MS 4.54.6 failing to tag a phishing message

Rick Chadderdon mailscanner at yeticomputers.com
Fri Sep 1 16:52:50 IST 2006


Are you, by any chance, using Thunderbird to read the message?  If so,
be sure that your client is set to view messages as either "Simple HTML"
or "Original HTML" for that account.  When I tested your HTML through my
MailScanner, I thought at first that it had failed for me, too.  Then
when viewing the message source I saw that I was wrong.

The test message:

Message-ID: <44F84CCF.2080704 at yeticomputers.com>
Date: Fri, 01 Sep 2006 11:07:59 -0400
From: Rick Chadderdon <mailscanner at yeticomputers.com>
User-Agent: Thunderbird 1.5.0.5 (X11/20060809)
MIME-Version: 1.0
To: Rick Chadderdon <mailscanner at yeticomputers.com>
Subject: Test
Content-Type: multipart/alternative;
 boundary="------------050805040507030102090704"

This is a multi-part message in MIME format.
--------------050805040507030102090704
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

https://boveda.banamex.com.mx/serban/
<http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php>


--------------050805040507030102090704
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<a
 href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php">https://boveda.banamex.com.mx/serban/</a>
</body>
</html>

--------------050805040507030102090704--


The important parts of what I received:

This is a multi-part message in MIME format.
--------------050805040507030102090704
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

https://boveda.banamex.com.mx/serban/
<http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php>


--------------050805040507030102090704
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<a
 href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php"><font
color="red"><b>MailScanner has detected a possible fraud attempt from
"dsl093-070-130.sfo4.dsl.speakeasy.net" claiming to be</b></font>
https://boveda.banamex.com.mx/serban/www.boveda.banamex.</a>

</body>
</html>

--------------050805040507030102090704--


However, Thunderbird was set to view messages as plain text, and the
phishing warning was *not shown*.  The message was sent as plain
text and HTML.  All Thunderbird showed was the plain text portion:

https://boveda.banamex.com.mx/serban/
<http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php>

Since the MailScanner phishing warning was HTML, it was not displayed.
If I view the message body as HTML, the warning is shown.  If I send the
message as "plain text only" or "HTML only" I get slightly different
results, but the phishing warning is always visible.  For me,
MailScanner caught your sample URL every time I tried it.  Now the
phishing warning was a bit odd:  "...claiming to be
https://boveda.banamex.com.mx/serban/www.boveda.banamex." - it tacked
stuff on after the "serban/".  I suppose there's a bug there, but for
the most part I'm seeing a Thunderbird display issue.

I am running MailScanner 4.55.10 on FreeBSD RELEASE 6.0, so it's
possible that something was fixed after your version that is causing
yours to fail to catch that particular link.

Rick

René Berber wrote:
> Hi,
>
> I'm using MS version 4.54.6 and trying to figure out why a phishing message went
> in and MS didn't do anything.  The message spam score (using spamassassin
> version 3.1.4 + some rules-du-jour) was very low, but as shown below inside the
> message was a very obvious phishing URL.
>
> Relevant parts of MailScanner.conf:
>
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = yes
> Highlight Phishing Fraud = yes
> Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> Phishing Modify Subject = yes
> Phishing Subject Text = {Fraud?}
>
> The file phishing.safe.sites.conf does not contain the bank name.  The
> country.domains.conf has a correct set of domain suffixes for this country.
>
> The relevant part of the message is:
>
> <A
> href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php">https://boveda.banamex.com.mx/serban/</A></FONT><FONTsize=2><BR>
>
> The links are as different as they can be, http vs https (not used by MS),
> speakeasy.net vs banamex.com.mx, so what did fail in MS?
>
> Any pointers on how to debug this or should I upgrade to the latest version?
>
> I had a look at lib/MailScanner/Message.pm and found where the URLs are compared
> taking into account the levels used by the country, I'll try to find out what
> went wrong.
>
> Thanks.
>   
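The check the thread is discussing, comparing the host named in an anchor's visible text with the host in its href, can be reproduced outside MailScanner. The script below is an added example, not MailScanner's own code from lib/MailScanner/Message.pm: it parses a multipart/alternative message constructed from the sample URLs in this thread, pulls every anchor out of the text/html part, and flags those whose link text looks like a URL for a different registrable domain than the href points to. The small MULTI_LEVEL_SUFFIXES table is an assumption that stands in for country.domains.conf (it is what makes "banamex.com.mx" rather than "com.mx" the owner-level domain). It also reports results per MIME part, which makes Rick's point visible: the text/plain part contains no anchors at all, so nothing inserted into the HTML part can ever show up in a plain-text view.

```python
"""Flag HTML anchors whose visible text names a different site than the href.

Added example, not MailScanner code.  MULTI_LEVEL_SUFFIXES is an assumption
standing in for MailScanner's country.domains.conf.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed two-level country suffixes; MailScanner reads these from country.domains.conf.
MULTI_LEVEL_SUFFIXES = {"com.mx", "co.uk", "com.au"}

# Constructed test message modelled on the sample in the thread (not the original mail).
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=ISO-8859-1

https://boveda.banamex.com.mx/serban/
<http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php>

--BOUNDARY
Content-Type: text/html; charset=ISO-8859-1

<html><body>
<a href="http://dsl093-070-130.sfo4.dsl.speakeasy.net/bancanetempresarial.banamex.com.mx/spanishdir/MailBanamex.php">https://boveda.banamex.com.mx/serban/</a>
</body></html>

--BOUNDARY--
"""


def registrable_domain(host):
    """Owner-level domain: last two labels, or three when the last two form
    a known country suffix such as 'com.mx'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname from a URL or a bare 'www.example.com/...' string."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_phishing_anchors(html):
    """(href_host, text_host) pairs where the link text looks like a URL but
    its registrable domain differs from the href's registrable domain."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        text_host = host_of(text)
        if "." not in text_host:  # visible text is not URL-like; nothing to compare
            continue
        href_host = host_of(href)
        if registrable_domain(href_host) != registrable_domain(text_host):
            hits.append((href_host, text_host))
    return hits


def check_message(raw):
    """Run the anchor check per MIME part.  text/plain parts carry no markup,
    so they always yield an empty list: that is where an HTML-only warning is invisible."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            results[ctype] = find_phishing_anchors(part.get_content())
        elif ctype == "text/plain":
            results[ctype] = []
    return results


if __name__ == "__main__":
    for ctype, hits in check_message(SAMPLE_MESSAGE).items():
        print(ctype, hits)
```

Running it prints one hit for the text/html part (speakeasy.net host versus boveda.banamex.com.mx in the link text) and an empty list for text/plain. The registrable-domain comparison is deliberately the only rule applied here; MailScanner's real check adds the safe-sites list and the stricter-net options quoted from MailScanner.conf above, which this example does not model.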
