Message strangeness from ZDnet

Julian Field MailScanner at ecs.soton.ac.uk
Thu Mar 17 07:52:20 GMT 2005



My best guess is that they were either part of a form, or were IFrames.
As shipped, MailScanner disarms IFrames (they have been used in *so*
many attacks!). You can set more of the "Log" options to "yes" to see
more in your logs.

The phishing fraud detector did exactly what it was supposed to, and yes
you probably should just add chkpt.zdnet.com to your
phishing.safe.sites.conf file.

James Gray wrote:

>I subscribe to a couple of ZDnet newsletters.  Unfortunately, they are
>being screwed up by "something" and I'm pretty sure that "something" is
>MailScanner.  By screwed up I mean this:
>http://files.grayonline.id.au/screen-shot.png  (158Kb)
>
>In short - the text for each story has been wiped out :(  When I look at the
>message source, all the story texts have been replaced with either:
><!-- //# -->   or
><!-- # -->
>
>The only things MailScanner picked up were a phishing fraud (but that was
>displayed properly), and something about disarming HTML.
>
>Here's what the mail log says (host, process name and PID edited out):
>Mar 17 13:42:23 New Batch: Scanning 1 messages, 23008 bytes
>Mar 17 13:42:23 MCP Checks completed at 23008 bytes per second
>Mar 17 13:42:23 Spam Checks: Starting
>Mar 17 13:42:23 Message 1DBkxp-0005DE-00 from 210.193.131.43
>                (newsletters at newsletters.zdnet.com.au) is whitelisted
>Mar 17 13:42:32 Message 1DBkxp-0005DE-00 from 210.193.131.43
>                (newsletters at newsletters.zdnet.com.au) to grayonline.id.au
>                is not spam (whitelisted), SpamAssassin (score=-10.663,
>                required 5, autolearn=not spam, AWL 2.86, BAYES_00 -2.60,
>                FROM_ZDNET_AU -15.00, HTML_80_90 0.15, HTML_FONT_BIG 0.14,
>                HTML_FONT_INVISIBLE 0.04, HTML_MESSAGE 0.00, MIME_HTML_ONLY
>                0.18, URI_PROMO_ADJ 0.61, URI_REDIRECTOR 0.01,
>                URI_SUS_DYNAMIC 2.96)
>Mar 17 13:42:32 Spam Checks completed at 2556 bytes per second
>Mar 17 13:42:32 Virus and Content Scanning: Starting
>Mar 17 13:42:34 Virus Scanning completed at 11504 bytes per second
>Mar 17 13:42:34 Found phishing fraud from chkpt.zdnet.com claiming to be
>                www.aiia.com.au in 1DBkxp-0005DE-00
>Mar 17 13:42:34 Content Checks: Detected and have disarmed HTML message in
>                1DBkxp-0005DE-00 from newsletters at newsletters.zdnet.com.au
>Mar 17 13:42:34 Uninfected: Delivered 1 messages
>Mar 17 13:42:34 Virus Processing completed at 23008 bytes per second
>Mar 17 13:42:34 Disinfection completed at 23008 bytes per second
>Mar 17 13:42:34 Batch completed at 2091 bytes per second (23008 / 11)
>
>Notice the "Content Checks:" at 13:42:34 - what did it disarm and how do I
>stop it?  I know this will involve a set of rules but which option in
>MailScanner.conf controls it??  I've added the "chkpt.zdnet.com" to the
>phishing.safe.sites.conf but I have to wait for the next newsletter to see
>if that fixes anything.
>
>All thoughts, observations and suggestions welcome :)
>
>Cheers,
>
>James
>--
>He had that rare weird electricity about him -- that extremely wild and
>heavy presence that you only see in a person who has abandoned all hope
>of ever behaving "normally."
>                -- Hunter S. Thompson, "Fear and Loathing '72"
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
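The two checks the log in the thread reports, as an added illustration (my Python, not MailScanner's own Perl): a link whose visible text names one host while its href leads to another is reported in the log's wording unless the real host is in a safe-sites set standing in for phishing.safe.sites.conf, and iframes are replaced with a comment placeholder. The HTML fragment, the safe-sites set, the placeholder text and the 192.0.2.10 address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Trusted hosts (constructed); stands in for the thread's phishing.safe.sites.conf.
SAFE_SITES = {"chkpt.zdnet.com"}

# Heuristic: does the visible link text itself look like a hostname or URL?
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:[/?#].*)?$")

# Constructed fragment: tracked link naming another site, plain link, deceptive link, iframe.
SAMPLE_HTML = """<p>Story <a href="http://chkpt.zdnet.com/click?id=1">www.aiia.com.au</a></p>
<p><a href="http://newsletters.zdnet.com.au/story/2">Read more</a></p>
<p><a href="http://192.0.2.10/login">www.bank.example</a></p>
<iframe src="http://192.0.2.10/ad"></iframe>"""

def host_in_text(text):
    """Return the hostname the link text claims, or None for ordinary prose."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None

class LinkCollector(HTMLParser):
    """Collects (real href host, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._host, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._host, self._text = (urlparse(href).hostname or "").lower(), []
    def handle_data(self, data):
        if self._host is not None:       # we are inside <a> ... </a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._host is not None:
            self.links.append((self._host, "".join(self._text)))
            self._host = None

def find_phishing(html, safe_sites=SAFE_SITES):
    """Report links whose visible host differs from the host actually linked to."""
    p = LinkCollector()
    p.feed(html)
    return [f"Found phishing fraud from {real} claiming to be {claimed}"
            for real, text in p.links
            if (claimed := host_in_text(text)) and real and claimed != real and real not in safe_sites]

def disarm_iframes(html):
    """Replace each <iframe> with a comment placeholder so the client never renders it."""
    return re.sub(r"<iframe\b.*?(?:/>|</iframe\s*>)", "<!-- iframe disarmed -->",
                  html, flags=re.I | re.S)
```

With an empty safe-sites set the first link produces exactly the log line James saw; with chkpt.zdnet.com listed, only the deceptive link remains.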
