Phishing fraud bug?

Julian Field MailScanner at
Mon Jul 9 18:40:39 IST 2007

Hash: SHA1

I remove all whitespace in the link text fairly early on in the process. 
I do this as it could be quite possible to make a link look like 
something else by putting it at the end of a long line and inserting a 
line-break in the middle of it, appearing just like word-wrapping.

So it sees
which is valid except there isn't a number after the ":". I might be 
able to do something about this, but certainly no promises. It's 
difficult to put the whitespace back in after you've taken it out :-(

Koopmann, Jan-Peter wrote:
> Hi,
> I think there is a strange bug in the phishing detection. Look at this
> E-Mail Body snipplet (taken from Exim queue file):
> 1I7otX-000FTi-7d-D
> This is a multi-part message in MIME format.
> ------_=_NextPart_001_01C7C205.D495F46E
> Content-Type: text/plain;
>         charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> Hallo Herr Koopmann,
> --
> Test AG
> Vorstand: Alexander Test
> Aufsichtsratvorsitzender: Claudius Test
> This is what I get after MailScanner has finished:
> MailScanner has detected a possible fraud attempt from
> "www.test.devorstand" claiming to be
> Somehow MailScanner does not see that the URL is ""
> only. I can provide the complete Exim-Queue files for download in case
> you need them Jules.
> Kind regards,
>   JP


- -- 
Julian Field MEng CITP
Buy the MailScanner book at

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit

Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit

More information about the MailScanner mailing list