Feature request for phishing / fraud detection

Bob de Wildt bob.dewildt at CYSONET.COM
Sat Aug 27 16:46:25 IST 2005


Julian,

We are doing high-end hosting for several international internet
parties.
The mailscanner features, with a couple of extra milters for sendmail,
are definitely the best e-mail protection I have ever put together.
Our clients are overwhelmingly satisfied with the e-mail protection, but
some of them recently complained about this feature.

I have looked at the code and I think you need to slightly change the
following files:

etc/MailScanner.conf
lib/MailScanner/ConfigDefs.pl
lib/MailScanner/Message.pm

I could get past the first 2 files, but the last one was giving me
trouble.

I've included the patch files I was working on.
Maybe you can shed some light on it.

------------- patch MailScanner.conf -------------

@@ -1191,20 +1191,6 @@
 # This can also be the filename of a ruleset.
 High Scoring Spam Subject Text = {Spam?}

+# If the message is a phishing message, do you want to add to the
subject line?
+Phishing Modify Subject = yes
+
+# If you want the subject of phishing e-mails edited
+# what would you like to tell in the subject.
+Phishing Subject Text = {Phishing?}
+
+# If the message is a phishing e-mail containing numeric links
+# do you want the subject edited?
+Numeric Modify Subject = yes
+
+# What text would you like to add to the subject?
+Numeric Subject Text = {Numeric Link!}
+
 #
 # Changes to the Message Body
 # ---------------------------
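
Review bot: The hunk header reads -1191,20 +1191,6, meaning 20 lines in the old file and 6 in the new one, but the body adds 14 lines to 6 lines of context, so the counts are the wrong way round and patch will reject the hunk; regenerate it with diff -u old new. The first added comment has also been wrapped by the mailer, which leaves "subject line?" as a stand-alone line with no leading # that would end up in MailScanner.conf as a non-comment line. The comment above Numeric Modify Subject describes "a phishing e-mail containing numeric links", while the Message.pm change treats numeric links as a separate case from phishing; the comment should say which tag is applied when both options are set to yes.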

------------- end patch MailScanner.conf -------------




------------- patch ConfigDefs.pl -------------

+++ ConfigDefs.pl   Wed Aug 24 22:24:35 2005
@@ -101,6 +101,10 @@
 highspamprependsubject     = highscoringspammodifysubject
 highmcpsubjecttext     = highscoringmcpsubjecttext
 highspamsubjecttext        = highscoringspamsubjecttext
+phishingprependsubject        = phishingmodifysubject
+numericprependsubject     = numericmodifysubject
+phishingsubjecttext       = phishingsubjecttext
+numericsubjecttext     = numericsubjecttext
 htmltotext         = converthtmltotext
 includespamheader      = alwaysincludespamassassinreport
 includemcpheader       = alwaysincludemcpreport
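
Review bot: Nothing in this patch gives the four new options a type or a default value; the lines added after highspamsubjecttext only map internal names to configuration keywords, and for the two text options the name maps to itself (phishingsubjecttext = phishingsubjecttext). If ConfigDefs.pl declares type and default elsewhere for the neighbouring spam subject options, the same declarations are needed for these four, otherwise the MailScanner::Config::Value lookups in Message.pm have nothing to return. The file header also carries only the +++ line; include the --- line so patch can identify the old file.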

------------- end patch ConfigDefs.pl -------------




------------- patch Message.pm -------------

+++ Message.pm  Wed Aug 24 22:32:38 2005
@@ -4958,15 +4958,37 @@
         unless (InPhishingWhitelist($linkurl)) {
           use bytes; # Don't send UTF16 to syslog, it breaks!
           if ($linkurl ne "" && numbertrap && $linkurl eq
$squashedtext) {
-            # It's not a real phishing trap, just a use of numberic IP
links
-            print MailScanner::Config::LanguageValue(0,
'numericlinkwarning') .
-                  ' ';
+         # It's not a real phishing trap, just a use of numberic IP
links
+          # print MailScanner::Config::LanguageValue(0,
'numericlinkwarning') .
+          #      ' ';
+            $this->{numeric} = 1;
+            $this->{phishing} = 1;
           } else {
-            # It's a phishing attack.
-            print MailScanner::Config::LanguageValue(0,
'possiblefraudstart') .
-                  ' "' . $linkurl . '" ' .
-                  MailScanner::Config::LanguageValue(0,
'possiblefraudend') . ' ';
+          # It's a phishing attack.
+          # print MailScanner::Config::LanguageValue(0,
'possiblefraudstart') .
+          #      ' "' . $linkurl . '" ' .
+          #      MailScanner::Config::LanguageValue(0,
'possiblefraudend') . ' ';
+            $this->{numeric} = 0;
+            $this->{phishing} = 1;
           }
+          # Modify the subject line for phishing
+          # if it's phishing AND they want to modify the subject line
AND it's not
+          # already been modified by another of your MailScanners.
+           my $phishingtag =
MailScanner::Config::Value('phishingsubjecttext', $this);
+           if ($this->{phishing} && !$this->{numeric} &&
+
MailScanner::Config::Value('phishingprependsubject',$this) &&
+               !$global::MS->{mta}->TextStartsHeader($this, 'Subject:',
$phishingtag)) {
+             $global::MS->{mta}->PrependHeader($this, 'Subject:',
$phishingtag, ' ');
+           }
+          # Modify the subject line for numeric links
+          # if it's a numeric link AND they want to modify the subject
line AND it's not
+          # already been modified by another of your MailScanners.
+           my $numerictag =
MailScanner::Config::Value('numericsubjecttext', $this);
+           if ($this->{numeric} && !$this->{phishing} &&
+
MailScanner::Config::Value('numericprependsubject',$this) &&
+               !$global::MS->{mta}->TextStartsHeader($this, 'Subject:',
$numerictag)) {
+             $global::MS->{mta}->PrependHeader($this, 'Subject:',
$numerictag, ' ');
+           }
           $DisarmPhishingFound = 1;
           $linkurl = substr $linkurl, 0, 80;
           $squashedtext = substr $squashedtext, 0, 80;
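
Review bot: The numeric-link tag can never be added: both branches of the if/else set $this->{phishing} = 1, and the second new condition tests $this->{numeric} && !$this->{phishing}, which is therefore always false. Either set $this->{phishing} = 0 in the numeric branch or drop the !$this->{phishing} test from that condition. The two print calls that insert the inline warning are commented out unconditionally, so with Phishing Modify Subject = no or Numeric Modify Subject = no the recipient gets no indication at all; keep the print calls and skip each one only when the corresponding subject option is enabled. Several lines have been wrapped by the mailer (for example the MailScanner::Config::Value calls), so the hunk will not apply as posted; send it as an attachment.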


------------- end patch Message.pm -------------



Kind regards,

Bob de Wildt

Systems Administrator
Cyso Managed Hosting
Baangracht 2
1811 DC Alkmaar
tel: (+31) (0) 72-7513400
fax: (+31) (0) 72-7513401
e-mail: support at cysonet.com


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of
Julian Field
Sent: Saturday 27 August 2005 15:48
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Feature request for phishing / fraud detection

Turns out this is going to be harder than I thought. The code around
this is already very complex.
How much do people need this?

Julian Field wrote:

> This is a definite possibility. Give me an hour or two.
>
> Bob de Wildt wrote:
>
>> Julian
>>
>> I'm using the mailscanner for a hosting party and would like to see a
>> feature added to the phishing detection.
>> The problem is that many people use genuine mailings with a sublink
>> to keep up with the revenue of a mailing.
>> 90% of these links get marked with possible fraud, which completely
>> destroys the e-mail.
>>
>> It would be a good feature to be able to mark the subject of the
>> message instead of putting text inside the message.
>> Just like is done with spam, virus and bad content.
>>
>> Would it be possible to take this up in the next upgrade?
>>
>> Bob de Wildt
>>
>> Systems Administrator
>> Cyso Managed Hosting
>> Baangracht 2
>> 1811 DC Alkmaar
>> tel: (+31) (0) 72-7513400
>> fax: (+31) (0) 72-7513401
>> e-mail: support at cysonet.com
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
>> archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>  
>>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
