Phishing problem.

Tony Enderby tenderby at MAILWASH.COM.AU
Mon Nov 28 14:26:17 GMT 2005



Martin,

The first debug session was configured with only the MS debug option set .. 
are you referring to the Spam Assassin debug flag as well?

Tony.

----- Original Message ----- 
From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Tuesday, November 29, 2005 12:48 AM
Subject: Re: Phishing problem.


> Tony
>
> Should dump the screen.
>
> I presume you set BOTH debug statements in MailScanner.conf to true???
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> Behalf Of Tony Enderby
>> Sent: 28 November 2005 13:03
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: [MAILSCANNER] Phishing problem.
>>
>> Martin,
>>
>> Updating said perl module at the moment and please excuse my ignorance but
>> where does MS dump debug info?
>>
>> Tony.
>> ----- Original Message -----
>> From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
>> To: <MAILSCANNER at JISCMAIL.AC.UK>
>> Sent: Monday, November 28, 2005 11:31 PM
>> Subject: Re: Phishing problem.
>>
>>
>> > Tony
>> >
>> > Well for starters upgrade Net::DNS to something more modern and you'll get
>> > extra SA checks working...
>> >
>> > Then I'd post the URL to the debug out so Jules can peruse it..
>> >
>> > --
>> > Martin Hepworth
>> > Snr Systems Administrator
>> > Solid State Logic
>> > Tel: +44 (0)1865 842300
>> >
>> >> -----Original Message-----
>> >> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> >> Behalf Of Tony Enderby
>> >> Sent: 28 November 2005 12:08
>> >> To: MAILSCANNER at JISCMAIL.AC.UK
>> >> Subject: Re: [MAILSCANNER] Phishing problem.
>> >>
>> >> Julian,
>> >>
>> >> Ok, result from debug output at the terminal was this .. if there's
>> >> another dump file with debug info in it let me know and I'll post the
>> >> output from that.  This terminal output was generated when I sent a
>> >> phishing trigger.
>> >>
>> >> Starting MailScanner daemons:
>> >>          incoming sendmail:                                [  OK  ]
>> >>          outgoing sendmail:                                [  OK  ]
>> >>          MailScanner:       In Debugging mode, not forking...
>> >> SA bayes lock is /root/.spamassassin/bayes.lock
>> >> Bayes lock is at /root/.spamassassin/bayes.lock
>> >> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at
>> >> /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Dns.pm line 1230.
>> >> Done the parse. Counter = 0 and max = 200
>> >> commit ineffective with AutoCommit enabled at
>> >> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> >> <CLIENT> line 42.
>> >> Commmit ineffective while AutoCommit is on at
>> >> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
>> >> <CLIENT> line 42.
>> >> Stopping now as you are debugging me.
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
>> >> To: MAILSCANNER at JISCMAIL.AC.UK
>> >> Sent: Monday, November 28, 2005 10:56 PM
>> >> Subject: Re: Phishing problem.
>> >>
>> >>
>> >> Yes, it's always worth trying. Certainly no reason not to.
>> >>
>> >> On 28 Nov 2005, at 11:44, Tony Enderby wrote:
>> >>
>> >>
>> >>
>> >> Julian,
>> >>
>> >> Made the requested change to MailScanner.conf and then
>> >> attempted to trigger with a well formed phish and the subject was not
>> >> modified to insert (Fraud?)
>> >>
>> >> Would running MS in debug mode as Martin suggested be
>> >> worthwhile?
>> >>
>> >> Tony.
>> >>
>> >> ----- Original Message -----
>> >> From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
>> >> To: MAILSCANNER at JISCMAIL.AC.UK
>> >> Sent: Monday, November 28, 2005 10:00 PM
>> >> Subject: Re: Phishing problem.
>> >>
>> >> Try setting "Phishing Modify Subject = yes" in
>> >> MailScanner.conf and let me know what happens. I have an idea of what it
>> >> might be. At some point in the last month or 2, CVS "lost" an edit (CVS is
>> >> the package that manages the source code tree). MessageBatch.pm was
>> >> therefore missing a function.
>> >>
>> >> Upgrade to the latest beta and let me know what happens.
>> >> This may well fix it.
>> >>
>> >> On 28 Nov 2005, at 10:45, Tony Enderby wrote:
>> >>
>> >>
>> >>
>> >> Hi All,
>> >>
>> >> I have read some posts in the list archive
>> >> regarding phishing fraud detection and one in particular about a user who
>> >> couldn't get the functionality working but there was no definitive answer
>> >> so I thought I'd ask again.
>> >>
>> >> I have been unable to get phishing detection to
>> >> trigger (insert highlight) with MS v 4.47.4 or the two previous stable
>> >> releases.   I have dangerous content scanning set to on and although
