Phishing problem.

Julian Field MailScanner at ecs.soton.ac.uk
Mon Nov 28 11:56:58 GMT 2005



Yes, it's always worth trying. Certainly no reason not to.

On 28 Nov 2005, at 11:44, Tony Enderby wrote:

      Julian,
 
Made the requested change to MailScanner.conf and then attempted to
trigger with a well formed phish and the subject was not modified
to insert (Fraud?)
 
Would running MS in debug mode as Martin suggested be worthwhile?
 
Tony.
      ----- Original Message -----
From: Julian Field
To: MAILSCANNER at JISCMAIL.AC.UK
Sent: Monday, November 28, 2005 10:00 PM
Subject: Re: Phishing problem.

Try setting "Phishing Modify Subject = yes" in
MailScanner.conf and let me know what happens. I have an idea
of what it might be. At some point in the last month or 2,
CVS "lost" an edit (CVS is the package that manages the
source code tree). MessageBatch.pm was therefore missing a
function.
Upgrade to the latest beta and let me know what happens. This
may well fix it.

On 28 Nov 2005, at 10:45, Tony Enderby wrote:

      Hi All,
 
I have read some posts in the list archive regarding
phishing fraud detection and one in particular about a
user who couldn't get the functionality working but
there was no definitive answer so I thought I'd ask
again.
 
I have been unable to get phishing detection to trigger
(insert highlight) with MS v 4.47.4 or the two previous
stable releases. I have dangerous content scanning
set to on and although originally had "find phishing
fraud" set to a ruleset, have also tried hard coding to
"yes" both with the same result.
 
I have tried manually firing the phishing detection by
sending hand coded html email from various external
sources (not on phishing whitelist) with disparate text
and URL links, and also copied examples from various
"phishing sample" websites.  The numeric phishing
detection does also not seem to work with the most
simple email I've compiled and sent containing the
following entry <a href=MailScanner has detected a
possible fraud attempt from "203.203.45.45" claiming to
be numericlinkwarning
http://203.203.45.45>http://www.test.net</a> but MS
lets them through without inserting the warning.
 
The following entries appear in my MailScanner.conf
 
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Highlight Phishing Fraud = yes
 
A copy of terminal output from MailScanner -v is
included below in the hope that maybe I'm missing some
HTML parser module which is required to do the phishing
checks.

Any help would be much appreciated.
 
Tony.
 
This is Perl version 5.008005 (5.8.5)
 
This is MailScanner version 4.47.4
Module versions are:
1.00    AnyDBM_File
1.14    Archive::Zip
1.03    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.14    File::Temp
1.29    HTML::Entities
3.45    HTML::Parser
2.30    HTML::TokeParser
1.21    IO
1.10    IO::File
1.123   IO::Pipe
1.50    Mail::Header
3.05    MIME::Base64
5.417   MIME::Decoder
5.417   MIME::Decoder::UU
5.417   MIME::Head
5.417   MIME::Parser
3.03    MIME::QuotedPrint
5.417   MIME::Tools
0.10    Net::CIDR
1.08    POSIX
1.77    Socket
0.05    Sys::Syslog
1.02    Time::localtime
 
Optional module versions are:
0.17    Convert::TNEF
1.809   DB_File
1.08    Digest
1.01    Digest::HMAC
2.33    Digest::MD5
2.01    Digest::SHA1
missing Inline
missing Mail::ClamAV
3.000004        Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
0.23    Net::DNS
0.31    Net::LDAP
missing Parse::RecDescent
missing SAVI
missing Sys::Hostname::Long
2.42    Test::Harness
0.47    Test::Simple
1.95    Text::Balanced
1.19    URI

------------------------ MailScanner list
------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the
words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki
(http://wiki.mailscanner.info/)
and the archives
(http://www.jiscmail.ac.uk/lists/mailscanner.html). 

Support MailScanner development - buy the book off the
website!


-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415
B654


-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
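
The kind of check Tony is trying to trigger, as an added example (not part of the thread and not MailScanner's own Perl code): flag a link whose href host is a bare IP address, or whose href host differs from a host name shown as the link text. The function names and sample messages are assumptions made for illustration; the first sample is modelled on the numeric test link in the thread.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples; the first is modelled on the test link in the thread.
SAMPLES = [
    '<a href=http://203.203.45.45>http://www.test.net</a>',
    '<a href="http://login.example.net/x">www.example.com</a>',
    '<a href="http://www.example.com/x">Click here</a>',
]

def host_of(text):
    """Host of a URL or bare host name; None when text is not URL-like."""
    text = text.strip()
    if "." not in text or any(c.isspace() for c in text):
        return None
    try:
        return urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None

def classify(real, shown):  # (kind, real, shown) if suspicious, else None
    try:
        ipaddress.ip_address(real)
        return ("numeric", real, shown)
    except ValueError:
        return ("mismatch", real, shown) if shown and shown != real else None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None  # _cur: [href, text] of the open <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._cur:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur))
            self._cur = None

def check_links(html):
    parser = LinkCollector()
    parser.feed(html)
    hits = (classify(host_of(h), host_of(t)) for h, t in parser.links
            if h.lower().startswith(("http://", "https://")) and host_of(h))
    return [hit for hit in hits if hit]
```

Link text that is not itself URL-like ("Click here") is never reported as a mismatch, so only links that display one host while pointing at another, or that point at a raw IP address, are returned.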

