Announcement: New beta 4.59.2 released
Juan Pablo Salazar Bertín
snifer_ at hotmail.com
Fri Apr 27 18:10:45 IST 2007
Juan Pablo Salazar Bertín <snifer_ <at> hotmail.com> writes:
> Hi Julian, I've been trying to find out why some phishing is being undetected by
> MailScanner. I think it's due to line 5581 in Message.pm. I'm receiving phishing
> like this:
>
> <a href=http://santandersantiago.cl.camufa.com/canales/empresas/><font
> color=blue font size=4><u>
> http://www.santandersantiago.cl/canales/empresas/index.asp</font></font></u></a>
>
> So, as they're not using double quotes, MailScanner thinks it's an empty A tag.
> I think a better way of guessing if it's an empty A tag would be to check if
> href is empty, something like replacing:
>
> $DisarmInsideLink = 0 if $text =~ /\/\>$/; # JKF Catch /> empty A tags
>
> with:
>
> $DisarmInsideLink = 0 if $DisarmLinkURL eq ''; # JPSB empty A tags
>
> I've tested this in a development box against some phishing and it works. I'd
> like you to tell us if this change doesn't have any drawback, so we can safely
> patch production servers, and maybe it's included in this new version. Thanks.
>
> PS: You can get a sample phishing message at
> http://www.divshare.com/download/498395-7da
>

In the same file (Message.pm), in line 5889, it should be checked if we're
inside a link. Something like replacing:

    } else {
      # It is not a tag we worry about, so just print the text and continue.
      print $text;
    }

with:

    } elsif ($DisarmInsideLink) {
      # if we're inside a link, we should add the text so we'll have all in order
      $DisarmLinkText .= $text;
    } else {
      # It is not a tag we worry about, so just print the text and continue.
      print $text;
    }

I hope it helps, thanks.
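
The two empty-A-tag tests discussed in this message, compared side by side as an added example that is not part of the original post or of MailScanner's code. href_of is a hypothetical, simplified stand-in for MailScanner's own URL extraction, and every sample tag except the first is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified stand-in for the href extraction (assumption: MailScanner's own
# parsing differs). Accepts double-quoted, single-quoted and unquoted values.
sub href_of {
    my ($tag) = @_;
    return '' unless $tag =~ /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
    return $1 // $2 // $3;
}

# Original test quoted in the message: a tag ending in "/>" is an empty A tag.
sub empty_by_suffix { my ($tag) = @_; return $tag =~ /\/\>$/ ? 1 : 0 }

# Proposed test from the message: the tag is empty only if it carries no URL.
sub empty_by_href { my ($tag) = @_; return href_of($tag) eq '' ? 1 : 0 }

# The first tag is the opening tag from the message; the rest are constructed.
my @tags = (
    '<a href=http://santandersantiago.cl.camufa.com/canales/empresas/>',
    '<a href="http://www.example.com/canales/empresas/">',
    '<a name="top"/>',
    '<a/>',
    '<a href="http://www.example.com/"/>',
);

# One row per tag: 1 means the test treats the tag as an empty A tag.
for my $tag (@tags) {
    printf "%-68s suffix=%d href=%d url=%s\n",
        $tag, empty_by_suffix($tag), empty_by_href($tag), href_of($tag) || '-';
}
```

The first row is reported as empty by the suffix test only because its unquoted URL ends in a slash directly before the closing bracket; the href test still sees the URL. The last row is the one case where the two tests disagree on a genuinely self-closing tag, which is worth checking before deploying the change.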