>> >> originally had "find phishing fraud" set to a ruleset, have also tried
>> >> hard coding to "yes" both with the same result.
>> >>
>> >> I have tried manually firing the phishing
>> >> detection by sending hand coded html email from various external sources
>> >> (not on phishing whitelist) with disparate text and URL links, and also
>> >> copied examples from various "phishing sample" websites.  The numeric
>> >> phishing detection does also not seem to work with the most simple email
>> >> I've compiled and sent containing the following entry <a href=
>> >> <http://203.203.45.45> MailScanner has detected a possible fraud attempt
>> >> from "203.203.45.45" claiming to be numericlinkwarning
>> >> http://203.203.45.45> <http://www.test.net> http://www.test.net</a> but MS
>> >> lets them through without inserting the warning.
>> >>
>> >> The following entries appear in my
>> >> MailScanner.conf
>> >>
>> >> Find Phishing Fraud = yes
>> >> Also Find Numeric Phishing = yes
>> >> Highlight Phishing Fraud = yes
>> >>
>> >> A copy of terminal output from MailScanner -v is
>> >> included below in the hope that maybe I'm missing some HTML parser module
>> >> which is required to do the phishing checks.
>> >>
>> >>
>> >> Any help would be much appreciated.
>> >>
>> >> Tony.
>> >>
>> >> This is Perl version 5.008005 (5.8.5)
>> >>
>> >> This is MailScanner version 4.47.4
>> >> Module versions are:
>> >> 1.00    AnyDBM_File
>> >> 1.14    Archive::Zip
>> >> 1.03    Carp
>> >> 1.119   Convert::BinHex
>> >> 1.00    DirHandle
>> >> 1.05    Fcntl
>> >> 2.73    File::Basename
>> >> 2.08    File::Copy
>> >> 2.01    FileHandle
>> >> 1.06    File::Path
>> >> 0.14    File::Temp
>> >> 1.29    HTML::Entities
>> >> 3.45    HTML::Parser
>> >> 2.30    HTML::TokeParser
>> >> 1.21    IO
>> >> 1.10    IO::File
>> >> 1.123   IO::Pipe
>> >> 1.50    Mail::Header
>> >> 3.05    MIME::Base64
>> >> 5.417   MIME::Decoder
>> >> 5.417   MIME::Decoder::UU
>> >> 5.417   MIME::Head
>> >> 5.417   MIME::Parser
>> >> 3.03    MIME::QuotedPrint
>> >> 5.417   MIME::Tools
>> >> 0.10    Net::CIDR
>> >> 1.08    POSIX
>> >> 1.77    Socket
>> >> 0.05    Sys::Syslog
>> >> 1.02    Time::localtime
>> >>
>> >> Optional module versions are:
>> >> 0.17    Convert::TNEF
>> >> 1.809   DB_File
>> >> 1.08    Digest
>> >> 1.01    Digest::HMAC
>> >> 2.33    Digest::MD5
>> >> 2.01    Digest::SHA1
>> >> missing Inline
>> >> missing Mail::ClamAV
>> >> 3.000004        Mail::SpamAssassin
>> >> missing Mail::SPF::Query
>> >> missing Net::CIDR::Lite
>> >> 0.23    Net::DNS
>> >> 0.31    Net::LDAP
>> >> missing Parse::RecDescent
>> >> missing SAVI
>> >> missing Sys::Hostname::Long
>> >> 2.42    Test::Harness
>> >> 0.47    Test::Simple
>> >> 1.95    Text::Balanced
>> >> 1.19    URI
>> >>
>> >>
>> >> ------------------------ MailScanner list ------------------------
>> >> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> >> 'leave mailscanner' in the body of the email.
>> >> Before posting, read the Wiki (http://wiki.mailscanner.info/)
>> >> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>> >>
>> >> Support MailScanner development - buy the book off the website!
>> >>
>> >>
>> >> --
>> >> Julian Field
>> >> www.MailScanner.info
>> >> Buy the MailScanner book at www.MailScanner.info/store
>> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Julian Field
>> >> www.MailScanner.info
>> >> Buy the MailScanner book at www.MailScanner.info/store
>> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> >>
>> >>
>> >
>> >
>> >
>> > **********************************************************************
>> >
>> > This email and any files transmitted with it are confidential and
>> > intended solely for the use of the individual or entity to whom they
>> > are addressed. If you have received this email in error please notify
>> > the system manager.
>> >
>> > This footnote confirms that this email message has been swept
>> > for the presence of computer viruses and is believed to be clean.
>> >
>> > **********************************************************************
>> >
>> > -----------------------------------------------------------------------------------
>> > This message has been scanned by Mailwash Australia.
>> >
>> > Premier Anti-Virus, Anti-Spam and Identity Theft protection
>> > for Corporations and End Users.
>> >
>> > Log into http://www.mailwash.com.au to check your message
>> > store for blocked content.
>> >
>> > Please visit http://www.mailwash.com.au for an overview.
>> > -----------------------------------------------------------------------------------
>> >
>>
>
>
> 
