Message strangeness from ZDnet

Rakesh rakesh at NETCORE.CO.IN
Fri Mar 18 06:17:40 GMT 2005



Well, just an alert: whitelisting chkpt.zdnet.com in your
phishing.safe.sites.conf might be a bit risky. I just came across this
link, which serves as an open redirector for chkpt.zdnet.com. Just click on
the link below to get redirected to the MailScanner site from ZDnet.
You can also replace www.mailscanner.info with your favourite site to
get the redirection. MailScanner phishing fraud is probably doing the
right thing in trapping this kind of redirector.

http://chkpt.zdnet.com/chkpt/wenot/www.mailscanner.info/


Till this redirector is fixed, whitelisting it may be a bit risky.

Julian Field wrote:

> My best guess is that they were either part of a form, or were IFrames.
> As shipped, MailScanner disarms IFrames (they have been used in *so*
> many attacks!). You can set more of the "Log" options to "yes" to see
> more in your logs.
>
> The phishing fraud detector did exactly what it was supposed to, and yes
> you probably should just add chkpt.zdnet.com to your
> phishing.safe.sites.conf file.
>
> James Gray wrote:
>
>> I subscribe to a couple of ZDnet news letters.  Unfortunately, they are
>> being screwed up by "something" and I'm pretty sure that "something" is
>> MailScanner.  By screwed up I mean this:
>> http://files.grayonline.id.au/screen-shot.png  (158Kb)
>>
>> In short - the text for each story has been wiped out :(  When I look
>> at the message source, all the story texts have been replaced with either:
>> <!-- //# -->   or
>> <!-- # -->
>>
>> The only things MailScanner picked up were a phishing fraud (but that
>> was displayed properly), and something about disarming HTML.
>>
>> Mar 17 13:42:34 Found phishing fraud from chkpt.zdnet.com claiming to be
>>                www.aiia.com.au in 1DBkxp-0005DE-00
>> Mar 17 13:42:34 Content Checks: Detected and have disarmed HTML message in
>>                1DBkxp-0005DE-00 from newsletters at newsletters.zdnet.com.au
>>
>> Notice the "Content Checks:" at 13:42:34 - what did it disarm and how
>> do I stop it?  I know this will involve a set of rules but which option in
>> MailScanner.conf controls it??  I've added the "chkpt.zdnet.com" to the
>> phishing.safe.sites.conf but I have to wait for the next news letter
>> to see if that fixes anything.
>

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.

========================================================================
"First they ignore you. Then they laugh at you.
Then they fight you. Then you win."
                                                - M. Gandhi
========================================================================
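
Added example (not part of the original message and not MailScanner's own code): a minimal Python model of the link-text-versus-target check discussed in this thread, showing why a safe-sites entry for a host that forwards to whatever site is named in its path suppresses the warning for every destination. `SAFE_SITES`, the function names, the `inspect_path` hardening and the `.example` hosts are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed stand-in for the entries of phishing.safe.sites.conf.
SAFE_SITES = {"chkpt.zdnet.com"}
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
FILE_EXT = {"html", "htm", "php", "asp", "gif", "jpg", "png"}

def host_of(text):
    """Hostname of a URL or of bare link text such as 'www.example.com'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def embedded_hosts(url):
    """Hostnames carried in the path or query, i.e. candidate redirect targets.
    Heuristic: tokens ending in a common file extension are ignored."""
    parts = urlparse(unquote(url))
    tokens = re.split(r"[/?&=:]+", (parts.path + "?" + parts.query).lower())
    return [t for t in tokens
            if HOST_RE.match(t) and t.rsplit(".", 1)[1] not in FILE_EXT]

def check_link(href, shown, safe_sites=SAFE_SITES, inspect_path=False):
    """Return 'ok' or 'fraud' for one <a href=HREF>SHOWN</a> pair."""
    real, claimed = host_of(href), host_of(shown)
    if not HOST_RE.match(claimed) or real == claimed:
        return "ok"      # text is not a hostname, or it matches the target
    if real not in safe_sites:
        return "fraud"   # text names one host, link goes to another
    if not inspect_path:
        return "ok"      # plain whitelist: host trusted, path never examined
    # Hardened variant (assumption): a safe host that forwards to a site
    # named in its path is trusted only if that site matches the link text.
    return "ok" if all(t == claimed for t in embedded_hosts(href)) else "fraud"
```

With `inspect_path=True` the newsletter's own tracking links still pass, while a link whose text names one site and whose path names another is flagged even though the host is on the safe list.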
