Phishing detection and outbind:
Julian Field
MailScanner at ecs.soton.ac.uk
Thu Jul 21 19:36:23 IST 2005
I've added it, it will be in the next release.
Paul Haldane wrote:
>4.43.2-1 (it's the systems that Quentin looks after - I just happen to be interested in this particular question :->).
>
>Paul
>
>
>
>>-----Original Message-----
>>From: Julian Field
>>Sent: 21 July 2005 16:40
>>To: MailScanner mailing list
>>
>>
>>What version of MailScanner are you using?
>>
>>On 21 Jul 2005, at 11:53, Paul Haldane wrote:
>>
>>
>>
>>>We've got an issue (I don't like to call it a problem because
>>>MailScanner is doing the right thing :->) with messages from Outlook
>>>clients (I believe it's always Outlook) containing things like
>>>www.ncl.ac.uk (as opposed to properly formed URLs like
>>>http://www.ncl.ac.uk/) and the phishing detection code.
>>>
>>>
>>>Here's an example (after passing through MailScanner - haven't
>>>yet managed to capture an untouched version) ...
>>>
>>>
>>>
>>>
>>>>programme has been developed. This is available on the website -
>>>><outbind://22/www.ncl.ac.uk/internal/e2r>
>>>>MailScanner has detected a possible fraud attempt from "outbind:"
>>>>claiming to be www.ncl.ac.uk/internal/e2r
>>>>
>>>>
>>>>
>>>I've tried (quite hard) to persuade Outlook to generate messages
>>>containing outbind hrefs but haven't yet managed so either it's not as
>>>simple as I thought or the version/setup of Outlook I'm using doesn't
>>>do it.
>>>
>>>Does anyone know exactly how to provoke this behaviour (and by
>>>implication how to avoid it)?
>>>
>>>Would it be sensible/possible to treat this sort of URL specially
>>>(stripping off ^outbind://\d+/ ?) so that the phishing code is happy
>>>with it?
>>>
>>>
>>- --
>>Julian Field
>>www.MailScanner.info
>>Buy the MailScanner book at www.MailScanner.info/store PGP
>>footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
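
The normalisation asked about in the thread, as an added example (not MailScanner's code and not part of the original messages): the `outbind://<digits>/` prefix is stripped before the link target is compared with the visible text, so the quoted Outlook link stops being flagged while a real mismatch still is. The host comparison is a simplified stand-in for a phishing check, and the function names and the second sample link are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Prefix quoted in the thread: outbind://22/www.ncl.ac.uk/internal/e2r
OUTBIND_PREFIX = re.compile(r"^outbind://\d+/", re.IGNORECASE)
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Visible text that itself claims to be a host or URL.
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#]|$)", re.IGNORECASE
)


def host_of(url, strip_outbind=True):
    """Return the lower-cased host a link points at, or '' if none."""
    url = url.strip()
    if strip_outbind:
        url = OUTBIND_PREFIX.sub("", url, count=1)
    if not SCHEME.match(url):
        url = "http://" + url  # bare "www.example.org/x" form
    return (urlsplit(url).hostname or "").lower()


def is_suspicious(href, text, strip_outbind=True):
    """Flag a link whose visible text names a different host than its href."""
    if not HOSTLIKE.match(text.strip()):
        return False  # plain words such as "click here" cannot be compared
    return host_of(href, strip_outbind) != host_of(text, strip_outbind)


# (href, visible text): first pair is the link from the thread,
# second pair is constructed for this example.
SAMPLES = [
    ("outbind://22/www.ncl.ac.uk/internal/e2r", "www.ncl.ac.uk/internal/e2r"),
    ("outbind://22/login.example.net/e2r", "www.ncl.ac.uk/internal/e2r"),
]


def evaluate(samples=SAMPLES):
    """Return (href, flagged_without_strip, flagged_with_strip) per sample."""
    return [
        (href, is_suspicious(href, text, False), is_suspicious(href, text, True))
        for href, text in samples
    ]


if __name__ == "__main__":
    for href, before, after in evaluate():
        print(f"{href}: without strip={before}, with strip={after}")
```

Stripping only the anchored prefix and then running the same comparison keeps the check meaningful: the prefix is not treated as a reason to skip the link.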