Announcement: New beta 4.59.2 released

Juan Pablo Salazar Bertín snifer_ at hotmail.com
Fri Apr 27 16:40:29 IST 2007


Julian Field <MailScanner <at> ecs.soton.ac.uk> writes:

> 
> 
> Hi folks,
> 
> I have just released a new beta 4.59.2 which includes the support for 
> clamd, using the patches provided earlier on this list.
> 
> If you use clamd and are running MailScanner as root (or have not 
> specified the Run As User at all), then it is vital that you read the 
> notes just above the "Incoming Work Group" setting in order to get the 
> ownership and permissions correct so that clamd can read them.
> 
> Download as usual from www.mailscanner.info.
> 
> Please test this release for me!
> 
> The Change Log for 4.59 so far is this:
> 
> * New Features and Improvements *
> 2 Changed locations monitored for ClamAV updates to fit new ClamAV 0.9 
> layout.
> 2 Added support for clamdscan and clamd. Use "Virus Scanners = clamd".
> 
> * Fixes *
> 1 Exim fix by Debian Maintainer: Simon Walter.
> 1 Incoming Work Group not honoured for files with a leading dot in their
>   filename. Again, fix by Simon Walter.
> 
> Jules
> 


Hi Julian, I've been trying to find out why some phishing is going undetected by
MailScanner. I think it's due to line 5581 in Message.pm. I'm receiving phishing
like this:

<a href=http://santandersantiago.cl.camufa.com/canales/empresas/><font
color=blue font size=4><u>
http://www.santandersantiago.cl/canales/empresas/index.asp</font></font></u></a>

So, as they're not using double quotes, MailScanner thinks it's an empty A tag.
I think a better way of guessing if it's an empty A tag would be to check if
href is empty, something like replacing:

 $DisarmInsideLink = 0 if $text =~ /\/\>$/; # JKF Catch /> empty A tags

with:

 $DisarmInsideLink = 0 if $DisarmLinkURL eq ''; # JPSB empty A tags

I've tested this in a development box against some phishing and it works. I'd
like you to tell us if this change doesn't have any drawback, so we can safely
patch production servers, and maybe it's included in this new version. Thanks.

PS: You can get a sample phishing message at
http://www.divshare.com/download/498395-7da
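
The difference between the two checks discussed in the message above, as an added example that is not part of the original post or of MailScanner's code: it runs both heuristics over constructed start tags. The helpers `href_of`, `empty_by_suffix` and `empty_by_href` are hypothetical names, and the regex-based href extraction is an assumption standing in for however Message.pm fills `$DisarmLinkURL`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample start tags. The first mirrors the unquoted-href form
# quoted in the post; the rest are made up for comparison.
my @tags = (
    '<a href=http://santandersantiago.cl.camufa.com/canales/empresas/>',
    '<a href="http://www.example.com/login/">',
    '<a name="top"/>',
    '<a href="" />',
    '<a href="http://www.example.com/"/>',
);

# Hypothetical helper (assumption, not MailScanner code): extract the href
# value from a raw start tag, accepting double-quoted, single-quoted and
# unquoted attribute values.
sub href_of {
    my ($tag) = @_;
    return $1 if $tag =~ /\bhref\s*=\s*"([^"]*)"/i;
    return $1 if $tag =~ /\bhref\s*=\s*'([^']*)'/i;
    return $1 if $tag =~ /\bhref\s*=\s*([^\s>]+)/i;
    return '';
}

# Check from the line being replaced: raw tag text ending in "/>" is
# taken to be an empty A tag, so the link text after it is not compared.
sub empty_by_suffix { my ($tag) = @_; return $tag =~ /\/\>$/ ? 1 : 0 }

# Check proposed in the post: the tag is empty only if it has no href.
sub empty_by_href { my ($tag) = @_; return href_of($tag) eq '' ? 1 : 0 }

# Print one row per tag so the disagreements between the checks stand out.
printf "%-8s %-8s %s\n", 'suffix', 'href', 'tag';
for my $tag (@tags) {
    printf "%-8s %-8s %s\n",
        empty_by_suffix($tag) ? 'empty' : 'link',
        empty_by_href($tag)   ? 'empty' : 'link',
        $tag;
}
```

The two checks disagree on the first and last tags: both carry a real URL, but their raw text ends in "/>", so only the href-based check keeps them in scope for the link comparison.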


