Phishing Trouble

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Mon Aug 22 16:37:55 IST 2005


Julian Field wrote:

>On 19 Aug 2005, at 16:48, Denis Beauchemin wrote:
>
>>Julian Field wrote:
>>
>>>Attached is a patch for Message.pm which should stop this
>>>happening again.
>>
>>Julian,
>>
>>Tried it yesterday and this morning my server had a huge backlog of  
>>messages in mqueue.in.  I managed to single out some messages and  
>>ran MS in debug mode on them to get the following error:
>>Unmatched ) in regex; marked by <-- HERE in m/^www\.mailscannersoup&ccedil;onnelelien"www.ipm2005.fr) <-- HERE "/ at /usr/lib/MailScanner/MailScanner/Message.pm line 4954
>>
>>and line 4954 is:
>>     if ($squashedtext =~ /^www\.$squashedpossible\"$linkurl\"/) {
>>
>>So I backed out of the patch and then the messages went by just fine.
>
>Sorry, I forgot to quotemeta the regexp.
>
>Change that bit of code so it looks like this instead:
>
>       my $squashedpossible = lc($possiblefraudstart);
>       $squashedpossible =~ s/\s//g;
>       $squashedpossible =~ s/(\<\/?[^>]*\>)*//ig; # Remove tags
>       $squashedpossible = "www.$squashedpossible\"$linkurl\"";
>       $squashedpossible = quotemeta($squashedpossible);
>       #print STDERR "NEW CODE: SquashedText     = $squashedtext\n";
>       #print STDERR "NEW CODE: SquashedPossible = $squashedpossible\n";
>       #print STDERR "NEW CODE: LinkURL          = $linkurl\n";
>       if ($squashedtext =~ /^$squashedpossible/) {
>         #print STDERR "FOUND IT\n";
>         print "$DisarmLinkText$text";
>         $DisarmLinkText = ""; # Reset state of automaton
>         return;
>       }
>
>Then it should work rather better!
>Sorry about that, I wrote it in too much of a hurry :-(
>
Julian,

Tested the patch by emailing back the same message twice and I got the 
following:

<a href="www.usherbrooke.ca"></b></font><font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de</b></font> <font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de www.abc.com</a><br>

As you can see the text is there twice...  so I guess the patch doesn't work...  :-( 


Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045
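
The compile failure reported in this thread and the quotemeta() fix, reproduced as an added example that is not part of the original messages or MailScanner's own code. The sub names and sample strings are constructed for illustration; only the variable names and the pattern shape come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values modelled on the error quoted in the thread; the
# variable names follow the thread's snippet, the subs are hypothetical.
my $linkurl          = 'www.ipm2005.fr)';          # link text ending in a stray ")"
my $squashedpossible = 'mailscannersuspectslink';  # constructed warning text
my $squashedtext     = qq{www.$squashedpossible"$linkurl"trailing text};

# Pre-fix behaviour: message-derived text is interpolated as regex syntax.
# Returns 1/0 for match/no match, or undef if the pattern failed to compile.
sub match_unquoted {
  my ($text, $possible, $url) = @_;
  my $hit = eval { $text =~ /^www\.$possible\"$url\"/ ? 1 : 0 };
  return $@ ? undef : $hit;
}

# Post-fix behaviour, as in the thread: build the literal string first, then
# quotemeta() it so every metacharacter matches only itself.
sub match_quoted {
  my ($text, $possible, $url) = @_;
  my $literal = quotemeta(qq{www.$possible"$url"});
  return $text =~ /^$literal/ ? 1 : 0;
}

# Case 1: a ")" in the message text breaks the unquoted pattern outright.
my $unq = match_unquoted($squashedtext, $squashedpossible, $linkurl);
print "unquoted: ", defined $unq ? $unq : "pattern failed to compile", "\n";
print "quoted:   ", match_quoted($squashedtext, $squashedpossible, $linkurl), "\n";

# Case 2: escaping also stops over-matching, since an unescaped "." in the
# interpolated URL matches any character, not just a literal dot.
my $lookalike = 'www.x"wwwXabcYcom"';
print "unquoted dot: ", match_unquoted($lookalike, 'x', 'www.abc.com'), "\n";
print "quoted dot:   ", match_quoted($lookalike, 'x', 'www.abc.com'), "\n";
```

Without the eval, the compile error in the first case is fatal to the calling process, which is consistent with the mqueue.in backlog described in the thread.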
