Phishing problem.

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Mon Nov 28 12:31:40 GMT 2005 

Tony

Well for starters upgrade net::DNS to some more modern and you'll get extra
SA checks working...

Then I'd post the URL to the debug out so Jules can peruse it..

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Tony Enderby
> Sent: 28 November 2005 12:08
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Phishing problem.
> 
> Julian,
> 
> Ok, result from debug output at the terminal was this .. if there's
> another dump file with debug info in it let me know and I'll post the
> output from that.  This terminal output was generated when I sent a
> phishing trigger.
> 
> Starting MailScanner daemons:
>          incoming sendmail:                                [  OK  ]
>          outgoing sendmail:                                [  OK  ]
>          MailScanner:       In Debugging mode, not forking...
> SA bayes lock is /root/.spamassassin/bayes.lock
> Bayes lock is at /root/.spamassassin/bayes.lock
> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at
> /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Dns.pm line 1230.
> Done the parse. Counter = 0 and max = 200
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> <CLIENT> line 42.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> <CLIENT> line 42.
> Stopping now as you are debugging me.
> 
> 
> 	----- Original Message -----
> 	From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
> 	To: MAILSCANNER at JISCMAIL.AC.UK
> 	Sent: Monday, November 28, 2005 10:56 PM
> 	Subject: Re: Phishing problem.
> 
> 
> 	Yes, it's always worth trying. Certainly no reason not to.
> 
> 	On 28 Nov 2005, at 11:44, Tony Enderby wrote:
> 
> 
> 
> 		Julian,
> 
> 		Made the requested change to MailScanner.conf and then
> attempted to trigger with a well formed phish and the subject was not
> modified to insert (Fraud?)
> 
> 		Would running MS in debug mode as Martin suggested be
> worthwhile?
> 
> 		Tony.
> 
> 			----- Original Message -----
> 			From: <mailto:MailScanner at ECS.SOTON.AC.UK> Julian
Field
> 			To: <mailto:MAILSCANNER at JISCMAIL.AC.UK>
> MAILSCANNER at JISCMAIL.AC.UK
> 			Sent: Monday, November 28, 2005 10:00 PM
> 			Subject: Re: Phishing problem.
> 
> 			Try setting "Phishing Modify Subject = yes" in
> MailScanner.conf and let me know what happens. I have an idea of what it
> might be. At some point in the last month or 2, CVS "lost" an edit (CVS is
> the package that manages the source code tree). MessageBatch.pm was
> therefore missing a function.
> 
> 			Upgrade to the latest beta and let me know what
happens.
> This may well fix it.
> 
> 			On 28 Nov 2005, at 10:45, Tony Enderby wrote:
> 
> 
> 
> 				Hi All,
> 
> 				I have read some posts in the list archive
> regarding phishing fraud detection and one in particular about a user who
> couldn't get the functionality working but there was no definitive answer
> so I thought I'd ask again.
> 
> 				I have been unable to get phishing detection
to
> trigger (insert highlight) with MS v 4.47.4 or the two previous stable
> releases.   I have dangerous content scanning set to on and although
> originally had 'find phishing fraud" set to a ruleset, have also tried
> hard coding to '"yes" both with the same result.
> 
> 				I have tried manually firing the phishing
> detection by sending hand coded html email from various external sources
> (not on phishing whitelist) with disparate text and URL links, and also
> copied examples from various "phishing sample" websites.  The numeric
> phishing detection does also not seem to work with the most simple email
> I've compiled and sent containing the following entry <a href=
> <http://203.203.45.45> MailScanner has detected a possible fraud attempt
> from "203.203.45.45" claiming to be numericlinkwarning
> http://203.203.45.45> <http://www.test.net> http://www.test.net</a> but MS
> lets them through without inserting the warning.
> 
> 				The folloing entries appears in my
> MailScanner.conf
> 
> 				Find Phishing Fraud = yes
> 				Also Find Numeric Phishing = yes
> 				Highlight Phishing Fraud = yes
> 
> 				A copy of terminal output from MailScanner
