Phishing problem.

Tony Enderby tenderby at MAILWASH.COM.AU
Mon Nov 28 13:02:44 GMT 2005



Martin,

Updating said perl module at the moment and please excuse my ignorance but 
where does MS dump debug info?

Tony.
----- Original Message ----- 
From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, November 28, 2005 11:31 PM
Subject: Re: Phishing problem.


> Tony
>
> Well for starters upgrade Net::DNS to something more modern and you'll get
> extra SA checks working...
>
> Then I'd post the URL to the debug out so Jules can peruse it..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> Behalf Of Tony Enderby
>> Sent: 28 November 2005 12:08
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: [MAILSCANNER] Phishing problem.
>>
>> Julian,
>>
>> Ok, result from debug output at the terminal was this .. if there's
>> another dump file with debug info in it let me know and I'll post the
>> output from that.  This terminal output was generated when I sent a
>> phishing trigger.
>>
>> Starting MailScanner daemons:
>>          incoming sendmail:                                [  OK  ]
>>          outgoing sendmail:                                [  OK  ]
>>          MailScanner:       In Debugging mode, not forking...
>> SA bayes lock is /root/.spamassassin/bayes.lock
>> Bayes lock is at /root/.spamassassin/bayes.lock
>> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at
>> /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Dns.pm line 1230.
>> Done the parse. Counter = 0 and max = 200
>> commit ineffective with AutoCommit enabled at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> <CLIENT> line 42.
>> Commmit ineffective while AutoCommit is on at
>> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> <CLIENT> line 42.
>> Stopping now as you are debugging me.
>>
>>
>> ----- Original Message -----
>> From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Sent: Monday, November 28, 2005 10:56 PM
>> Subject: Re: Phishing problem.
>>
>>
>> Yes, it's always worth trying. Certainly no reason not to.
>>
>> On 28 Nov 2005, at 11:44, Tony Enderby wrote:
>>
>>
>>
>> Julian,
>>
>> Made the requested change to MailScanner.conf and then
>> attempted to trigger with a well formed phish and the subject was not
>> modified to insert (Fraud?)
>>
>> Would running MS in debug mode as Martin suggested be
>> worthwhile?
>>
>> Tony.
>>
>> ----- Original Message -----
>> From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Sent: Monday, November 28, 2005 10:00 PM
>> Subject: Re: Phishing problem.
>>
>> Try setting "Phishing Modify Subject = yes" in
>> MailScanner.conf and let me know what happens. I have an idea of what it
>> might be. At some point in the last month or 2, CVS "lost" an edit (CVS is
>> the package that manages the source code tree). MessageBatch.pm was
>> therefore missing a function.
>>
>> Upgrade to the latest beta and let me know what happens.
>> This may well fix it.
>>
>> On 28 Nov 2005, at 10:45, Tony Enderby wrote:
>>
>>
>>
>> Hi All,
>>
>> I have read some posts in the list archive
>> regarding phishing fraud detection and one in particular about a user who
>> couldn't get the functionality working but there was no definitive answer
>> so I thought I'd ask again.
>>
>> I have been unable to get phishing detection to
>> trigger (insert highlight) with MS v 4.47.4 or the two previous stable
>> releases.   I have dangerous content scanning set to on and although
>> originally had 'find phishing fraud' set to a ruleset, have also tried
>> hard coding to "yes" both with the same result.
>>
>> I have tried manually firing the phishing
>> detection by sending hand coded html email from various external sources
>> (not on phishing whitelist) with disparate text and URL links, and also
>> copied examples from various "phishing sample" websites.  The numeric
>> phishing detection does also not seem to work with the most simple email
>> I've compiled and sent containing the following entry
>> <a href="http://203.203.45.45">http://www.test.net</a> but MS
>> lets them through without inserting the warning.
>>
>> The following entries appear in my
>> MailScanner.conf
>>
>> Find Phishing Fraud = yes
>> Also Find Numeric Phishing = yes
>> Highlight Phishing Fraud = yes
>>
>> A copy of terminal output from MailScanner -v is
>> included below in the hope that maybe I'm missing some HTML parser module
>> which is required to do the phishing checks.
>>
>>
>> Any help would be much appreciated.
>>
>> Tony.
>>
>> This is Perl version 5.008005 (5.8.5)
>>
>> This is MailScanner version 4.47.4
>> Module versions are:
>> 1.00    AnyDBM_File
>> 1.14    Archive::Zip
>> 1.03    Carp
>> 1.119   Convert::BinHex
>> 1.00    DirHandle
>> 1.05    Fcntl
>> 2.73    File::Basename
>> 2.08    File::Copy
>> 2.01    FileHandle
>> 1.06    File::Path
>> 0.14    File::Temp
>> 1.29    HTML::Entities
>> 3.45    HTML::Parser
>> 2.30    HTML::TokeParser
>> 1.21    IO
>> 1.10    IO::File
>> 1.123   IO::Pipe
>> 1.50    Mail::Header
>> 3.05    MIME::Base64
>> 5.417   MIME::Decoder
>> 5.417   MIME::Decoder::UU
>> 5.417   MIME::Head
>> 5.417   MIME::Parser
>> 3.03    MIME::QuotedPrint
>> 5.417   MIME::Tools
>> 0.10    Net::CIDR
>> 1.08    POSIX
>> 1.77    Socket
>> 0.05    Sys::Syslog
>> 1.02    Time::localtime
>>
>> Optional module versions are:
>> 0.17    Convert::TNEF
>> 1.809   DB_File
>> 1.08    Digest
>> 1.01    Digest::HMAC
>> 2.33    Digest::MD5
>> 2.01    Digest::SHA1
>> missing Inline
>> missing Mail::ClamAV
>> 3.000004        Mail::SpamAssassin
>> missing Mail::SPF::Query
>> missing Net::CIDR::Lite
>> 0.23    Net::DNS
>> 0.31    Net::LDAP
>> missing Parse::RecDescent
>> missing SAVI
>> missing Sys::Hostname::Long
>> 2.42    Test::Harness
>> 0.47    Test::Simple
>> 1.95    Text::Balanced
>> 1.19    URI
>>
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/)
>> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>
>
>
> 
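
When a test message fails to trigger the warning, it helps to confirm independently that the HTML really carries a link whose visible text names a different host than its href, as in the `<a href="http://203.203.45.45">http://www.test.net</a>` entry quoted in the thread. The following is an added example, not part of the original messages and not MailScanner's own code; the names `LinkAuditor` and `audit` and the reason labels are assumptions made for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A hostname (optionally preceded by a scheme) appearing in the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z0-9-]+)", re.I)

def is_numeric_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class LinkAuditor(HTMLParser):
    """Record anchors whose visible text names a different host than the href."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real = (urlsplit(self.href.strip()).hostname or "").lower()
        match = HOST_IN_TEXT.search("".join(self.text))
        claimed = match.group(1).lower() if match else ""
        self.href = None
        if real and claimed and real != claimed:
            reason = "numeric-link" if is_numeric_host(real) else "host-mismatch"
            self.findings.append((real, claimed, reason))

def audit(html):
    """Return [(href_host, claimed_host, reason), ...] for one HTML body."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the test link quoted in the thread.
SAMPLE = '<a href="http://203.203.45.45">http://www.test.net</a>'
if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result for a test message means the link was rewritten or stripped before it reached the scanner (for example by the sending mail client), so the absence of a warning says nothing about the phishing check itself.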
