Suggested phishing net tuning

Julian Field mailscanner at
Sat Nov 20 12:23:39 GMT 2004

Quentin Campbell wrote:

>I have seen repeated examples of log entries similar to:
>Nov 19 05:21:10 cheviot5 MailScanner[14191]: Found phishing fraud from
>orders at claiming to be mailto:orders at
>Nov 19 05:30:34 cheviot5 MailScanner[14082]: Found phishing fraud from
> claiming to be
>Why might it be dangerous to strip the prefixing "mailto:" in the first

Sounds fair enough.

> and the appended script & arguments in the second before doing the

I am wary of doing that as (a) there should be a / before the ? and (b)
could the ? be part of a username or password passed to the http server
which could therefore be used to evade the phishing net?

Julian Field

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
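
The trade-off discussed in this message, as an added example that is not part of the original post and is not MailScanner's own code: the "mailto:" prefix is stripped before comparing, while a link whose "?" arrives with no "/" before it and an "@" behind it, or that carries userinfo, is reported rather than trimmed. The function names and all host names are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

def normalise(link):
    """Return (comparable_value, ambiguous) for link text or an href."""
    s = link.strip()
    if s.lower().startswith("mailto:"):
        s = s[len("mailto:"):]          # mailto: has no authority part to confuse
        return s.split("?", 1)[0].lower(), False
    if "@" in s and "/" not in s and "?" not in s:
        return s.lower(), False         # bare e-mail address
    if "://" not in s:
        s = "http://" + s               # link text often omits the scheme
    parts = urlsplit(s)
    # urlsplit ends the authority at the first "?". A client that read the
    # same string differently would connect elsewhere, so do not trust the
    # trimmed form when:
    #   (b) userinfo is present, or
    #   (a) "?" follows the host with no "/" and an "@" appears after it.
    ambiguous = "@" in parts.netloc or (parts.path == "" and "@" in parts.query)
    return (parts.hostname or "").lower(), ambiguous

def is_suspicious(claimed, actual):
    """True when the link should still be reported by the phishing check."""
    c, c_ambiguous = normalise(claimed)
    a, a_ambiguous = normalise(actual)
    if c_ambiguous or a_ambiguous:
        return True                     # never clear a link we cannot parse safely
    return c != a

if __name__ == "__main__":
    samples = [                         # constructed (link text, href) pairs
        ("mailto:orders@shop.example", "orders@shop.example"),
        ("www.shop.example", "http://www.shop.example/cart.php?id=42"),
        ("www.bank.example", "http://www.bank.example?x@evil.example/"),
        ("www.bank.example", "http://www.bank.example@evil.example/login"),
    ]
    for claimed, actual in samples:
        print(is_suspicious(claimed, actual), claimed, actual)
```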
