and although 
>I'm disabling
>> the anti-phishing feature for those domains with a ruleset, 
>it is making
>> me contemplate turning off the feature altogether. Otherwise 
>it merely
>> suffers from the cry wolf problem.
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list