Phishing detection and outbind:

[Paul Haldane]

We've got an issue (I don't like to call it a problem because MailScanner is doing the right thing :->) with messages from Outlook
clients (I believe it's always Outlook) containing things like www.ncl.ac.uk (as opposed to properly formed URLs like
http://www.ncl.ac.uk/) and the phishing detection code.


Here's an example (after going passing through MailScanner - haven't yet managed to capture an untouched version) ...

>programme has been developed. This is available on the website - 
><outbind://22/www.ncl.ac.uk/internal/e2r>
>MailScanner has detected a possible fraud attempt from "outbind:" 
>claiming to be www.ncl.ac.uk/internal/e2r

I've tried (quite hard) to persuade Outlook to generate messages containing outbind hrefs but haven't yet managed so either it's not
as simple as I thought or the version/setup of Outlook I'm using doesn't do it.

Does anyone know exactly how to provoke this behaviour (and by implication how to avoid it)?

Would it be sensible/possible to treat this sort of URL specially (stripping off ^outbind://\d+/ ?) so that the phishing code is
happy with it?

Paul
-- 
Paul Haldane
Unix Systems, Information Systems and Services, University of Newcastle upon Tyne

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!