mip: mail fraud? Anybody seen this?
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Nov 11 21:24:00 GMT 2008
Try this patch to the latest Message.pm and let me know if it helps:
--- Message.pm 2008-10-24 12:11:57.000000000 +0100
+++ Message.pm.new 2008-11-11 21:23:14.000000000 +0000
@@ -7251,6 +7251,7 @@
$linkurl =~ s/^(https?:\/\/[^:]+):80/$1/i; # Remove http://....:80
$linkurl =~ s/^(https?|ftp)[:;]\/\///i;
return ("",0) if $linkurl =~ /^ma[il]+to[:;]/i;
+ return ("",0) if $linkurl =~ /^mip[:;]/i; # Ignore MusicIP links
#$linkurl = "" if $linkurl =~ /^ma[il]+to[:;]/i;
$linkurl =~ s/[?\/].*$//; # Only compare up to the first '/' or '?'
$linkurl =~ s/(\<\/?(br|p|ul)\>)*$//ig; # Remove trailing br, p, ul tags
On 11/11/08 19:48, Rick Cooper wrote:
> That looks to be a MusicIP link see:
>
> http://www.musicip.com/mixer/mipprotocol.jsp
>
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info] On
> > Behalf Of Julian Field
> > Sent: Tuesday, November 11, 2008 12:22 PM
> > To: MailScanner discussion
> > Subject: Re: mip: mail fraud? Anybody seen this?
> >
> > If anyone else can tell me what mip: is, I'll think about
> > adding it to
> > the phishing net so it gets ignored as a URL.
> >
> > On 11/11/08 16:42, Jeff A. Earickson wrote:
> > > Julian,
> > >
> > > First, I hope that you and your various internal organs are doing
> > > reasonably well.
> > >
> > > I got pinged by a user today who asked "why did this copied
> > > reply get munged up by MailScanner?"
> > >
> > >> From:<MailScanner has detected a possible fraud attempt
> > from "mip:"
> > >> claiming to be xxx at aol.com<mip://0b04f618/xxx@aol.com> >
> > >> Date: Tue, 11 Nov 2008 08:14:40 EST
> > >> To:<MailScanner has detected a possible fraud attempt
> > from "mip:"
> > >> claiming
> > >> to be yyy at upanewtonma.org<mip://0b04f618/yyy@upanewtonma.org>
> > >
> > > and so on for all of the other email addresses in the quoted reply.
> > > I would guess that the mip: construct is something that an AOL MTA
> > > or mail client added. I googled for it and found zilch. Anybody
> > > else seen this?
> > >
> > > BTW: running MS 4.72.5-1 on Solaris 10.
> > >
> > > Jeff Earickson
> > > Colby College
> > >
> >
> > Jules
> >
> > --
> > Julian Field MEng CITP CEng
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> >
> > MailScanner customisation, or any advanced system
> > administration help?
> > Contact me at Jules at Jules.FM
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > PGP public key: http://www.jules.fm/julesfm.asc
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> >
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list