Phishing fraud bug?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jul 9 21:08:50 IST 2007


Koopmann, Jan-Peter wrote:
> Hi Jules,
>
>   
>> I remove all whitespace in the link text fairly early on in the
>> process.
>> I do this as it could be quite possible to make a link look like
>> something else by putting it at the end of a long line and inserting a
>> line-break in the middle of it, appearing just like word-wrapping.
>>     
>
> But a newline character or similar would not be interpreted as part of
> the link by the MUA, would it? So clicking such a construct would not do
> any harm. Of course the user could always mark the entire seeming link
> and copy&paste it in the browser. Hard to cover that.
>   
What about this simple HTML?
<a href="http://www.nasty.co.uk/">http://www.nice.co
.uk/</a>
That would look like a word-wrapped link to www.nice.co.uk but would 
actually be a link to www.nasty.co.uk. I believe that's what I'm trying 
to cover.
>
>   
>> So it sees
>> http://www.test.devorstand:
>> which is valid except there isn't a number after the ":". I might be
>> able to do something about this, but certainly no promises. It's
>> difficult to put the whitespace back in after you've taken it out :-(
>>     
>
> Hm. This will result in quite some false positives and already has. Due
> to a "new" German law all B2B e-mails in Germany need a legitimate
> disclaimer stating all sorts of information. While the home-page URL is
> voluntary, most of the companies will state it in the footer followed by
> additional information just as I quoted. All of them will be scrambled
> by MailScanner.
>
> Not sure how to solve this problem. Any ideas?
>   
Not immediately, no. It's impossible to make the phishing net perfect. 
It's a very heuristic piece of code. Though if you fancy looking at the 
code and suggesting improvements, they are very welcome. It is 
documented fairly well at www.phishingnet.info.

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
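
Added example, not part of the original message and not MailScanner's code: a minimal Python sketch of the comparison discussed above, where whitespace is stripped from the link text before its apparent host is compared with the href host. It shows both the word-wrapped link being caught and the footer false positive; the class and function names, the regular expression and the two sample anchors are assumptions constructed for illustration.

```python
# Added illustration of the heuristic discussed in the thread; names are hypothetical.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def text_host(link_text):
    """Host the link text appears to name once ALL whitespace is removed."""
    squeezed = re.sub(r"\s+", "", link_text).lower()
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z0-9-]+)", squeezed)
    return m.group(1) if m else None

def check_links(html):
    """Return (href_host, text_host, mismatch) for anchors whose text looks like a URL."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.anchors:
        shown = text_host(text)
        if shown is not None:
            real = (urlsplit(href).hostname or "").lower()
            results.append((real, shown, real != shown))
    return results

# Constructed sample inputs: the wrapped link from the message, and a footer-style link.
WRAPPED = '<a href="http://www.nasty.co.uk/">http://www.nice.co\n.uk/</a>'
FOOTER = '<a href="http://www.test.de/">http://www.test.de\nVorstand: A. Example</a>'
```

`check_links(WRAPPED)` reports a mismatch between `www.nasty.co.uk` and `www.nice.co.uk`, which is the intended catch. `check_links(FOOTER)` also reports a mismatch, because the squeezed text yields `www.test.devorstand`, which is the false positive described in the thread.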

