Phishing rules - url syntax

Martin Clayton mc.mailscanner at clayreed.com
Mon Jul 9 18:42:49 IST 2007


Hi,

I'm trying to help someone out here:
http://forum.mailtraq.com/viewtopic.php?f=7&t=832

Replies to some of his messages are showing:

| MailScanner has detected a possible fraud attempt from
| "www.mailtraqdirect.co.uk" claiming to be (the rest of
| the message is missing in the reply e-mail)

He's using a free version of the Mailtraq MTA
http://www.mailtraq.com/ which appends the following text
to all email messages:

| ______________________________________________________________
| Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk)


... or as text/html:

| <HTML><BODY>Test<a style="text-decoration: none" href=HTTP://www.mailtraqdirect.co.uk><p
| style="font-size: 8pt; font-family: Verdana, sans-serif; color:
| #aaaaaa; text-decoration: none; border-color: #dddddd; border-style:
| solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width:
| 0px; border-left-width: 0px; line-height: 9pt">
| Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk)</font></a></BODY></HTML>

Is it possible that the URL syntax is triggering the alert, or is the
decision based on other factors (message headers, DNS lookups...)?

Any pointers, much appreciated.

Cheers,
Martin