-v is
> included below in the hope that maybe I'm missing some HTML parser module
> which is required to do the phishing checks.
> 
> 
> 				Any help would be much appreciated.
> 
> 				Tony.
> 
> 				This is Perl version 5.008005 (5.8.5)
> 
> 				This is MailScanner version 4.47.4
> 				Module versions are:
> 				1.00    AnyDBM_File
> 				1.14    Archive::Zip
> 				1.03    Carp
> 				1.119   Convert::BinHex
> 				1.00    DirHandle
> 				1.05    Fcntl
> 				2.73    File::Basename
> 				2.08    File::Copy
> 				2.01    FileHandle
> 				1.06    File::Path
> 				0.14    File::Temp
> 				1.29    HTML::Entities
> 				3.45    HTML::Parser
> 				2.30    HTML::TokeParser
> 				1.21    IO
> 				1.10    IO::File
> 				1.123   IO::Pipe
> 				1.50    Mail::Header
> 				3.05    MIME::Base64
> 				5.417   MIME::Decoder
> 				5.417   MIME::Decoder::UU
> 				5.417   MIME::Head
> 				5.417   MIME::Parser
> 				3.03    MIME::QuotedPrint
> 				5.417   MIME::Tools
> 				0.10    Net::CIDR
> 				1.08    POSIX
> 				1.77    Socket
> 				0.05    Sys::Syslog
> 				1.02    Time::localtime
> 
> 				Optional module versions are:
> 				0.17    Convert::TNEF
> 				1.809   DB_File
> 				1.08    Digest
> 				1.01    Digest::HMAC
> 				2.33    Digest::MD5
> 				2.01    Digest::SHA1
> 				missing Inline
> 				missing Mail::ClamAV
> 				3.000004        Mail::SpamAssassin
> 				missing Mail::SPF::Query
> 				missing Net::CIDR::Lite
> 				0.23    Net::DNS
> 				0.31    Net::LDAP
> 				missing Parse::RecDescent
> 				missing SAVI
> 				missing Sys::Hostname::Long
> 				2.42    Test::Harness
> 				0.47    Test::Simple
> 				1.95    Text::Balanced
> 				1.19    URI
> 
> 
> 				------------------------ MailScanner list
--------
> ----------------
> 				To unsubscribe, email
jiscmail at jiscmail.ac.uk with
> the words:
> 				'leave mailscanner' in the body of the
email.
> 				Before posting, read the Wiki (
> <http://wiki.mailscanner.info/> http://wiki.mailscanner.info/)
> 				and the archives (
> <http://www.jiscmail.ac.uk/lists/mailscanner.html>
> http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> 				Support MailScanner development - buy the
book off
> the website!
> 
> 
> 
> 			--
> 			Julian Field
> 			www.MailScanner.info
> 			Buy the MailScanner book at
> <http://www.MailScanner.info/store> www.MailScanner.info/store
> 			PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6
5947
> 1415 B654
> 
> 
> 			------------------------ MailScanner list
--------------
> ----------
> 			To unsubscribe, email jiscmail at jiscmail.ac.uk with
the
> words:
> 			'leave mailscanner' in the body of the email.
> 			Before posting, read the Wiki (
> <http://wiki.mailscanner.info/> http://wiki.mailscanner.info/)
> 			and the archives (
> <http://www.jiscmail.ac.uk/lists/mailscanner.html>
> http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> 			Support MailScanner development - buy the book off
the
> website!
> 
> 
> 
> 		------------------------ MailScanner list
--------------------
> ----
> 		To unsubscribe, email jiscmail at jiscmail.ac.uk with the
words:
> 		'leave mailscanner' in the body of the email.
> 		Before posting, read the Wiki (
> <http://wiki.mailscanner.info/> http://wiki.mailscanner.info/)
> 		and the archives (
> <http://www.jiscmail.ac.uk/lists/mailscanner.html>
> http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> 		Support MailScanner development - buy the book off the
> website!
> 
> 
> 
> 	--
> 	Julian Field
> 	www.MailScanner.info
> 	Buy the MailScanner book at www.MailScanner.info/store
> 	PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> 
> 
> 	------------------------ MailScanner list ------------------------
> 	To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 	'leave mailscanner' in the body of the email.
> 	Before posting, read the Wiki (http://wiki.mailscanner.info/)
> 	and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> 	Support MailScanner development - buy the book off the website!
> 
> 
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/)
> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!



**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list