HTML form scanning?
Kai Schaetzl
maillists at conactive.com
Tue Apr 7 16:31:24 IST 2009
Jon Dustin wrote on Mon, 06 Apr 2009 11:47:46 -0400:
> If you care to decode the base64 attachment, it is an HTML form that
> appears to take much of its content from Visa, with one key change:
>
> form name="frm" action="http://vatamu.org/vbv/w.php" method="post"
onsubmit="return valFrm()"
>
> If I'm not mistaken, this is trying to redirect the user's credit card details
to vatamu.org.
Well, not "redirect", this is very "direct" ;-)
>
> Should this message have been flagged? Or at least been marked in the HTML-part
as "fraud attempt"?
No. The phishing detection compares the target of links with the content of links
(e.g. what is dispalyed to the user). There is nothing that could be compared
against this forms action. I personally think that forms don't have anything to do
in mail, so one should be able to "disarm" them. I don't know if the disarming
functions in MailScanner already do this.
Have you actually tried in a mail program to use it? Most recent programs don't
show any external content by default, so if that page pulls in images from visa
these would normally not show. I don't know if posting the form would be
considered "external" (I would), so posting may work or not.
>
> Or is the encoded-part throwing off MS?
I don't think so, but Julian knows for sure.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
More information about the MailScanner
mailing list