Phishing net getting confused

Tue Jul 17 22:25:53 IST 2007

John Wilcock spake the following on 7/17/2007 8:28 AM:
> I think I've uncovered a buglet in the phishing net code (MailScanner
> version 4.61.7).
> 
> Given the following snippet (this was an outgoing message, quoting an
> original that included the hotbar link; the moz-do-not-send bits weren't
> in that original and seem to be generated by Thunderbird):
> 
>> <a moz-do-not-send="true"
>>  href="http://promos.hotbar.com/promos/promodll.dll?RunPromo&amp;El=&amp;SG=&amp
>>
>> ;RAND=16236&amp;partner=hbtools"><img
>>  moz-do-not-send="true" title="" alt="Upgrade Your Email - Click here!"
>>  src="http://promos.hotbar.com/promos/promodll.dll?GetPromo&amp;El=&amp;SG=&amp;
>>
>> RAND=16236&amp;partner=hbtools&amp;/p.gif"
>>  border="0"></a>
> 
> Mailscanner's phishing net detected this as follows:
> 
>> MailScanner[12590]: Found phishing fraud from promos.hotbar.com
>> claiming to be
>> www.<imgmoz-do-not-send="true"title=""alt="upgradeyouremail-clickhere!"src="http
>>
>> in 6F13B8053.635D4
> 
> Clearly the moz-do-not-send is causing a problem, since the original
> message without those tags correctly passed through the net undetected.
> 
> John.
> 
Did sending user tell Thunderbird it was not junk "before" forwarding? I think
that is how it disables stuff it thinks is bad.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!