Phishing detection gets confused by malformed HTML

Julian Field MailScanner at ecs.soton.ac.uk
Thu Feb 17 09:16:18 GMT 2005



Try the attached patch for Message.pm.

John Wilcock wrote:

> Given the following input (admittedly malformed, but this occurred in
> a genuine newsletter received by one of my users):
>
>> <a href="
>> <a
>> href="http://www.redirector-example.com/?redirect">www.example.com</a>
>
>
> MailScanner detects a phish, but apparently gets confused:
>
>> <a href="
>> <a
>> href="http://www.redirector-example.com/?redirect"><font
>> color="red"><b>MailScanner has detected a possible fraud attempt from
>> "<a
>> href=" claiming to be</b></font> www.example.com</a>
>
>
> Logging is confused too, split over two lines:
>
>> Feb 17 08:53:27 gate MailScanner[4662]: Found phishing fraud from <a
>> Feb 17 08:53:27 gate MailScanner[4662]: href= claiming to be
>> www.example.com in 676A6E100C.5A3EA
>
>
> Also, in trying to reproduce this I noticed that the same input but
> without the quote on the malformed leading <a> tag is detected as being
> IP-based phishing.
>
>> <a href=
>> <a
>> href="http://www.redirector-example.com/?redirect">www.example.com</a>
>
>
> Logged as:
>
>> Feb 17 08:46:39 gate MailScanner[4662]: Found ip-based phishing fraud
>> from <a in 3F5CEE100C.57EBC
>
>
> The HTML is completely malformed and doesn't result in a working link,
> but you might like to take a fresh look at the code in case there are
> other ways to craft a malformed link that might actually work but get
> through MS.
>
>
> John.
>
> --
> -- Over 2500 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages    - www.tradoc.fr
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



    [ Part 2, Application/X-GZIP  960bytes. ]
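The symptoms John reports come from an href extractor that takes the first `href=` it sees at face value, so the dangling `<a href="` fragment (or the bare `<a` in the unquoted variant) is reported as the link target. The following Python is an added illustration written for this archive page; it is not code from the thread, from MailScanner's Message.pm, or from the attached patch. The sample inputs `QUOTED` and `UNQUOTED` are constructed to reproduce the markup quoted above, `NAIVE_HREF` is an illustrative stand-in that reproduces the two garbled log messages rather than MailScanner's real regex, and all function names (`naive_href`, `robust_links`, `check_link`, `scan`) and the `CONSTRUCTED-MSGID` placeholder are assumptions. The robust extractor abandons an `<a>` tag as soon as it meets a `<` or unparseable text before the closing `>`, so the real anchor that follows is parsed on its own and the warning is one line with proper hostnames in it.

```python
import re
from urllib.parse import urlparse

# Constructed inputs reproducing the malformed markup from the thread: an
# unterminated <a href= fragment immediately followed by the real anchor.
QUOTED = ('<a href="\n<a\nhref="http://www.redirector-example.com/?redirect">'
          'www.example.com</a>')
UNQUOTED = ('<a href=\n<a\nhref="http://www.redirector-example.com/?redirect">'
            'www.example.com</a>')

# Illustrative regex-based extractor (NOT MailScanner's code): the first href=
# it finds is taken at face value, so the dangling fragment wins.
NAIVE_HREF = re.compile(r'href\s*=\s*(?:"([^"]*)"|([^\s>]+))', re.I)

def naive_href(html):
    """Return the first href value a naive scanner would report."""
    m = NAIVE_HREF.search(html)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

# One attribute: name, optionally =value (double-quoted, single-quoted or bare).
# No value form may contain '<', so a new tag start cannot be swallowed.
ATTR = re.compile(r'([A-Za-z-]+)(?:\s*=\s*(?:"([^"<]*)"|\'([^\'<]*)\'|([^\s"\'<>]+)))?')
A_OPEN = re.compile(r'<a\b', re.I)
A_CLOSE = re.compile(r'</a\s*>', re.I)
IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}$')

def parse_a_tag(html, i):
    """Parse the attributes of an <a> tag whose '<a' ends at index i.
    Returns (attrs, index_after, complete). A '<' or unparseable text before
    the closing '>' abandons the tag instead of absorbing what follows."""
    attrs = {}
    while True:
        while i < len(html) and html[i].isspace():
            i += 1
        if i >= len(html) or html[i] == '<':
            return attrs, i, False
        if html[i] == '>':
            return attrs, i + 1, True
        m = ATTR.match(html, i)
        if not m:
            return attrs, i, False
        value = next((v for v in m.groups()[1:] if v is not None), '')
        attrs[m.group(1).lower()] = value
        i = m.end()

def robust_links(html):
    """Return ([(href, visible_text), ...], number_of_abandoned_tags)."""
    links, abandoned, pos = [], 0, 0
    while True:
        m = A_OPEN.search(html, pos)
        if not m:
            return links, abandoned
        attrs, end, complete = parse_a_tag(html, m.end())
        if not complete:
            abandoned += 1
            pos = end  # resume at the interrupting '<' (or the junk)
            continue
        c = A_CLOSE.search(html, end)
        text_end = c.start() if c else len(html)
        # drop inner markup such as <font> or <b> so only visible text remains
        text = re.sub(r'<[^>]*>', '', html[end:text_end]).strip()
        if attrs.get('href'):
            links.append((attrs['href'], text))
        pos = c.end() if c else text_end

def check_link(href, text):
    """Compare the hostname the link goes to with the hostname shown to the
    reader: 'ok', 'phish' (hostnames differ) or 'ip-based' (numeric target)."""
    target = (urlparse(href).hostname or '').lower()
    shown = re.sub(r'^[a-z]+://', '', text.strip().lower()).split('/')[0]
    if '.' not in shown:
        return 'ok'  # descriptive link text such as "click here"; nothing to compare
    if IPV4.match(target):
        return 'ip-based'
    return 'ok' if shown == target else 'phish'

def warning_line(verdict, href, text, msgid):
    """One log line: hostnames never contain newlines, so it cannot split."""
    kind = 'ip-based phishing fraud' if verdict == 'ip-based' else 'phishing fraud'
    target = urlparse(href).hostname or href
    return f'Found {kind} from {target} claiming to be {text} in {msgid}'

def scan(html, msgid='CONSTRUCTED-MSGID'):
    """Run the robust extractor and return one finding per suspicious link."""
    findings = []
    links, _ = robust_links(html)
    for href, text in links:
        verdict = check_link(href, text)
        if verdict != 'ok':
            findings.append(warning_line(verdict, href, text, msgid))
    return findings

if __name__ == '__main__':
    for label, sample in (('quoted', QUOTED), ('unquoted', UNQUOTED)):
        print(f'{label}: naive href = {naive_href(sample)!r}')
        for line in scan(sample):
            print(f'{label}: {line}')
```

Run as is, the naive extractor returns `'\n<a\nhref='` for the quoted input (the newline is what splits the log line in two) and `'<a'` for the unquoted one, while the robust path reports the redirector hostname against `www.example.com` on a single line for both. The design choice is conservative on purpose: abandoning an `<a>` at a stray `<` never produces a working link the scanner missed, it only stops junk from being treated as an address.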