Quoted Printable

Julian Field MailScanner at ecs.soton.ac.uk
Mon Feb 21 18:44:39 GMT 2005


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Ah, okay. Your previous messages appeared to imply that the behaviour
had changed in the area of the rebuilding of messages when phishing
attempts were found (or not found).

Please switch on "Log Dangerous HTML Tags".

Roger Jochem wrote:

>Yes. I was just saying about the parameters that changed with this
>release... To prove I upgraded...
>
>I didn't understood your question before. I didn't perceived any change
>regarding the phishing detection between this version and the prior one...
>
>
>----- Original Message -----
>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Monday, February 21, 2005 3:36 PM
>Subject: Re: Quoted Printable
>
>
>
>
>>But I thought your subject was to do with phishing problems and message
>>rebuild. This doesn't appear at first glance to be connected with clamav
>>module parameters.
>>
>>Roger Jochem wrote:
>>
>>
>>
>>>There are new parameters about clamav module in the instalation...
>>>
>>>----- Original Message -----
>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>Sent: Monday, February 21, 2005 3:28 PM
>>>Subject: Re: Quoted Printable
>>>
>>>
>>>
>>>
>>>
>>>
>>>>So what was the change you perceived between the prior version and the
>>>>current version?
>>>>Just want to double-check that you think it has changed.
>>>>
>>>>Roger Jochem wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>But in the prior version, I was with HTML Content on, and just
>>>>>
>>>>>
>disabling
>
>
>>>>>
>>>>>
>>>the
>>>
>>>
>>>
>>>
>>>>>phishing net solved my problem...
>>>>>
>>>>>This version is making the same, with the phishing net enabled the
>>>>>
>>>>>
>files
>
>
>>>>>
>>>>>
>>>are
>>>
>>>
>>>
>>>
>>>>>changing sizes... Disabling it solves the problem...
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>>>Sent: Monday, February 21, 2005 3:18 PM
>>>>>Subject: Re: Quoted Printable
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Yes. But to be sure you will have to switch off all the HTML content
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>checks.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Roger Jochem wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>In 4.39.2-1? I downloaded it about an hour ago...
>>>>>>>
>>>>>>>
>>>>>>>----- Original Message -----
>>>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>>>>>Sent: Monday, February 21, 2005 11:42 AM
>>>>>>>Subject: Re: Quoted Printable
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>It should already be doing that. It watches to see if it actually
>>>>>>>>applies the phishing messages to the email, and only then does it
>>>>>>>>
>>>>>>>>
>mark
>
>
>>>>>>>>the message for rebuild.
>>>>>>>>
>>>>>>>>Roger Jochem wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>This could work too...
>>>>>>>>>
>>>>>>>>>These messages didn't have any phishing attack on it. If they
>>>>>>>>>
>>>>>>>>>
>weren't
>
>
>>>>>>>>>rebuild, this would solve the problem...
>>>>>>>>>
>>>>>>>>>----- Original Message -----
>>>>>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
>>>>>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>>>>>>>>Sent: Monday, February 21, 2005 9:15 AM
>>>>>>>>>Subject: Re: Quoted Printable
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>I specifically didn't make the phishing net do more than alter the
>>>>>>>>>>message if it needs to. If it doesn't detect a phishing attack,
>>>>>>>>>>
>>>>>>>>>>
>does
>
>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>it
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>>still rebuild the message? I may well be able to stop it doing
>>>>>>>>>>
>>>>>>>>>>
>that
>
>
>>>>>>>>>>
>>>>>>>>>>
>>>if
>>>
>>>
>>>
>>>
>>>>>>>>>>it is.
>>>>>>>>>>
>>>>>>>>>>Roger Jochem wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>Too bad...
>>>>>>>>>>>
>>>>>>>>>>>In this case I would have to disable the Phising Detection...
>>>>>>>>>>>
>>>>>>>>>>>Could you consider doing an option of blocking, forwarding,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>deleting
>>>
>>>
>>>
>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>the
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>>>>phishing mails instead of changing the content of it (like spam)?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>The
>>>
>>>
>>>
>>>
>>>>>>>>>>>phishing mails found by clamav are already treated as virus, not
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>forwarded,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>>so I don't see any problem in blocking MailScanner's too... And
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>this
>>>
>>>
>>>
>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>would
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>>be and option, some users would send the message with the changed
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>body,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>>>another ones would block them. They could be sended to an single
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>account
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>>>>with a modified subject like it's already done with spam, maybe
