Feature request for phishing / fraud detection
Julian Field
MailScanner at ecs.soton.ac.uk
Sat Aug 27 17:08:57 IST 2005
Am I allowed to know who for? (off list, of course)
I am happy to hear they like MailScanner.
I don't suppose any of them would be prepared to make a donation or hire
me for some consultancy work would they? There are always bills to pay...
I can easily produce invoices that say whatever they need them to say.
You obviously make a nice living out of these international parties, a
bit of benefit to me is always much appreciated.
However, back to the subject in hand.
I have written the new code, and will put out a new beta in the next few
minutes containing these new settings and features. Install exactly the
same way as usual.
Thanks (in advance :-)
Jules.
Bob de Wildt wrote:
>Julian,
>
>We are doing high-end hosting for several international internet
>parties.
>The mailscanner features, with a couple of extra milters for sendmail,
>are definitely the best e-mail protection I have ever put together.
>Our clients are overwhelmingly satisfied with the e-mail protection, but
>some of them recently complained about this feature.
>
>I have looked at the code and I think you need to slightly change the
>following files:
>
>etc/MailScanner.conf
>lib/MailScanner/ConfigDefs.pl
>lib/MailScanner/Message.pm
>
>I could get past the first 2 files, but the last one was giving me
>trouble.
>
>I've included the patch files I was working on.
>Maybe you can shed some light over it.
>
>------------- patch MailScanner.conf -------------
>
>@@ -1191,20 +1191,6 @@
> # This can also be the filename of a ruleset.
> High Scoring Spam Subject Text = {Spam?}
>
>+# If the message is a phishing message, do you want to add to the
>subject line?
>+Phishing Modify Subject = yes
>+
>+# If you want the subject of phishing e-mails edited
>+# what would you like to tell in the subject.
>+Phishing Subject Text = {Phishing?}
>+
>+# If the message is a phishing e-mail containing numeric links
>+# do you want the subject edited?
>+Numeric Modify Subject = yes
>+
>+# What text would you like to add to the subject?
>+Numeric Subject Text = {Numeric Link!}
>+
> #
> # Changes to the Message Body
> # ---------------------------
>
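Review bot: the hunk header "@@ -1191,20 +1191,6 @@" contradicts the body. The
body carries 6 context lines and 14 added lines, so the counts should read
"-1191,6 +1191,20"; as posted the header describes the reverse direction and the
hunk will not apply cleanly. Regenerate it with the original file as the first
argument to diff -u. The mailer has also wrapped the first added comment so that
"subject line?" sits on a line of its own without a leading "#", which would land
in MailScanner.conf as a bare non-comment line; sending the patch as an attachment
avoids that. On naming, "Numeric Modify Subject" and "Numeric Subject Text" do not
say what is numeric; a name that mentions the numeric IP link would be clearer.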
>------------- end patch MailScanner.conf -------------
>
>
>
>
>------------- patch ConfigDefs.pl -------------
>
>+++ ConfigDefs.pl Wed Aug 24 22:24:35 2005
>@@ -101,6 +101,10 @@
> highspamprependsubject = highscoringspammodifysubject
> highmcpsubjecttext = highscoringmcpsubjecttext
> highspamsubjecttext = highscoringspamsubjecttext
>+phishingprependsubject = phishingmodifysubject
>+numericprependsubject = numericmodifysubject
>+phishingsubjecttext = phishingsubjecttext
>+numericsubjecttext = numericsubjecttext
> htmltotext = converthtmltotext
> includespamheader = alwaysincludespamassassinreport
> includemcpheader = alwaysincludemcpreport
>
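Review bot: the four added lines only register name translations for the new
options; nothing in this hunk gives them a type or a default value. If
ConfigDefs.pl declares those elsewhere, the patch needs matching entries there
(yes/no for the two "prependsubject" options, free text for the two
"subjecttext" options), otherwise the MailScanner::Config::Value() calls added
in Message.pm have nothing defined to return when the conf lines are absent. The
file header is also incomplete: there is a "+++ ConfigDefs.pl" line but no
"---" line naming the original file.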
>------------- end patch ConfigDefs.pl -------------
>
>
>
>
>------------- patch Message.pm -------------
>
>+++ Message.pm Wed Aug 24 22:32:38 2005
>@@ -4958,15 +4958,37 @@
> unless (InPhishingWhitelist($linkurl)) {
> use bytes; # Don't send UTF16 to syslog, it breaks!
> if ($linkurl ne "" && numbertrap && $linkurl eq
>$squashedtext) {
>- # It's not a real phishing trap, just a use of numberic IP
>links
>- print MailScanner::Config::LanguageValue(0,
>'numericlinkwarning') .
>- ' ';
>+ # It's not a real phishing trap, just a use of numberic IP
>links
>+ # print MailScanner::Config::LanguageValue(0,
>'numericlinkwarning') .
>+ # ' ';
>+ $this->{numeric} = 1;
>+ $this->{phishing} = 1;
> } else {
>- # It's a phishing attack.
>- print MailScanner::Config::LanguageValue(0,
>'possiblefraudstart') .
>- ' "' . $linkurl . '" ' .
>- MailScanner::Config::LanguageValue(0,
>'possiblefraudend') . ' ';
>+ # It's a phishing attack.
>+ # print MailScanner::Config::LanguageValue(0,
>'possiblefraudstart') .
>+ # ' "' . $linkurl . '" ' .
>+ # MailScanner::Config::LanguageValue(0,
>'possiblefraudend') . ' ';
>+ $this->{numeric} = 0;
>+ $this->{phishing} = 1;
> }
>+ # Modify the subject line for phishing
>+ # if it's phishing AND they want to modify the subject line
>AND it's not
>+ # already been modified by another of your MailScanners.
>+ my $phishingtag =
>MailScanner::Config::Value('phishingsubjecttext', $this);
>+ if ($this->{phishing} && !$this->{numeric} &&
>+
>MailScanner::Config::Value('phishingprependsubject',$this) &&
>+ !$global::MS->{mta}->TextStartsHeader($this, 'Subject:',
>$phishingtag)) {
>+ $global::MS->{mta}->PrependHeader($this, 'Subject:',
>$phishingtag, ' ');
>+ }
>+ # Modify the subject line for numeric links
>+ # if it's a numeric link AND they want to modify the subject
>line AND it's not
>+ # already been modified by another of your MailScanners.
>+ my $numerictag =
>MailScanner::Config::Value('numericsubjecttext', $this);
>+ if ($this->{numeric} && !$this->{phishing} &&
>+
>MailScanner::Config::Value('numericprependsubject',$this) &&
>+ !$global::MS->{mta}->TextStartsHeader($this, 'Subject:',
>$numerictag)) {
>+ $global::MS->{mta}->PrependHeader($this, 'Subject:',
>$numerictag, ' ');
>+ }
> $DisarmPhishingFound = 1;
> $linkurl = substr $linkurl, 0, 80;
> $squashedtext = substr $squashedtext, 0, 80;
>
>
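Review bot: the numeric-link test near the end of the hunk can never be true.
Both branches set "$this->{phishing} = 1", so
"$this->{numeric} && !$this->{phishing}" is always false, and in the numeric
branch the phishing test "$this->{phishing} && !$this->{numeric}" is false as
well, which means a message with a numeric IP link gets no subject tag at all.
Either set "$this->{phishing} = 0" in the numeric branch or drop the
"!$this->{phishing}" term from the second condition. Separately, the two print
calls are commented out unconditionally, so the in-body warning disappears even
when both new Modify Subject options are set to no; the removal should depend on
those settings. The flags are also written to $this for every link that reaches
this code, so the last link checked decides which tag is used for the whole
message.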
>------------- end patch Message.pm -------------
>
>
>
>Kind regards,
>
>Bob de Wildt
>
>Systems Administrator
>Cyso Managed Hosting
>Baangracht 2
>1811 DC Alkmaar
>tel: (+31) (0) 72-7513400
>fax: (+31) (0) 72-7513401
>e-mail: support at cysonet.com
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On behalf of
>Julian Field
>Sent: Saturday 27 August 2005 15:48
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Feature request for phishing / fraud detection
>
>Turns out this is going to be harder than I thought. The code around
>this is already very complex.
>How much do people need this?
>
>Julian Field wrote:
>
>
>
>>This is a definite possibility. Give me an hour or two.
>>
>>Bob de Wildt wrote:
>>
>>
>>
>>>Julian
>>>
>>>I'm using the mailscanner for a hosting party and would like to see a
>>>feature added to the phishing detection.
>>>The problem is that many people use genuine mailings with a sublink
>>>to keep up with the revenue of a mailing.
>>>90% of these links get marked with possible fraud, which completely
>>>destroys the e-mail.
>>>
>>>It would be a good feature to be able to mark the subject of the
>>>message instead of putting text inside the message.
>>>Just like is done with spam, virus and bad content.
>>>
>>>Would it be possible to take this up in the next upgrade?
>>>
>>>Bob de Wildt
>>>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654