Phishing Trouble

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Mon Aug 22 18:16:54 IST 2005



Julian Field wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 22 Aug 2005, at 16:37, Denis Beauchemin wrote:
>
>>Julian Field wrote:
>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>Hash: SHA1
>>>
>>>On 19 Aug 2005, at 16:48, Denis Beauchemin wrote:
>>>
>>>>Julian Field wrote:
>>>>
>>>>>Attached is a patch for Message.pm which should stop this happening again.
>>>>>
>>>>Julian,
>>>>
>>>>Tried it yesterday and this morning my server had a huge backlog of messages in mqueue.in. I managed to single out some messages and ran MS in debug mode on them to get the following error:
>>>>Unmatched ) in regex; marked by <-- HERE in m/^www\.mailscannersoup&ccedil;onnelelien"www.ipm2005.fr) <-- HERE "/ at /usr/lib/MailScanner/MailScanner/Message.pm line 4954
>>>>
>>>>and line 4954 is:
>>>>    if ($squashedtext =~ /^www\.$squashedpossible\"$linkurl\"/) {
>>>>
>>>>So I backed out of the patch and then the messages went by just fine.
>>>>
>>>Sorry, I forgot to quotemeta the regexp.
>>>
>>>Change that bit of code so it looks like this instead:
>>>
>>>      my $squashedpossible = lc($possiblefraudstart);
>>>      $squashedpossible =~ s/\s//g;
>>>      $squashedpossible =~ s/(\<\/?[^>]*\>)*//ig; # Remove tags
>>>      $squashedpossible = "www.$squashedpossible\"$linkurl\"";
>>>      $squashedpossible = quotemeta($squashedpossible);
>>>      #print STDERR "NEW CODE: SquashedText     = $squashedtext\n";
>>>      #print STDERR "NEW CODE: SquashedPossible = $squashedpossible\n";
>>>      #print STDERR "NEW CODE: LinkURL          = $linkurl\n";
>>>      if ($squashedtext =~ /^$squashedpossible/) {
>>>        #print STDERR "FOUND IT\n";
>>>        print "$DisarmLinkText$text";
>>>        $DisarmLinkText = ""; # Reset state of automaton
>>>        return;
>>>      }
>>>
>>>Then it should work rather better!
>>>Sorry about that, I wrote it in too much of a hurry :-(
>>>
>>Julian,
>>
>>Tested the patch by emailing back the same message twice and I got the following:
>>
>><a href="www.usherbrooke.ca"></b></font><font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de</b></font> <font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de www.abc.com</a><br>
>>
>>As you can see the text is there twice... so I guess the patch doesn't work... :-(
>>
>
>I'll try out your text tonight. It definitely worked for me. Where did the </b></font> right at the start come from? Do you have a copy of the original HTML text before MailScanner hit it?
>

Julian,

Background: MS 4.44.6, language.conf contains:
PossibleFraudStart = <font color="red"><b>MailScanner soup&ccedil;onne le lien
PossibleFraudEnd = d'&ecirc;tre une tentative de fraude de la part de</b></font>

Source of email sent the first time:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<a href="www.usherbrooke.ca">www.abc.com</a><br>
</body>
</html>

Source of email sent the second time:

<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>

<body bgcolor="#ffffff" text="#000000">
<a href="www.usherbrooke.ca"><font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de</b></font> www.abc.com</a><br>
</body>
</html>


Results in:

<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>

</head>
<body bgcolor="#ffffff" text="#000000">
<a href="www.usherbrooke.ca"></b></font><font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de</b></font> <font color="red"><b>MailScanner soup&ccedil;onne le lien "www.usherbrooke.ca" d'&ecirc;tre une tentative de fraude de la part de www.abc.com</a><br>
</body>
</html>


Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045
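Added example (Perl, written for this page; it is not MailScanner's code and not part of Denis's or Julian's messages). It reproduces, on inputs constructed from the thread, the two behaviours under discussion: interpolating an unescaped href such as www.ipm2005.fr) into a regex dies with "Unmatched ) in regex", quotemeta() removes that failure, and an anchored "already disarmed?" check runs over the link text of the first and second test messages. The squash rules (lowercase, drop whitespace, drop tags) mirror the quoted snippet. The "www." prefix the snippet adds is left out on both sides because the thread does not show how $squashedtext acquires it; that choice, the function names and the eval wrapper are assumptions made here for illustration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Demonstrates:
#  1. an unescaped ")" from an href interpolated into a regex is fatal,
#  2. quotemeta() fixes it,
#  3. an idempotent "already disarmed?" check over the thread's two test links.
# Assumption: the "www." prefix from the quoted snippet is omitted on both
# sides, since the thread does not show where $squashedtext gets it.
use strict;
use warnings;

# PossibleFraudStart as quoted from language.conf in the thread
my $PossibleFraudStart =
  '<font color="red"><b>MailScanner soup&ccedil;onne le lien';

# Normalise link text the way the quoted snippet does:
# lowercase, drop all whitespace, drop HTML tags.
sub squash {
    my ($s) = @_;
    $s = lc $s;
    $s =~ s/\s//g;            # drop whitespace
    $s =~ s/<\/?[^>]*>//g;    # drop tags
    return $s;
}

# Pattern that should match link text already carrying the warning for $linkurl.
# $escape => 0 reproduces the first patch (raw interpolation);
# $escape => 1 applies the quotemeta() fix from the follow-up.
sub disarmed_pattern {
    my ($linkurl, $escape) = @_;
    my $possible = squash($PossibleFraudStart) . "\"$linkurl\"";
    return $escape ? quotemeta($possible) : $possible;
}

# Returns 'already disarmed', 'needs disarming' or 'regex error: ...'.
# The eval traps a regex compile failure so one bad href reports an error
# instead of killing the whole batch (the backlog Denis saw in mqueue.in).
sub classify_link {
    my ($linktext, $linkurl, $escape) = @_;
    my $pattern      = disarmed_pattern($linkurl, $escape);
    my $squashedtext = squash($linktext);
    my $matched;
    my $ok = eval { $matched = $squashedtext =~ /^$pattern/ ? 1 : 0; 1 };
    unless ($ok) {
        chomp(my $err = $@);
        return "regex error: $err";
    }
    return $matched ? 'already disarmed' : 'needs disarming';
}

# Constructed cases: link text and href taken from the two test messages
# in the thread, plus the ")" href from the original error report.
my $warning = '<font color="red"><b>MailScanner soup&ccedil;onne le lien '
  . '"www.usherbrooke.ca" d\'&ecirc;tre une tentative de fraude de la part de'
  . '</b></font> ';
my @cases = (
    # [ description, link text, href ]
    [ 'first message',  'www.abc.com',            'www.usherbrooke.ca' ],
    [ 'second message', $warning . 'www.abc.com', 'www.usherbrooke.ca' ],
    [ 'href with ")"',  'www.abc.com',            'www.ipm2005.fr)'    ],
);

for my $c (@cases) {
    my ($desc, $text, $url) = @$c;
    printf "%-15s unescaped: %s\n%-15s quotemeta: %s\n",
      $desc, classify_link($text, $url, 0),
      '',    classify_link($text, $url, 1);
}
```

Run it with perl and compare the two columns: the first and second messages classify the same with or without quotemeta(), while the href ending in ")" is a regex error without it and a clean "needs disarming" with it. Because the check anchors on the squashed warning text plus the quoted href, the second message (which already carries the warning) is recognised and would not be marked twice under these assumptions; whether the real $squashedtext matches depends on code the thread does not show.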



------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
