Phishing Trouble

Julian Field MailScanner at ecs.soton.ac.uk
Mon Aug 22 16:57:18 IST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22 Aug 2005, at 16:37, Denis Beauchemin wrote:
> Julian Field wrote:
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 19 Aug 2005, at 16:48, Denis Beauchemin wrote:
>>
>>
>>
>>> Julian Field wrote:
>>>
>>>
>>>
>>>
>>>> Attached is a patch for Message.pm which should stop this
>>>> happening again.
>>>>
>>>>
>>>>
>>> Julian,
>>>
>>> Tried it yesterday and this morning my server had a huge backlog of
>>> messages in mqueue.in.  I managed to single out some messages and
>>> ran MS in debug mode on them to get the following error:
>>> Unmatched ) in regex; marked by <-- HERE in m/^www\.mailscannersoup&ccedil;onnelelien"www.ipm2005.fr) <-- HERE "/ at /usr/lib/MailScanner/MailScanner/Message.pm line 4954
>>>
>>> and line 4954 is:
>>>     if ($squashedtext =~ /^www\.$squashedpossible\"$linkurl\"/) {
>>>
>>> So I backed out of the patch and then the messages went by just
>>> fine.
>>>
>>>
>>
>> Sorry, I forgot to quotemeta the regexp.
>>
>> Change that bit of code so it looks like this instead:
>>
>>       my $squashedpossible = lc($possiblefraudstart);
>>       $squashedpossible =~ s/\s//g;
>>       $squashedpossible =~ s/(\<\/?[^>]*\>)*//ig; # Remove tags
>>       $squashedpossible = "www.$squashedpossible\"$linkurl\"";
>>       $squashedpossible = quotemeta($squashedpossible);
>>       #print STDERR "NEW CODE: SquashedText     = $squashedtext\n";
>>       #print STDERR "NEW CODE: SquashedPossible = $squashedpossible\n";
>>       #print STDERR "NEW CODE: LinkURL          = $linkurl\n";
>>       if ($squashedtext =~ /^$squashedpossible/) {
>>         #print STDERR "FOUND IT\n";
>>         print "$DisarmLinkText$text";
>>         $DisarmLinkText = ""; # Reset state of automaton
>>         return;
>>       }
>>
>> Then it should work rather better!
>> Sorry about that, I wrote it in too much of a hurry :-(
>>
>>
>>
> Julian,
>
> Tested the patch by emailing back the same message twice and I got
> the following:
>
> <a href="www.usherbrooke.ca"></b></font><font  
> color="red"><b>MailScanner soup&ccedil;onne le lien  
> "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la  
> part de</b></font> <font color="red"><b>MailScanner  
> soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une  
> tentative de fraude de la part de www.abc.com</a><br>
>
> As you can see the text is there twice... so I guess the patch
> doesn't work... :-(

I'll try out your text tonight. It definitely worked for me. Where
did the </b></font> right at the start come from? Do you have a copy
of the original HTML text before MailScanner hit it?
- -- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)

iQA/AwUBQwn14RH2WUcUFbZUEQLVEACgomLjluUfLwOVHsOg4PjN34AG0TkAn3oL
zqZ9iDwCOfpSem1dvZq3I8AV
=1ZT2
-----END PGP SIGNATURE-----
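
The failure discussed in this thread, as an added example that is not part of the original messages or of MailScanner's own code: text taken from a message is interpolated into a Perl pattern, first unescaped and then through quotemeta(). The helper names, link texts and URL are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed link texts and URL for illustration; not from a real message.
my $linkurl = 'www.example.org';
my @linktexts = (
    'Example Site',        # benign
    'click here) now',     # unbalanced ")" -> pattern fails to compile
    'a+b offers',          # "+" becomes a quantifier -> silent mismatch
);

# Hypothetical helper modelled on the squashing steps in the snippet above.
sub squash {
    my ($s) = @_;
    $s = lc $s;
    $s =~ s/\s//g;             # remove whitespace
    $s =~ s/<\/?[^>]*>//g;     # remove tags
    return $s;
}

# Pre-fix form: message content is interpolated as regex syntax.
sub match_unescaped {
    my ($text, $possible, $url) = @_;
    return $text =~ /^www\.$possible\"$url\"/ ? 1 : 0;
}

# Post-fix form: quotemeta() makes every character match literally.
sub match_escaped {
    my ($text, $possible, $url) = @_;
    my $pattern = quotemeta("www.$possible\"$url\"");
    return $text =~ /^$pattern/ ? 1 : 0;
}

for my $linktext (@linktexts) {
    my $possible = squash($linktext);
    my $text     = "www.$possible\"$linkurl\"";   # should always match itself

    # eval keeps a pattern compile error from killing the whole process.
    my $unescaped = eval { match_unescaped($text, $possible, $linkurl) };
    $unescaped = 'died: ' . (split /;/, $@)[0] unless defined $unescaped;

    printf "%-16s unescaped=%-28s escaped=%d\n",
        $possible, $unescaped, match_escaped($text, $possible, $linkurl);
}
```

The second case reproduces the "Unmatched ) in regex" error; the third shows that unescaped metacharacters can also make the check miss text it should match, without raising any error.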
