school targeted phishing getting past MailScanner and ScamNailer

Mark Sapiro mark at
Sat Oct 24 17:26:45 IST 2009

On Fri, Oct 23, 2009 at 02:06:09PM -0600, Robert Lopez wrote:
> Mark,
> On Fri, Oct 23, 2009 at 10:28 AM, Mark Sapiro <mark at> wrote:
> >
> > The above do not result in blocked mail by themselves. They result in
> > mail being 'disarmed'. They come from HTML mail that has a link whose
> > 'text' looks like a URL or host name but has a different host from that
> > in the target URL.
> Are you certain? I thought those looked more like this log sample:
> Oct 23 13:10:48 mg04 MailScanner[27356]: Content Checks: Detected and
> have disarmed web bug tags in HTML message in 9C604660910.58CBE from
> newsletters at

That is one type of disarming, but HTML that looks like

<a href="">

will get replaced by

<a href="">
<font color="red"><b>MailScanner has detected a possible fraud attempt
 from "" claiming to be</b></font>

and the {disarmed} tag will be added to the subject and this is logged as

Found phishing fraud from
claiming to be

There will also be a log message containing

Content Checks: Detected and have disarmed xxx tags in HTML message

where xxx is some combination of web bug, phishing, script, iframe,
form and form input. This assumes that the various Allow * Tags settings
have the default 'disarm' settings, and Find Phishing Fraud and
Use Stricter Phishing Net also have their default 'yes' settings. 

> > Perhaps you should also send copies of the mail to Jules so he can
> > get them in his database.
> Via sending to this list, directly to this list, or did he set up an
> address for such use?

Jules will have to respond to this. I don't know what the mechanism
for reporting these is.

Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
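
The mismatch described in the message above (link text that looks like a URL or host name but names a different host from the href target) can be checked over an HTML body with a short script. This is an added example, not part of the original message and not MailScanner's own code; the names LinkAudit and find_mismatched_links, the exact-host comparison and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that "looks like a URL or host name": optional scheme, then a dotted name.
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[:/?#]|$)", re.I)

class LinkAudit(HTMLParser):
    """Record (href_host, text_host) for each <a> whose visible host differs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href = None       # href of the <a> currently open, if any
        self.text = []         # text fragments seen inside that <a>
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        target = (urlsplit(self.href).hostname or "").lower()
        m = HOSTLIKE.match("".join(self.text).strip())
        shown = m.group(1).lower() if m else None
        # Flag only when the text names a host and it is not the real target.
        if shown and target and shown != target:
            self.mismatches.append((target, shown))
        self.href = None

def find_mismatched_links(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.mismatches

# Constructed sample body (documentation-reserved hosts and addresses only).
SAMPLE = """
<p><a href="http://203.0.113.7/login">www.school.example</a></p>
<p><a href="https://www.school.example/help">https://www.school.example/help</a></p>
<p><a href="http://tracker.example.net/c?id=1">Click here</a></p>
<p><a href="http://login.example.org/"><b>webmail.school.example</b></a></p>
"""
if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE))
```

Each reported pair is (host the link really goes to, host the text claims), the same two values that appear in the "Found phishing fraud from ... claiming to be ..." log line.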
