Message strangeness from ZDnet

James Gray james at GRAYONLINE.ID.AU
Thu Mar 17 03:28:47 GMT 2005



I subscribe to a couple of ZDnet newsletters.  Unfortunately, they are
being screwed up by "something" and I'm pretty sure that "something" is
MailScanner.  By screwed up I mean this:
http://files.grayonline.id.au/screen-shot.png  (158Kb)

In short - the text for each story has been wiped out :(  When I look at the
message source, all the story texts have been replaced with either:
<!-- //# -->   or
<!-- # -->

The only things MailScanner picked up were a phishing fraud (but that was
displayed properly), and something about disarming HTML.

Here's what the mail log says (host, process name and PID edited out):
Mar 17 13:42:23 New Batch: Scanning 1 messages, 23008 bytes
Mar 17 13:42:23 MCP Checks completed at 23008 bytes per second
Mar 17 13:42:23 Spam Checks: Starting
Mar 17 13:42:23 Message 1DBkxp-0005DE-00 from 210.193.131.43
                (newsletters at newsletters.zdnet.com.au) is whitelisted
Mar 17 13:42:32 Message 1DBkxp-0005DE-00 from 210.193.131.43
                (newsletters at newsletters.zdnet.com.au) to grayonline.id.au
                is not spam (whitelisted), SpamAssassin (score=-10.663,
                required 5, autolearn=not spam, AWL 2.86, BAYES_00 -2.60,
                FROM_ZDNET_AU -15.00, HTML_80_90 0.15, HTML_FONT_BIG 0.14,
                HTML_FONT_INVISIBLE 0.04, HTML_MESSAGE 0.00, MIME_HTML_ONLY
                0.18, URI_PROMO_ADJ 0.61, URI_REDIRECTOR 0.01,
                URI_SUS_DYNAMIC 2.96)
Mar 17 13:42:32 Spam Checks completed at 2556 bytes per second
Mar 17 13:42:32 Virus and Content Scanning: Starting
Mar 17 13:42:34 Virus Scanning completed at 11504 bytes per second
Mar 17 13:42:34 Found phishing fraud from chkpt.zdnet.com claiming to be
                www.aiia.com.au in 1DBkxp-0005DE-00
Mar 17 13:42:34 Content Checks: Detected and have disarmed HTML message in
                1DBkxp-0005DE-00 from newsletters at newsletters.zdnet.com.au
Mar 17 13:42:34 Uninfected: Delivered 1 messages
Mar 17 13:42:34 Virus Processing completed at 23008 bytes per second
Mar 17 13:42:34 Disinfection completed at 23008 bytes per second
Mar 17 13:42:34 Batch completed at 2091 bytes per second (23008 / 11)

Notice the "Content Checks:" at 13:42:34 - what did it disarm and how do I
stop it?  I know this will involve a set of rules but which option in
MailScanner.conf controls it??  I've added the "chkpt.zdnet.com" to the
phishing.safe.sites.conf but I have to wait for the next newsletter to see
if that fixes anything.

All thoughts, observations and suggestions welcome :)

Cheers,

James
--
He had that rare weird electricity about him -- that extremely wild and
heavy presence that you only see in a person who has abandoned all hope
of ever behaving "normally."
                -- Hunter S. Thompson, "Fear and Loathing '72"
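
Added example (not part of the post above and not MailScanner code): the Python below unfolds wrapped log entries like the ones quoted in the message, groups them by message ID, and lists messages that the spam checks whitelisted but that still triggered the phishing or HTML-disarm content checks. The function names and the 6-6-2 queue-ID pattern are assumptions made for this example; the sample lines are copied from the log in the post.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpt in the post (wrapped as posted).
SAMPLE_LOG = """\
Mar 17 13:42:23 Message 1DBkxp-0005DE-00 from 210.193.131.43
                (newsletters at newsletters.zdnet.com.au) is whitelisted
Mar 17 13:42:34 Found phishing fraud from chkpt.zdnet.com claiming to be
                www.aiia.com.au in 1DBkxp-0005DE-00
Mar 17 13:42:34 Content Checks: Detected and have disarmed HTML message in
                1DBkxp-0005DE-00 from newsletters at newsletters.zdnet.com.au
Mar 17 13:42:34 Uninfected: Delivered 1 messages
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Assumption: queue IDs have the 6-6-2 shape seen in the post.
MSG_ID = re.compile(r"\b[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}\b")
EVENTS = [
    ("whitelisted", re.compile(r"is whitelisted$")),
    ("phishing", re.compile(r"Found phishing fraud from (\S+) claiming to be (\S+)")),
    ("disarmed", re.compile(r"Content Checks: Detected and have disarmed HTML message")),
]

def unfold(text):
    """Join indented continuation lines onto the timestamped entry above them."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.rstrip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Map message ID -> ordered list of (event tag, captured details)."""
    per_msg = defaultdict(list)
    for entry in unfold(text):
        ids = MSG_ID.findall(entry)
        for tag, pat in EVENTS:
            m = pat.search(entry)
            if m and ids:
                per_msg[ids[0]].append((tag, m.groups()))
    return dict(per_msg)

def whitelisted_but_checked(text):
    """IDs that were spam-whitelisted yet still hit a content check."""
    out = []
    for mid, events in triage(text).items():
        tags = {t for t, _ in events}
        if "whitelisted" in tags and tags & {"phishing", "disarmed"}:
            out.append(mid)
    return sorted(out)
```
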
