MS 4.54.6 failing to tag a phishing message

René Berber r.berber at computer.org
Thu Aug 31 03:20:26 IST 2006


Hi,

I'm using MS version 4.54.6 and trying to figure out why a phishing message went
in and MS didn't do anything.  The message spam score (using spamassassin
version 3.1.4 + some rules-du-jour) was very low, but, as shown below, inside the
message was a very obvious phishing URL.

Relevant parts of MailScanner.conf:

Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Modify Subject = yes
Phishing Subject Text = {Fraud?}

The file phishing.safe.sites.conf does not contain the bank name.  The
country.domains.conf has a correct set of domain suffixes for this country.

The relevant part of the message is:

<A
href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php">https://boveda.banamex.com.mx/serban/</A></FONT><FONTsize=2><BR>

The links are as different as they can be, http vs https (not used by MS),
speakeasy.net vs banamex.com.mx, so what did fail in MS?

Any pointers on how to debug this or should I upgrade to the latest version?

I had a look at lib/MailScanner/Message.pm and found where the URLs are compared
taking into account the levels used by the country; I'll try to find out what
went wrong.

Thanks.
-- 
René Berber
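
Added example, not part of the original message and not MailScanner's code: a standalone check that compares the host an anchor really points to with the host shown in its link text, reducing both by country-domain levels. The function names and the small suffix set are assumptions constructed for illustration; the sample anchor is the one quoted in the message.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for a country-domain suffix list (assumption, not MailScanner's file).
SECOND_LEVEL_SUFFIXES = {"com.mx", "org.mx", "gob.mx", "co.uk", "com.au"}

def host_of(text):
    """Hostname of a URL-looking string, or None if it does not look like one."""
    text = text.strip()
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    return host if (host and "." in host and " " not in host) else None

def site_of(host):
    """Reduce a hostname to the registrable part: 3 labels under com.mx etc., else 2."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host  # numeric address: compare as-is
    keep = 3 if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, real = host_of("".join(self.text)), host_of(self.href)
            # Only link text that itself looks like a URL can contradict the href.
            if shown and real and site_of(shown) != site_of(real):
                self.findings.append((site_of(real), site_of(shown)))
            self.href = None

def mismatched_links(html):
    """Return (real_site, displayed_site) for each anchor whose text names another site."""
    audit = AnchorAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

SAMPLE = ('<A href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial'
          '.banamex.com.mx/spanishdir/MailBanamex.php">https://boveda.banamex.com.mx/serban/</A>')
```
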


