Phishing fraud bug?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jul 9 18:40:39 IST 2007


I remove all whitespace in the link text fairly early on in the process. 
I do this as it could be quite possible to make a link look like 
something else by putting it at the end of a long line and inserting a 
line-break in the middle of it, appearing just like word-wrapping.

So it sees
http://www.test.devorstand:
which is valid except there isn't a number after the ":". I might be 
able to do something about this, but certainly no promises. It's 
difficult to put the whitespace back in after you've taken it out :-(

Koopmann, Jan-Peter wrote:
> Hi,
>
> I think there is a strange bug in the phishing detection. Look at this
> E-Mail Body snippet (taken from Exim queue file):
>
> 1I7otX-000FTi-7d-D
> This is a multi-part message in MIME format.
>
> ------_=_NextPart_001_01C7C205.D495F46E
> Content-Type: text/plain;
>         charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> Hallo Herr Koopmann,
>
>
> --
> Test AG
> http://www.test.de
>
> Vorstand: Alexander Test
> Aufsichtsratvorsitzender: Claudius Test
>
>
> This is what I get after MailScanner has finished:
>
> MailScanner has detected a possible fraud attempt from
> "www.test.devorstand" claiming to be http://www.test.de
>
>
>
> Somehow MailScanner does not see that the URL is "http://www.test.de"
> only. I can provide the complete Exim-Queue files for download in case
> you need them Jules.
>
>
> Kind regards,
>   JP
>   

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



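The effect discussed in this message, reproduced as an added example; it is not MailScanner's code and not from either poster. The names `host_port` and `analyse` are hypothetical, the sample strings are constructed, and treating a ":" with no port number as the sign of a glued-on word is an assumption about one way to flag the case while still checking the whitespace-stripped form.

```python
import re

# Optional scheme, then host, then an optional ":" and whatever follows it
# up to the next "/", "?" or "#".
_URL = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)(?::([^/?#]*))?", re.I)


def host_port(url):
    """Return (host, port_text); port_text is None when there is no ':' at all."""
    m = _URL.match(url)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def analyse(link_text):
    # Step described in the message: drop every whitespace character first,
    # so a link broken across lines is still read as one URL.
    stripped = re.sub(r"\s+", "", link_text)
    s_host, s_port = host_port(stripped)

    # Second reading: only the first whitespace-delimited token.
    tokens = link_text.split()
    f_host, _ = host_port(tokens[0] if tokens else "")

    # A ':' with no digits after it cannot be a port, so the tail is likely a
    # following word such as "Vorstand:" joined on by the whitespace removal.
    bad_port = s_port is not None and not s_port.isdigit()
    glued = bool(bad_port and f_host and s_host != f_host
                 and s_host.startswith(f_host))

    return {
        "stripped_host": s_host,
        "first_token_host": f_host,
        "glued_label": glued,
        # Keep both readings so a wrapped link is still checked in full.
        "hosts_to_check": sorted({h for h in (s_host, f_host) if h}),
    }


if __name__ == "__main__":
    # Constructed from the signature lines quoted in the report.
    print(analyse("http://www.test.de\n\nVorstand:"))
    # Constructed wrapped link: the case the whitespace removal exists for.
    print(analyse("http://www.exam\nple.com/login"))
```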


