Phishing net getting confused

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jul 18 12:22:47 IST 2007


Thanks for that John. It will be in the next release.
Going to a nice dinner this evening on HMS Warrior in Portsmouth. 
Department academics and management are having a 60th anniversary 
dinner. Should be good. Expect photos very soon. John ---- You might 
even still recognise some of them!

Jules.

John Wilcock wrote:
> Scott Silva wrote:
>> John Wilcock spake the following on 7/17/2007 8:28 AM:
>>> I think I've uncovered a buglet in the phishing net code (MailScanner
>>> version 4.61.7).
> ...
>>> MailScanner's phishing net detected this as follows:
>>>
>>>> MailScanner[12590]: Found phishing fraud from promos.hotbar.com
>>>> claiming to be
>>>> www.<imgmoz-do-not-send="true"title=""alt="upgradeyouremail-clickhere!"src="http 
>>>>
>>>>
>>>> in 6F13B8053.635D4
>>> Clearly the moz-do-not-send is causing a problem, since the original
>>> message without those tags correctly passed through the net undetected.
>>>
>>> John.
>>>
>> Did sending user tell Thunderbird it was not junk "before" 
>> forwarding? I think
>> that is how it disables stuff it thinks is bad.
>
> Quite possibly, but that's not the point here. MS is getting 
> "confused" by the hyphens in the html attribute name.
>
> Looking at the code, there's a tag detection regex that searches for 
> tag names and attribute names with \w+ whereas in fact the HTML spec, 
> or rather the underlying SGML spec also allows names to contain (but 
> not start with) -_.: as well. I've attached a patch that seems to do 
> the trick, for Julian's perusal.
>
> John.
>

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
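
The name-matching problem described in the quoted message, as an added example that is not part of the original thread and is not MailScanner's code: a small tag tokenizer run once with \w+ names and once with names that may contain (but not start with) - _ . : characters. The functions parse_tag and link_text, the tokenizer itself and the sample markup are assumptions constructed for illustration; the unrecognised tag being left in the link text is consistent with the log line quoted above.

```python
import re

NAME_WORD = r"\w+"                   # names as the post describes the original regex
NAME_SGML = r"[A-Za-z0-9][\w.:-]*"   # may contain, but not start with, - _ . :
VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s>]+)"""
CANDIDATE = re.compile(r"<[^>]*>")   # anything that looks like a tag

# Constructed sample: an image as Thunderbird marks it when forwarding.
SAMPLE_TAG = ('<img moz-do-not-send="true" title="" '
              'alt="Upgrade your email - click here!" '
              'src="http://img.example/banner.gif">')
SAMPLE_LINK = "<b>" + SAMPLE_TAG + "</b>"   # constructed inner HTML of a link

def parse_tag(tag, name):
    """Return (tag_name, {attr: value}), or None if `tag` does not tokenize."""
    head = re.compile(r"</?(%s)" % name, re.ASCII).match(tag)
    if not head:
        return None
    attr = re.compile(r"\s+(%s)(?:\s*=\s*(%s))?" % (name, VALUE), re.ASCII)
    pos, attrs = head.end(), {}
    while True:
        m = attr.match(tag, pos)
        if not m:
            break
        value = m.group(2)
        attrs[m.group(1).lower()] = None if value is None else value.strip("\"'")
        pos = m.end()
    # The tag only counts as recognised if nothing but "/>" or ">" is left.
    if re.compile(r"\s*/?>$").match(tag, pos):
        return head.group(1).lower(), attrs
    return None

def link_text(html, name):
    """Drop every tag the tokenizer recognises; unrecognised ones stay as text."""
    keep = lambda m: "" if parse_tag(m.group(0), name) else m.group(0)
    return CANDIDATE.sub(keep, html)

if __name__ == "__main__":
    for label, name in (("\\w+ names", NAME_WORD), ("SGML names", NAME_SGML)):
        print(label, "->", parse_tag(SAMPLE_TAG, name))
        print("  link text:", repr(link_text(SAMPLE_LINK, name)))
```

With \w+ the tokenizer stops at the first hyphen of moz-do-not-send, so the whole img tag is treated as text; with the wider name pattern it parses into four attributes and no text is left.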





