New phishing tactic falling through the net

Julian Field MailScanner at ecs.soton.ac.uk
Tue Feb 22 13:50:43 GMT 2005


John Wilcock wrote:

> Julian Field wrote:
>
>> Message.pm patch attached which implements this trap. That was a
>> toughie, took me 45 minutes!
>
>
> Not sure whether you're being sarcastic about the toughness or not :-)

No, it was pretty nasty.

> Anyway, it doesn't seem to be working properly.

Damn, the example you sent me before worked just fine. Can you try that
example and see if it works for you?

The other thought is why don't I just ban imagemaps altogether. They
could be disarmed like everything else. Does anyone really need
imagemaps in email messages?

Thoughts?

>
> I sent it the following (telnetting in and making it up as I go along!):
>
>> <a href="http://www.example.yourbank.com/">
>> <map name="mymap"><area coords="0,0,100,100" shape="rect"
>> href="http://www.example.phisher.com/hook"></map>
>> <img src="http://whatever" usemap="#mymap"></a>
>
I just tried this one and it worked for me.
I got this:
<a href="http://www.example.yourbank.com/"><font
color="red"><b>MailScanner has detected a possible fraud attempt from
"www.example.phisher.com" claiming to be </b></font>
<map name="mymap"><area coords="0,0,100,100" shape="rect"
href="http://www.example.phisher.com/hook"></map>
<img src="http://whatever" usemap="#mymap"></a>

>>
>
> MS clearly noticed *something*, because there's an extra </map> in what
> I got back:
>
>> <a href="http://www.example.yourbank.com/"></map>
>> <map name="mymap"><area coords="0,0,100,100" shape="rect"
>> href="http://www.example.phisher.com/hook">
>> <img src="http://whatever" usemap="#mymap"></a>
>
>
> John.
>
> --
> -- Over 2500 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages    - www.tradoc.fr
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
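
The check discussed in this thread, as an added Python example that is not MailScanner's Message.pm code and not part of the original message: it reports image-map areas whose host differs from the link wrapped around the mapped image. The function and class names, the exact-hostname comparison and the lenient map-name matching are assumptions; it also resolves maps defined outside the link, which goes beyond the test case in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
SAMPLE = (  # the test message quoted in the thread above
    '<a href="http://www.example.yourbank.com/">'
    '<map name="mymap"><area coords="0,0,100,100" shape="rect" '
    'href="http://www.example.phisher.com/hook"></map>'
    '<img src="http://whatever" usemap="#mymap"></a>')

def host(url):
    """Lower-cased hostname of a URL, or None when it has none."""
    try:
        return (urlparse(url or "").hostname or "").lower() or None
    except ValueError:              # malformed netloc, e.g. "http://[x"
        return None

class ImagemapCheck(HTMLParser):
    """Collects <map> areas and mapped images that sit inside a link."""
    def __init__(self):
        super().__init__()
        self.anchor = None          # href of the <a> we are inside
        self.cur_map = None         # name of the <map> we are inside
        self.maps = {}              # map name -> [area hrefs]
        self.uses = []              # (enclosing link href, map name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchor = a["href"]
        elif tag == "map":          # names matched leniently (assumption)
            self.cur_map = (a.get("name") or a.get("id") or "").lower()
            self.maps.setdefault(self.cur_map, [])
        elif tag == "area" and self.cur_map is not None and a.get("href"):
            self.maps[self.cur_map].append(a["href"])
        elif tag == "img" and a.get("usemap") and self.anchor:
            self.uses.append((self.anchor, a["usemap"].lstrip("#").lower()))

    def handle_endtag(self, tag):
        if tag == "a":
            self.anchor = None
        elif tag == "map":          # a stray </map> is harmless here
            self.cur_map = None

def imagemap_mismatches(html):
    """(link host, area host) pairs where an area leaves the link's host."""
    p = ImagemapCheck()
    p.feed(html)
    p.close()
    return [(host(link), host(href))
            for link, name in p.uses for href in p.maps.get(name, [])
            if host(href) and host(href) != host(link)]
```

Because areas are collected from the opening `<map>` tag onward, the result is the same for the variant with the misplaced `</map>` quoted above.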
