Phishing problem.

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Mon Nov 28 14:40:05 GMT 2005


Yes - you need a message in the inbound queue so it will actually do
something useful as well..

Hmm I see you're running the mail stop/start script.....

Stop MailScanner only (however that's done with the RPM version of the init
script). Have a look at the script.

Then run check_mailscanner ... that will ONLY run MailScanner and not try
and start any of the MTA daemons..

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Tony Enderby
> Sent: 28 November 2005 14:26
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] Phishing problem.
> 
> Martin,
> 
> The first debug session was configured with only the MS debug option set
> ..
> are you referring to the Spam Assassin debug flag as well?
> 
> Tony.
> 
> ----- Original Message -----
> From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Tuesday, November 29, 2005 12:48 AM
> Subject: Re: Phishing problem.
> 
> 
> > Tony
> >
> > Should dump the screen.
> >
> > I presume you set BOTH debug statements in MailScanner.conf to true???
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >> -----Original Message-----
> >> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >> Behalf Of Tony Enderby
> >> Sent: 28 November 2005 13:03
> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> Subject: Re: [MAILSCANNER] Phishing problem.
> >>
> >> Martin,
> >>
> >> Updating said perl module at the moment and please excuse my ignorance
> >> but where does MS dump debug info?
> >>
> >> Tony.
> >> ----- Original Message -----
> >> From: "Martin Hepworth" <martinh at SOLID-STATE-LOGIC.COM>
> >> To: <MAILSCANNER at JISCMAIL.AC.UK>
> >> Sent: Monday, November 28, 2005 11:31 PM
> >> Subject: Re: Phishing problem.
> >>
> >>
> >> > Tony
> >> >
> >> > Well for starters upgrade Net::DNS to something more modern and you'll
> >> > get extra SA checks working...
> >> >
> >> > Then I'd post the URL to the debug out so Jules can peruse it..
> >> >
> >> > --
> >> > Martin Hepworth
> >> > Snr Systems Administrator
> >> > Solid State Logic
> >> > Tel: +44 (0)1865 842300
> >> >
> >> >> -----Original Message-----
> >> >> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >> >> Behalf Of Tony Enderby
> >> >> Sent: 28 November 2005 12:08
> >> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> >> Subject: Re: [MAILSCANNER] Phishing problem.
> >> >>
> >> >> Julian,
> >> >>
> >> >> Ok, result from debug output at the terminal was this .. if there's
> >> >> another dump file with debug info in it let me know and I'll post the
> >> >> output from that.  This terminal output was generated when I sent a
> >> >> phishing trigger.
> >> >>
> >> >> Starting MailScanner daemons:
> >> >>          incoming sendmail:                                [  OK  ]
> >> >>          outgoing sendmail:                                [  OK  ]
> >> >>          MailScanner:       In Debugging mode, not forking...
> >> >> SA bayes lock is /root/.spamassassin/bayes.lock
> >> >> Bayes lock is at /root/.spamassassin/bayes.lock
> >> >> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at
> >> >> /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Dns.pm line 1230.
> >> >> Done the parse. Counter = 0 and max = 200
> >> >> commit ineffective with AutoCommit enabled at
> >> >> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> >> >> <CLIENT> line 42.
> >> >> Commmit ineffective while AutoCommit is on at
> >> >> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> >> >> <CLIENT> line 42.
> >> >> Stopping now as you are debugging me.
> >> >>
> >> >>
> >> >> ----- Original Message -----
> >> >> From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
> >> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> >> Sent: Monday, November 28, 2005 10:56 PM
> >> >> Subject: Re: Phishing problem.
> >> >>
> >> >>
> >> >> Yes, it's always worth trying. Certainly no reason not to.
> >> >>
> >> >> On 28 Nov 2005, at 11:44, Tony Enderby wrote:
> >> >>
> >> >>
> >> >>
> >> >> Julian,
> >> >>
> >> >> Made the requested change to MailScanner.conf and then attempted to
> >> >> trigger with a well formed phish and the subject was not modified to
> >> >> insert (Fraud?)
> >> >>
> >> >> Would running MS in debug mode as Martin suggested be
> >> >> worthwhile?
> >> >>
> >> >> Tony.
> >> >>
> >> >> ----- Original Message -----
> >> >> From: Julian Field <mailto:MailScanner at ECS.SOTON.AC.UK>
> >> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> >> Sent: Monday, November 28, 2005 10:00 PM
> >> >> Subject: Re: Phishing problem.
> >> >>
> >> >> Try setting "Phishing Modify Subject = yes" in MailScanner.conf and let
> >> >> me know what happens. I have an idea of what it might be. At some point
> >> >> in the last month or 2, CVS "lost" an edit (CVS is the package that
> >> >> manages the source code tree). MessageBatch.pm was therefore missing a
> >> >> function.
> >> >>
> >> >> Upgrade to the latest beta and let me know what happens. This may well
> >> >> fix it.
> >> >>
> >> >> On 28 Nov 2005, at 10:45, Tony Enderby wrote:
> >> >>
> >> >>
> >> >>
> >> >> Hi All,
> >> >>
> >> >> I have read some posts in the list archive regarding phishing fraud
> >> >> detection and one in particular about a user who couldn't get the
> >> >> functionality working but there was no definitive answer so I thought
> >> >> I'd ask again.
> >> >>
> >> >> I have been unable to get phishing detection to trigger (insert
> >> >> highlight) with MS v 4.47.4 or the two previous stable releases. I have
> >> >> dangerous content scanning set to on and although originally had "Find
> >> >> Phishing Fraud" set to a ruleset, have also tried hard coding to "yes",
> >> >> both with the same result.
> >> >>
> >> >> I have tried manually firing the phishing detection by sending hand
> >> >> coded HTML email from various external sources (not on the phishing
> >> >> whitelist) with disparate text and URL links, and also copied examples
> >> >> from various "phishing sample" websites. The numeric phishing detection
> >> >> does also not seem to work with the most simple email I've compiled and
> >> >> sent containing the following entry <a href=
> >> >> <http://203.203.45.45> MailScanner has detected a possible fraud attempt
> >> >> from "203.203.45.45" claiming to be numericlinkwarning
> >> >> http://203.203.45.45> <http://www.test.net> http://www.test.net</a>
> >> >> but MS lets them through without inserting the warning.
> >> >>
> >> >> The following entries appear in my MailScanner.conf
> >> >>
> >> >> Find Phishing Fraud = yes
> >> >> Also Find Numeric Phishing = yes
> >> >> Highlight Phishing Fraud = yes
> >> >>
> >> >> A copy of terminal output from MailScanner -v is included below in the
> >> >> hope that maybe I'm missing some HTML parser module which is required
> >> >> to do the phishing checks.
> >> >>
> >> >>
> >> >> Any help would be much appreciated.
> >> >>
> >> >> Tony.
> >> >>
> >> >> This is Perl version 5.008005 (5.8.5)
> >> >>
> >> >> This is MailScanner version 4.47.4
> >> >> Module versions are:
> >> >> 1.00    AnyDBM_File
> >> >> 1.14    Archive::Zip
> >> >> 1.03    Carp
> >> >> 1.119   Convert::BinHex
> >> >> 1.00    DirHandle
> >> >> 1.05    Fcntl
> >> >> 2.73    File::Basename
> >> >> 2.08    File::Copy
> >> >> 2.01    FileHandle
> >> >> 1.06    File::Path
> >> >> 0.14    File::Temp
> >> >> 1.29    HTML::Entities
> >> >> 3.45    HTML::Parser
> >> >> 2.30    HTML::TokeParser
> >> >> 1.21    IO
> >> >> 1.10    IO::File
> >> >> 1.123   IO::Pipe
> >> >> 1.50    Mail::Header
> >> >> 3.05    MIME::Base64
> >> >> 5.417   MIME::Decoder
> >> >> 5.417   MIME::Decoder::UU
> >> >> 5.417   MIME::Head
> >> >> 5.417   MIME::Parser
> >> >> 3.03    MIME::QuotedPrint
> >> >> 5.417   MIME::Tools
> >> >> 0.10    Net::CIDR
> >> >> 1.08    POSIX
> >> >> 1.77    Socket
> >> >> 0.05    Sys::Syslog
> >> >> 1.02    Time::localtime
> >> >>
> >> >> Optional module versions are:
> >> >> 0.17    Convert::TNEF
> >> >> 1.809   DB_File
> >> >> 1.08    Digest
> >> >> 1.01    Digest::HMAC
> >> >> 2.33    Digest::MD5
> >> >> 2.01    Digest::SHA1
> >> >> missing Inline
> >> >> missing Mail::ClamAV
> >> >> 3.000004        Mail::SpamAssassin
> >> >> missing Mail::SPF::Query
> >> >> missing Net::CIDR::Lite
> >> >> 0.23    Net::DNS
> >> >> 0.31    Net::LDAP
> >> >> missing Parse::RecDescent
> >> >> missing SAVI
> >> >> missing Sys::Hostname::Long
> >> >> 2.42    Test::Harness
> >> >> 0.47    Test::Simple
> >> >> 1.95    Text::Balanced
> >> >> 1.19    URI
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Julian Field
> >> >> www.MailScanner.info
> >> >> Buy the MailScanner book at www.MailScanner.info/store
> >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >> >>
> >> >>
> >> >> --
> >> >> Julian Field
> >> >> www.MailScanner.info
> >> >> Buy the MailScanner book at www.MailScanner.info/store
> >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >> >
> >> > ------------------------------------------------------------------------
> >> > This message has been scanned by Mailwash Australia.
> >> >
> >> > Premier Anti-Virus, Anti-Spam and Identity Theft protection
> >> > for Corporations and End Users.
> >> >
> >> > Log into http://www.mailwash.com.au to check your message
> >> > store for blocked content.
> >> >
> >> > Please visit http://www.mailwash.com.au for an overview.
> >> > ------------------------------------------------------------------------


**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
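As an added illustration, not MailScanner's own code and not written by anyone in this thread, the following Python checker performs the two kinds of link test that the "Find Phishing Fraud" and "Also Find Numeric Phishing" options discussed above are about: a link whose target is a bare numeric IP, and a link whose visible text names one host while the href points to another. It also prepends "(Fraud?)" to the subject, which is the behaviour the thread expects from "Phishing Modify Subject = yes". The warning wording is modelled on the output Tony quoted; how MailScanner itself decides these cases, the subdomain tolerance in same_site, the HOSTLIKE heuristic and the sample message (203.203.45.45 and www.test.net come from the thread, the bank.example and evil.example hosts are made up) are all assumptions of this example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording modelled on the warning quoted in the thread; the exact MailScanner
# text is not asserted here.
WARNING = ('MailScanner has detected a possible fraud attempt from "{actual}" '
           'claiming to be {claimed}')

# Visible link text that looks like a URL or hostname (assumed heuristic).
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?[\w.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a bare hostname is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_numeric_host(host):
    """True when the host is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """Treat a host and its subdomains as one site (assumed tolerance)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_link(href, text, find_numeric=True):
    """Return a warning string for a suspicious link, or None."""
    actual = host_of(href)
    if not actual:
        return None
    claimed = host_of(text) if HOSTLIKE.match(text) else ""
    # "Also Find Numeric Phishing": a raw IP target is flagged whatever the text.
    if find_numeric and is_numeric_host(actual):
        return WARNING.format(actual=actual, claimed=claimed or repr(text))
    # "Find Phishing Fraud": the text names one host, the href goes to another.
    if claimed and not same_site(claimed, actual):
        return WARNING.format(actual=actual, claimed=claimed)
    return None


def scan_message(subject, html_body, modify_subject=True):
    """Return (possibly tagged subject, list of warnings) for one HTML message."""
    parser = LinkCollector()
    parser.feed(html_body)
    warnings = [w for w in (check_link(h, t) for h, t in parser.links) if w]
    # "Phishing Modify Subject": tag the subject once when anything was flagged.
    if warnings and modify_subject and not subject.startswith("(Fraud?)"):
        subject = "(Fraud?) " + subject
    return subject, warnings


# Constructed sample message: 203.203.45.45 and www.test.net come from the
# thread, the bank.example / evil.example hosts are made up.
SAMPLE_HTML = (
    "<html><body>"
    '<p>Verify your account at <a href="http://203.203.45.45/login">'
    "http://www.test.net</a></p>"
    '<p>Or use <a href="http://www.evil.example/x">www.bank.example</a></p>'
    '<p>Help: <a href="http://www.test.net/help">www.test.net</a></p>'
    '<p><a href="http://www.test.net/a">click here</a></p>'
    "</body></html>"
)

if __name__ == "__main__":
    subject, warnings = scan_message("Account notice", SAMPLE_HTML)
    print(subject)
    for w in warnings:
        print(" -", w)
```

Run it and the first two links are reported (a numeric target, and text claiming www.bank.example while the href goes to www.evil.example) and the subject comes back as "(Fraud?) Account notice"; the third link is left alone because text and target agree, and "click here" is never treated as a host claim. A quick way to use this when chasing a problem like Tony's is to feed it the exact HTML of the test message: if this checker flags the link but MailScanner does not, the message body is not the reason.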


