Phishing problem.

Tony Enderby tenderby at MAILWASH.COM.AU
Mon Nov 28 12:07:43 GMT 2005



Julian,
 
Ok, result from debug output at the terminal was this .. if there's
another dump file with debug info in it let me know and I'll post the
output from that.  This terminal output was generated when I sent a
phishing trigger.
 
Starting MailScanner daemons:
         incoming sendmail:                                [  OK  ]
         outgoing sendmail:                                [  OK  ]
         MailScanner:       In Debugging mode, not forking...
SA bayes lock is /root/.spamassassin/bayes.lock
Bayes lock is at /root/.spamassassin/bayes.lock
Net::DNS version is 0.23, but need 0.34dnsavailable-1 at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Dns.pm line 1230.
Done the parse. Counter = 0 and max = 200
commit ineffective with AutoCommit enabled at
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
<CLIENT> line 42.
Commmit ineffective while AutoCommit is on at
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
<CLIENT> line 42.
Stopping now as you are debugging me.
      ----- Original Message -----
From: Julian Field
To: MAILSCANNER at JISCMAIL.AC.UK
Sent: Monday, November 28, 2005 10:56 PM
Subject: Re: Phishing problem.

Yes, it's always worth trying. Certainly no reason not to.
On 28 Nov 2005, at 11:44, Tony Enderby wrote:

      Julian,
 
Made the requested change to MailScanner.conf and then
attempted to trigger with a well formed phish and the subject
was not modified to insert (Fraud?)
 
Would running MS in debug mode as Martin suggested be
worthwhile?
 
Tony.
      ----- Original Message -----
From: Julian Field
To: MAILSCANNER at JISCMAIL.AC.UK
Sent: Monday, November 28, 2005 10:00 PM
Subject: Re: Phishing problem.

Try setting "Phishing Modify Subject = yes" in
MailScanner.conf and let me know what happens. I have
an idea of what it might be. At some point in the last
month or 2, CVS "lost" an edit (CVS is the package that
manages the source code tree). MessageBatch.pm was
therefore missing a function.
Upgrade to the latest beta and let me know what
happens. This may well fix it.

On 28 Nov 2005, at 10:45, Tony Enderby wrote:

      Hi All,
 
I have read some posts in the list archive
regarding phishing fraud detection and one in
particular about a user who couldn't get the
functionality working but there was no definitive
answer so I thought I'd ask again.
 
I have been unable to get phishing detection to
trigger (insert highlight) with MS v 4.47.4 or
the two previous stable releases.   I have
dangerous content scanning set to on and although
originally had 'find phishing fraud' set to a
ruleset, have also tried hard coding to 'yes'
both with the same result.
 
I have tried manually firing the phishing
detection by sending hand coded html email from
various external sources (not on phishing
whitelist) with disparate text and URL links, and
also copied examples from various "phishing
sample" websites.  The numeric phishing detection
also does not seem to work with the most simple
email I've compiled and sent containing the
following entry
<a href=http://203.203.45.45>http://www.test.net</a>
but MS lets them through without inserting the
warning.
 
The following entries appear in my
MailScanner.conf
 
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Highlight Phishing Fraud = yes
 
A copy of terminal output from MailScanner -v is
included below in the hope that maybe I'm missing
some HTML parser module which is required to do
the phishing checks.

Any help would be much appreciated.
 
Tony.
 
This is Perl version 5.008005 (5.8.5)
 
This is MailScanner version 4.47.4
Module versions are:
1.00    AnyDBM_File
1.14    Archive::Zip
1.03    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.73    File::Basename
2.08    File::Copy
2.01    FileHandle
1.06    File::Path
0.14    File::Temp
1.29    HTML::Entities
3.45    HTML::Parser
2.30    HTML::TokeParser
1.21    IO
1.10    IO::File
1.123   IO::Pipe
1.50    Mail::Header
3.05    MIME::Base64
5.417   MIME::Decoder
5.417   MIME::Decoder::UU
5.417   MIME::Head
5.417   MIME::Parser
3.03    MIME::QuotedPrint
5.417   MIME::Tools
0.10    Net::CIDR
1.08    POSIX
1.77    Socket
0.05    Sys::Syslog
1.02    Time::localtime
 
Optional module versions are:
0.17    Convert::TNEF
1.809   DB_File
1.08    Digest
1.01    Digest::HMAC
2.33    Digest::MD5
2.01    Digest::SHA1
missing Inline
missing Mail::ClamAV
3.000004        Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
0.23    Net::DNS
0.31    Net::LDAP
missing Parse::RecDescent
missing SAVI
missing Sys::Hostname::Long
2.42    Test::Harness
0.47    Test::Simple
1.95    Text::Balanced
1.19    URI

------------------------ MailScanner list
------------------------
To unsubscribe,
email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki
(http://wiki.mailscanner.info/)
and the archives
(http://www.jiscmail.ac.uk/lists/mailscanner.html). 

Support MailScanner development - buy the book
off the website!


-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947
1415 B654

