Suggested phishing net tuning
Julian Field
mailscanner at ecs.soton.ac.uk
Sat Nov 20 12:23:39 GMT 2004
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
Quentin Campbell wrote:
>Julian
>
>I have seen repeated examples of log entries similar to:
>
>Nov 19 05:21:10 cheviot5 MailScanner[14191]: Found phishing fraud from
>orders at ebnerandsons.com claiming to be mailto:orders at ebnerandsons.com
>
>and
>
>Nov 19 05:30:34 cheviot5 MailScanner[14082]: Found phishing fraud from
>www.airmileswineclub.co.uk?wine_11-04=true claiming to be
>www.airmileswineclub.co.uk
>
>Why might it be dangerous to strip the prefixing "mailto:" in the first
>example
>
Sounds fair enough.
> and the appended script & arguments in the second before doing the
>comparison?
>
>
I am wary of doing that as (a) there should be a / before the ? and (b)
could the ? be part of a username or password passed to the http server
which could therefore be used to evade the phishing net?
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list