Quoted Printable
Roger Jochem
roger at RUDNICK.COM.BR
Mon Feb 21 18:49:31 GMT 2005
Was already on
----- Original Message -----
From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, February 21, 2005 3:44 PM
Subject: Re: Quoted Printable
> Ah, okay. Your previous messages appeared to imply that the behaviour
> had changed in the area of the rebuilding of messages when phishing
> attempts were found (or not found).
>
> Please switch on "Log Dangerous HTML Tags".
>
> Roger Jochem wrote:
>
> >Yes. I was just saying about the parameters that changed with this
> >release... To prove I upgraded...
> >
> >I didn't understand your question before. I didn't perceive any change
> >regarding the phishing detection between this version and the prior
> >one...
> >
> >----- Original Message -----
> >From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
> >To: <MAILSCANNER at JISCMAIL.AC.UK>
> >Sent: Monday, February 21, 2005 3:36 PM
> >Subject: Re: Quoted Printable
> >
> >>But I thought your subject was to do with phishing problems and message
> >>rebuild. This doesn't appear at first glance to be connected with clamav
> >>module parameters.
> >>
> >>Roger Jochem wrote:
> >>
> >>>There are new parameters about clamav module in the installation...
> >>>
> >>>----- Original Message -----
> >>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
> >>>To: <MAILSCANNER at JISCMAIL.AC.UK>
> >>>Sent: Monday, February 21, 2005 3:28 PM
> >>>Subject: Re: Quoted Printable
> >>>
> >>>>So what was the change you perceived between the prior version and the
> >>>>current version?
> >>>>Just want to double-check that you think it has changed.
> >>>>
> >>>>Roger Jochem wrote:
> >>>>
> >>>>>But in the prior version, I was with HTML Content on, and just disabling
> >>>>>the phishing net solved my problem...
> >>>>>
> >>>>>This version is making the same, with the phishing net enabled the files
> >>>>>are changing sizes... Disabling it solves the problem...
> >>>>>
> >>>>>----- Original Message -----
> >>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
> >>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
> >>>>>Sent: Monday, February 21, 2005 3:18 PM
> >>>>>Subject: Re: Quoted Printable
> >>>>>
> >>>>>>Yes. But to be sure you will have to switch off all the HTML content
> >>>>>>checks.
> >>>>>>
> >>>>>>Roger Jochem wrote:
> >>>>>>
> >>>>>>>In 4.39.2-1? I downloaded it about an hour ago...
> >>>>>>>
> >>>>>>>
> >>>>>>>----- Original Message -----
> >>>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
> >>>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
> >>>>>>>Sent: Monday, February 21, 2005 11:42 AM
> >>>>>>>Subject: Re: Quoted Printable
> >>>>>>>
> >>>>>>>>It should already be doing that. It watches to see if it actually
> >>>>>>>>applies the phishing messages to the email, and only then does it mark
> >>>>>>>>the message for rebuild.
> >>>>>>>>
> >>>>>>>>Roger Jochem wrote:
> >>>>>>>>
> >>>>>>>>>This could work too...
> >>>>>>>>>
> >>>>>>>>>These messages didn't have any phishing attack on it. If they weren't
> >>>>>>>>>rebuilt, this would solve the problem...
> >>>>>>>>>
> >>>>>>>>>----- Original Message -----
> >>>>>>>>>From: "Julian Field" <MailScanner at ECS.SOTON.AC.UK>
> >>>>>>>>>To: <MAILSCANNER at JISCMAIL.AC.UK>
> >>>>>>>>>Sent: Monday, February 21, 2005 9:15 AM
> >>>>>>>>>Subject: Re: Quoted Printable
> >>>>>>>>>
> >>>>>>>>>>I specifically didn't make the phishing net do more than alter the
> >>>>>>>>>>message if it needs to. If it doesn't detect a phishing attack, does it
> >>>>>>>>>>still rebuild the message? I may well be able to stop it doing that if
> >>>>>>>>>>it is.
> >>>>>>>>>>
> >>>>>>>>>>Roger Jochem wrote:
> >>>>>>>>>>
> >>>>>>>>>>>Too bad...
> >>>>>>>>>>>
> >>>>>>>>>>>In this case I would have to disable the Phishing Detection...
> >>>>>>>>>>>
> >>>>>>>>>>>Could you consider doing an option of blocking, forwarding, deleting the
> >>>>>>>>>>>phishing mails instead of changing the content of it (like spam)? The
> >>>>>>>>>>>phishing mails found by clamav are already treated as virus, not
> >>>>>>>>>>>forwarded, so I don't see any problem in blocking MailScanner's too...
> >>>>>>>>>>>And this would be an option, some users would send the message with the
> >>>>>>>>>>>changed body, other ones would block them. They could be sent to a
> >>>>>>>>>>>single account with a modified subject like it's already done with spam,
> >>>>>>>>>>>maybe "{Phishing?}".
> >>>>>>>>>>>
> >>>>>>>>>>>Another option would be to MailScanner modify only the header of the
> >>>>>>>>>>>message, instead of the body, putting the "{Phishing?}" before the mail
> >>>>>>>>>>>subject...
> >>>>>>>>>>>
> >>>>>>>>>>>>Yes. It's the message being rebuilt by MailScanner. Outlook Express
> >>>>>>>>>>>>shouldn't be sending these things out as Quoted Printable, but use
> >>>>>>>>>>>>base64 instead. This one is *very* hard for me to solve. We have already
> >>>>>>>>>>>>put in an exception for most PDF files, these look like more problems.
> >>>>>>>>>>>>
> >>>>>>>>>>>>Roger Jochem wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>>Hello, Julian!
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>I made some tests with MailScanner to find out the problem with my
> >>>>>>>>>>>>>Outlook Express Quoted Printable attachments that change size and
> >>>>>>>>>>>>>format (between DOS and UNIX). I found out that if I disable the
> >>>>>>>>>>>>>Phishing Detection the e-mails pass without any change to the
> >>>>>>>>>>>>>attachment, and if I enable the Phishing Detection again, the file
> >>>>>>>>>>>>>comes with the wrong size and converted to Unix. Makes sense?
> >>>>>>>>>>>>>
> >>>>>>>>>>--
> >>>>>>>>>>Julian Field
> >>>>>>>>>>www.MailScanner.info
> >>>>>>>>>>Buy the MailScanner book at www.MailScanner.info/store
> >>>>>>>>>>
> >>>>>>>>>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >>>>>>>>>>
> >>>>>>>>>>------------------------ MailScanner list ------------------------
> >>>>>>>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >>>>>>>>>>'leave mailscanner' in the body of the email.
> >>>>>>>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >>>>>>>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >>>>>>>>>>
> >>>>>>>>>>Support MailScanner development - buy the book off the website!
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
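
The size and DOS/Unix change discussed in this thread, as an added illustration that is not part of the original messages and is not MailScanner's code: a simplified text-mode quoted-printable codec showing that a DOS and a Unix copy of the same file are identical on the wire, so a decode on a Unix host returns LF line endings and a smaller file, while base64 returns the original bytes. The sample attachment and all function names are constructed for this example.

```python
import base64
import re

def qp_encode_text(data: bytes) -> bytes:
    """Text-mode quoted-printable (RFC 2045): every line break in the input,
    CRLF or LF alike, goes out as a hard line break, which is CRLF on the wire.
    Assumes lines short enough to need no soft line breaks."""
    wire = []
    for line in data.splitlines():
        enc = "".join(
            chr(b) if (33 <= b <= 126 and b != 0x3D) or b in (0x20, 0x09)
            else "=%02X" % b
            for b in line)
        if enc.endswith((" ", "\t")):  # trailing whitespace must be encoded
            enc = enc[:-1] + "=%02X" % ord(enc[-1])
        wire.append(enc)
    return ("\r\n".join(wire) + "\r\n").encode("ascii")

def qp_decode_text(wire: bytes, eol: bytes) -> bytes:
    """Decode text-mode QP, writing each hard line break as `eol`, the
    end-of-line convention of the host doing the decoding."""
    out = bytearray()
    for line in wire.split(b"\r\n")[:-1]:
        soft = line.endswith(b"=")  # "=" at end of line is a soft break
        if soft:
            line = line[:-1]
        out += re.sub(rb"=([0-9A-F]{2})",
                      lambda m: bytes([int(m.group(1), 16)]), line)
        if not soft:
            out += eol
    return bytes(out)

# Constructed sample: a small DOS-format (CRLF) text attachment.
DOS_FILE = b"Pedido 42\r\nTotal = 100,00\r\nFim\r\n"
UNIX_FILE = DOS_FILE.replace(b"\r\n", b"\n")

def compare() -> dict:
    wire = qp_encode_text(DOS_FILE)
    rebuilt = qp_decode_text(wire, eol=b"\n")  # decoded on a Unix host
    return {
        "same_wire": wire == qp_encode_text(UNIX_FILE),
        "qp_rebuilt": rebuilt,
        "qp_size_change": len(rebuilt) - len(DOS_FILE),
        "base64_intact": base64.b64decode(base64.b64encode(DOS_FILE)) == DOS_FILE,
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

The size change is one byte per line, which gives a quick check when comparing a sent attachment with the received copy.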