Quoted Printable
Julian Field
MailScanner at ecs.soton.ac.uk
Mon Feb 21 18:36:59 GMT 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
But I thought your subject was to do with phishing problems and message
rebuild. This doesn't appear at first glance to be connected with clamav
module parameters.
Roger Jochem wrote:
>There are new parameters about clamav module in the instalation...
>
>----- Original Message -----
>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Monday, February 21, 2005 3:28 PM
>Subject: Re: Quoted Printable
>
>
>
>
>>So what was the change you perceived between the prior version and the
>>current version?
>>Just want to double-check that you think it has changed.
>>
>>Roger Jochem wrote:
>>
>>
>>
>>>But in the prior version, I was with HTML Content on, and just disabling
>>>
>>>
>the
>
>
>>>phishing net solved my problem...
>>>
>>>This version is making the same, with the phishing net enabled the files
>>>
>>>
>are
>
>
>>>changing sizes... Disabling it solves the problem...
>>>
>>>----- Original Message -----
>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>Sent: Monday, February 21, 2005 3:18 PM
>>>Subject: Re: Quoted Printable
>>>
>>>
>>>
>>>
>>>
>>>
>>>>Yes. But to be sure you will have to switch off all the HTML content
>>>>
>>>>
>>>>
>>>>
>>>checks.
>>>
>>>
>>>
>>>
>>>>Roger Jochem wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>In 4.39.2-1? I downloaded it about an hour ago...
>>>>>
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>>>Sent: Monday, February 21, 2005 11:42 AM
>>>>>Subject: Re: Quoted Printable
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>It should already be doing that. It watches to see if it actually
>>>>>>applies the phishing messages to the email, and only then does it mark
>>>>>>the message for rebuild.
>>>>>>
>>>>>>Roger Jochem wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>This could work too...
>>>>>>>
>>>>>>>These messages didn't have any phishing attack on it. If they weren't
>>>>>>>rebuild, this would solve the problem...
>>>>>>>
>>>>>>>----- Original Message -----
>>>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>>>>>Sent: Monday, February 21, 2005 9:15 AM
>>>>>>>Subject: Re: Quoted Printable
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>I specifically didn't make the phishing net do more than alter the
>>>>>>>>message if it needs to. If it doesn't detect a phishing attack, does
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>it
>>>
>>>
>>>
>>>
>>>>>>>>still rebuild the message? I may well be able to stop it doing that
>>>>>>>>
>>>>>>>>
>if
>
>
>>>>>>>>it is.
>>>>>>>>
>>>>>>>>Roger Jochem wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>Too bad...
>>>>>>>>>
>>>>>>>>>In this case I would have to disable the Phising Detection...
>>>>>>>>>
>>>>>>>>>Could you consider doing an option of blocking, forwarding,
>>>>>>>>>
>>>>>>>>>
>deleting
>
>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>the
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>phishing mails instead of changing the content of it (like spam)?
>>>>>>>>>
>>>>>>>>>
>The
>
>
>>>>>>>>>phishing mails found by clamav are already treated as virus, not
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>forwarded,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>>so I don't see any problem in blocking MailScanner's too... And
>>>>>>>>>
>>>>>>>>>
>this
>
>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>would
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>>be and option, some users would send the message with the changed
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>body,
>>>
>>>
>>>
>>>
>>>>>>>>>another ones would block them. They could be sended to an single
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>account
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>with a modified subject like it's already done with spam, maybe
>>>>>>>>>"{Phishing?}".
>>>>>>>>>
>>>>>>>>>Another option would be to MailScanner modify only the header of
>>>>>>>>>
>>>>>>>>>
>the
>
>
>>>>>>>>>message, instead of the body, putting the "{Phishing?}" before the
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>mail
>>>
>>>
>>>
>>>
>>>>>>>>>subject...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>Yes. It's the message being rebuilt by MailScanner. Outlook
>>>>>>>>>>
>>>>>>>>>>
>Express
>
>
>>>>>>>>>>shouldn't be sending these things out as Quoted Printable, but use
>>>>>>>>>>base64 instead. This one is *very* hard for me to solve. We have
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>already
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>>put in an exception for most PDF files, these look like more
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>problems.
>>>
>>>
>>>
>>>
>>>>>>>>>>Roger Jochem wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>Hello, Julian!
>>>>>>>>>>>
>>>>>>>>>>>I made some tests with MailScanner to find out the problem with
>>>>>>>>>>>
>>>>>>>>>>>
>my
>
>
>>>>>>>>>>>Outlook Express Quoted Printable attachments that change size and
>>>>>>>>>>>format (between DOS and UNIX). I find out that if I disable the
>>>>>>>>>>>Phishing Detection the e-mails passes without any change to the
>>>>>>>>>>>attachment, and if I enable the Phishing Detection again, the
>>>>>>>>>>>
>>>>>>>>>>>
>file
>
>
>>>>>>>>>>>comes with the wrokg size and converted to Unix. Makes sense?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>--
>>>>>>>>Julian Field
>>>>>>>>www.MailScanner.info
>>>>>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>>>>>
>>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>>>
>>>>>>>>------------------------ MailScanner list ------------------------
>>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>>>'leave mailscanner' in the body of the email.
>>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>>>
>>>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>------------------------ MailScanner list ------------------------
>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>>'leave mailscanner' in the body of the email.
>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>>
>>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>--
>>>>>>Julian Field
>>>>>>www.MailScanner.info
>>>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>>>
>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>
>>>>>>------------------------ MailScanner list ------------------------
>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>'leave mailscanner' in the body of the email.
>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>
>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>------------------------ MailScanner list ------------------------
>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>'leave mailscanner' in the body of the email.
>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>
>>>>>Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>--
>>>>Julian Field
>>>>www.MailScanner.info
>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>Professional Support Services at www.MailScanner.biz
>>>>MailScanner thanks transtec Computers for their support
>>>>
>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>>------------------------ MailScanner list ------------------------
>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>'leave mailscanner' in the body of the email.
>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>>Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>>
>>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>>Support MailScanner development - buy the book off the website!
>>>
>>>
>>>
>>>
>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Buy the MailScanner book at www.MailScanner.info/store
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list