Phishing detection and outbind:

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jul 21 19:36:23 IST 2005



I've added it, it will be in the next release.

Paul Haldane wrote:

>4.43.2-1 (it's the systems that Quentin looks after - I just happen to be interested in this particular question :->).
>
>Paul
>
>  
>
>>-----Original Message-----
>>From: Julian Field
>>Sent: 21 July 2005 16:40
>>To: MailScanner mailing list
>>
>>What version of MailScanner are you using?
>>
>>On 21 Jul 2005, at 11:53, Paul Haldane wrote:
>>
>>>We've got an issue (I don't like to call it a problem because
>>>MailScanner is doing the right thing :->) with messages from Outlook
>>>clients (I believe it's always Outlook) containing things like
>>>www.ncl.ac.uk (as opposed to properly formed URLs like
>>>http://www.ncl.ac.uk/) and the phishing detection code.
>>>
>>>Here's an example (after passing through MailScanner - haven't
>>>yet managed to capture an untouched version) ...
>>>
>>>>programme has been developed. This is available on the website - 
>>>><outbind://22/www.ncl.ac.uk/internal/e2r>
>>>>MailScanner has detected a possible fraud attempt from "outbind:"
>>>>claiming to be www.ncl.ac.uk/internal/e2r
>>>
>>>I've tried (quite hard) to persuade Outlook to generate messages
>>>containing outbind hrefs but haven't yet managed so either it's not as
>>>simple as I thought or the version/setup of Outlook I'm using doesn't
>>>do it.
>>>
>>>Does anyone know exactly how to provoke this behaviour (and by
>>>implication how to avoid it)?
>>>
>>>Would it be sensible/possible to treat this sort of URL specially
>>>(stripping off ^outbind://\d+/ ?) so that the phishing code is happy
>>>with it?
>>
>>- --
>>Julian Field
>>www.MailScanner.info
>>Buy the MailScanner book at www.MailScanner.info/store PGP 
>>footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>  
>

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
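
The special-casing discussed in this thread, as an added Python example; it is not MailScanner's code and not part of the original message. The names `host_of`, `suspicious_links` and `SAMPLE` are hypothetical, and the HTML is constructed, since the thread has no untouched copy of the message. It shows that stripping `^outbind://\d+/` clears the false positive while a link whose remaining host differs from its visible text is still reported.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Prefix proposed in the thread: Outlook's "outbind://<number>/" wrapper.
OUTBIND_PREFIX = re.compile(r"^outbind://\d+/", re.IGNORECASE)
# Visible link text only counts as a claim when it looks like a host or URL.
LOOKS_LIKE_HOST = re.compile(r"^(\w+://)?[\w-]+(\.[\w-]+)+")

def host_of(value, strip_outbind=True):
    """Return the lower-cased host named by a URL or a bare 'www.x.org/path'."""
    value = value.strip()
    if strip_outbind:
        value = OUTBIND_PREFIX.sub("", value)
    if "://" not in value:
        value = "http://" + value  # bare host, as typed into Outlook
    return (urlsplit(value).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, strip_outbind=True):
    """Return links whose text names a different host than the href does."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.links
            if LOOKS_LIKE_HOST.match(text)
            and host_of(text) != host_of(href, strip_outbind)]

# Constructed sample: the benign link from the thread, then a mismatched one.
SAMPLE = ('<a href="outbind://22/www.ncl.ac.uk/internal/e2r">'
          'www.ncl.ac.uk/internal/e2r</a> '
          '<a href="outbind://22/login.example.net/">www.ncl.ac.uk</a>')

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE):
        print(f"possible fraud: {href!r} claims to be {text!r}")
```

With `strip_outbind=False` the host of an outbind href parses as `22`, so both sample links are reported, which is the false positive described above.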
