Phishing fraud question

Alex Neuman van der Hans alex at nkpanama.com
Thu Oct 14 18:58:28 IST 2004


Which can already be done using the "disarm" type rules, at least for HTML
forms. The "phishing detection" could/would apply the same principle to
probable phishing scams as well - and/or provide the option of redirecting
e-mails to a standard page, administered by the MailScanner administrator,
that explains what's happening.

Example:

somebloke at mycompany.com gets an e-mail saying "fill this form out and update
your bank info". Since it's a form, and MS is set to disarm web forms except
from known places (using rulesets to allow by IP, and not by spoofable
domains), the user can't use the form.

Later that day, samebloke at mycompany.com receives an HTML e-mail with a link,
purporting to be existingbank.com, but actually going to
http-colon-slash-slash-someother.ip.address.somewhere-else/phishingpagedothtml,
but MS catches it and disarms it, turning the link into
http://mycompany.com/redirectinfo?page=someother.ip.address.somewhere-else/phishingpage.html
and samebloke gets a page saying "Hey, someone tried to
redirect you to existingbank.com using a link that actually goes to
someother.ip.address, if you want to continue (at your own risk) click
<here> and face the consequences. If this is a FP then I apologize, call the
MS admin and tell him to put this domain/ip in a whitelist or ruleset or
something".

What do you think? At least the option to do this would be nice, since most
of my MS servers already have apache/mysql/php built in in order to use
things like webmail, mailscanner-mrtg, mailwatch, etc.


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Michael H. Martel
Sent: Thursday, October 14, 2004 10:29 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Phishing fraud question

--On Thursday, October 14, 2004 9:31 AM +0100 Julian Field
<mailscanner at ECS.SOTON.AC.UK> wrote:

> I have tagged the subject line so far, and I think it is already
> starting to cause problems. I am tending towards removing the subject tag.
>
> Any thoughts please?

Obviously I would want it configurable, but I would vote for no subject line
modifications, and no change to the body of the message except to remove the
link.




Michael

--

  --------------------------------o---------------------------------
   Michael H. Martel              | Systems Administrator
   martelm at quark.vsc.edu          | Vermont State Colleges
   http://probe.vsc.edu/~michael  | PH:802-241-2544 FX:802-241-3363

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

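The link check and rewrite proposed in the message above, sketched as an added example; it is not part of the original thread and is not MailScanner code. It flags an anchor whose visible text names one host while its href points at another, and rewrites that href to the redirect page. The redirect URL is the one from the message; the address 192.0.2.44, the sample HTML and all function names are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

REDIRECT = "http://mycompany.com/redirectinfo?page="  # assumed, from the message
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)  # host-like token
# Constructed sample: one deceptive link, one honest link.
SAMPLE = ('<p><a href="http://192.0.2.44/phishingpage.html">www.existingbank.com</a>'
          ' or <a href="https://www.existingbank.com/login">existingbank.com</a></p>')

class LinkDisarmer(HTMLParser):
    """Re-emit HTML, rewriting anchors whose text names a different host."""
    def __init__(self):
        super().__init__()
        self.out, self.flagged, self.a_href = [], [], None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href and self.a_href is None:  # remember where this anchor starts
            self.a_href, self.a_idx, self.a_text = href, len(self.out), []
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        if self.a_href is not None:
            self.a_text.append(data)
        self.out.append(html.escape(data, quote=False))

    def handle_endtag(self, tag):
        if tag == "a" and self.a_href is not None:
            target = urlsplit(self.a_href).hostname or ""
            names = HOST_RE.findall("".join(self.a_text).lower())
            claimed = {re.sub(r"^www\.", "", n) for n in names}
            ok = any(target == c or target.endswith("." + c) for c in claimed)
            if target and claimed and not ok:
                self.flagged.append((sorted(claimed), target))
                dest = quote(self.a_href.split("://", 1)[-1], safe="/")
                self.out[self.a_idx] = f'<a href="{REDIRECT}{dest}">'
            self.a_href = None
        self.out.append(f"</{tag}>")

def disarm(message_html):
    parser = LinkDisarmer()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.flagged
```

Links whose text contains no host name (for example "click here") pass through unchanged; the sketch covers only the purported-host mismatch from the message, and the flagged list is what a redirect page or log would report.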