>>>>>>>>>>>"{Phishing?}".
>>>>>>>>>>>
>>>>>>>>>>>Another option would be to MailScanner modify only the header of
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>the
>>>
>>>
>>>
>>>
>>>>>>>>>>>message, instead of the body, putting the "{Phishing?}" before
>>>>>>>>>>>
>>>>>>>>>>>
>the
>
>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>mail
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>>>subject...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>Yes. It's the message being rebuilt by MailScanner. Outlook
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>Express
>>>
>>>
>>>
>>>
>>>>>>>>>>>>shouldn't be sending these things out as Quoted Printable, but
>>>>>>>>>>>>
>>>>>>>>>>>>
>use
>
>
>>>>>>>>>>>>base64 instead. This one is *very* hard for me to solve. We have
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>already
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>>>>>put in an exception for most PDF files, these look like more
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>problems.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>>>>>Roger Jochem wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>Hello, Julian!
>>>>>>>>>>>>>
>>>>>>>>>>>>>I made some tests with MailScanner to find out the problem with
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>my
>>>
>>>
>>>
>>>
>>>>>>>>>>>>>Outlook Express Quoted Printable attachments that change size
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>and
>
>
>>>>>>>>>>>>>format (between DOS and UNIX). I find out that if I disable the
>>>>>>>>>>>>>Phishing Detection the e-mails passes without any change to the
>>>>>>>>>>>>>attachment, and if I enable the Phishing Detection again, the
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>file
>>>
>>>
>>>
>>>
>>>>>>>>>>>>>comes with the wrokg size and converted to Unix. Makes sense?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>--
>>>>>>>>>>Julian Field
>>>>>>>>>>www.MailScanner.info
>>>>>>>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>>>>>>>
>>>>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>>>>>
>>>>>>>>>>------------------------ MailScanner list ------------------------
>>>>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>>>>>'leave mailscanner' in the body of the email.
>>>>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>>>>>
>>>>>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>------------------------ MailScanner list ------------------------
>>>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>>>>'leave mailscanner' in the body of the email.
>>>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>>>>
>>>>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>--
>>>>>>>>Julian Field
>>>>>>>>www.MailScanner.info
>>>>>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>>>>>
>>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>>>
>>>>>>>>------------------------ MailScanner list ------------------------
>>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>>>'leave mailscanner' in the body of the email.
>>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>>>
>>>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>------------------------ MailScanner list ------------------------
>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>>'leave mailscanner' in the body of the email.
>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>>
>>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>--
>>>>>>Julian Field
>>>>>>www.MailScanner.info
>>>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>>>Professional Support Services at www.MailScanner.biz
>>>>>>MailScanner thanks transtec Computers for their support
>>>>>>
>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>
>>>>>>------------------------ MailScanner list ------------------------
>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>>'leave mailscanner' in the body of the email.
>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>
>>>>>>Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>------------------------ MailScanner list ------------------------
>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>'leave mailscanner' in the body of the email.
>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>
>>>>>Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>--
>>>>Julian Field
>>>>www.MailScanner.info
>>>>Buy the MailScanner book at www.MailScanner.info/store
>>>>Professional Support Services at www.MailScanner.biz
>>>>MailScanner thanks transtec Computers for their support
>>>>
>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>>------------------------ MailScanner list ------------------------
>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>'leave mailscanner' in the body of the email.
>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>>Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>>
>>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>>Support MailScanner development - buy the book off the website!
>>>
>>>
>>>
>>>
>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>Buy the MailScanner book at www.MailScanner.info/store
>>Professional Support Services at www.MailScanner.biz
>>MailScanner thanks transtec Computers for their support
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list