phishing net suggestion

Mark Nienberg mark at TIPPINGMAR.COM
Wed Feb 23 05:59:46 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Darn.  Thanks for trying.  I guess I don't really understand how it
works.  I thought you were able to extract the information like you do
for the log.  Example:

Feb 22 21:51:42 gingham MailScanner[8357]: Found phishing fraud from
www.tippingmar.com claiming to be www.bank.com in j1N5pX2u008366

In this example you have both the display link and the actual link.

--Mark

Julian Field wrote:

> I've just taken a look at this problem. It would be a real pig to
> implement this. The way the HTML parser works makes this almost
> impossible, and I'm not about to rewrite someone else's entire HTML
> parser to use a different data structure.
>
> Sorry.
>
> The problem I hit was that getting rid of the opening <a> tag pointing
> to the phishing site cannot be removed. I managed pretty much all the
> rest of it. :-(
>
> Mark Nienberg wrote:
>
>> Hmm.  Maybe.  I'm currently running 4.37.7.  Are there more options in
>> the latest version or should I just play with the two settings in
>> "languages.conf" (PossibleFraudStart and PossibleFraudEnd)?
>>
>> Julian Field wrote:
>>
>>> Good idea. How much of this can actually be achieved by customising the
>>> currently available options and text strings (languages.conf) ?
>>>
>>> Mark Nienberg wrote:
>>>
>>>> Is there any chance an option could be added to the phishing net
>>>> feature
>>>> so when MailScanner dectects something like this:
>>>>
>>>> <a href="http://www.phishing.link">http://www.display.link</a>
>>>>
>>>> it replaces it with somethng like this:
>>>>
>>>> <a
>>>> href="http://www.mydomain.com/warning.php?link=www.phishing.link&display=www.display.link">http://www.display.link</a>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Then, if the user clicks on the link, he or she will be taken to a
>>>> dynamically generated (php or a perl cgi) page on our own website that
>>>> will explain the potential phishing attack, show the link as it
>>>> displays, and show the actual link.  It could include a working
>>>> link to
>>>> the actual link in case the user really wants to go there (or in
>>>> case of
>>>> false positive).  Help desk info, etc could also be included.
>>>>
>>>> It has the advantage that false positives are not even noticeable
>>>> unless
>>>> the user clicks on the link.  It allows a much better explanation of
>>>> what the possible problem is.  It could include links to general
>>>> information on the internet regarding phishing, etc.
>>>>
>>>> I suppose someone who runs a high volume website could even have a
>>>> generic page for other mailscaner admins to use if they don't have
>>>> their
>>>> own webserver set up.
>>>>
>>
>>
>> --
>> Mark Nienberg, SE
>> Tipping Mar + associates
>> 1906 Shattuck Ave
>> Berkeley, CA 94704
>> http://www.tippingmar.com
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list