school targeted phishing getting past MailScanner and ScamNailer
Mark Sapiro
mark at msapiro.net
Sat Oct 24 17:26:45 IST 2009
On Fri, Oct 23, 2009 at 02:06:09PM -0600, Robert Lopez wrote:
> Mark,
>
> On Fri, Oct 23, 2009 at 10:28 AM, Mark Sapiro <mark at msapiro.net> wrote:
> >
> > The above do not result in blocked mail by themselves. They result in
> > mail being 'disarmed'. They come from HTML mail that has a link whose
> > 'text' looks like a URL or host name but has a different host from that
> > in the target URL.
>
> Are you certain? I thought those looked more like this log sample:
>
> Oct 23 13:10:48 mg04 MailScanner[27356]: Content Checks: Detected and
> have disarmed web bug tags in HTML message in 9C604660910.58CBE from
> newsletters at techrepublic.online.com

That is one type of disarming, but html that looks like

<a href="http://pr2.netatlantic.com/t/7800752/56969411/524/0/">
<strong>http://www.all-battery.com</strong></a>

will get replaced by

<a href="http://pr2.netatlantic.com/t/7800752/56969411/524/0/">
<font color="red"><b>MailScanner has detected a possible fraud attempt
from "pr2.netatlantic.com" claiming to be</b></font>
<strong>http://www.all-battery.com</strong></a>

and the {disarmed} tag will be added to the subject and this is logged as

Found phishing fraud from http://pr2.netatlantic.com/t/7800752/56969411/524/0/
claiming to be www.all-battery.com

There will also be a log message containing

Content Checks: Detected and have disarmed xxx tags in HTML message

where xxx is some combination of web bug, phishing, script, iframe,
form and form input. This assumes that the various Allow * Tags settings
have the default 'disarm' settings, and Find Phishing Fraud and
Use Stricter Phishing Net also have their default 'yes' settings.

> > Perhaps you should also send copies of the mail to Jules so he can
> > get them in his database.
>
> Via sending to this list, directly to this list, or did he set up an
> address for such use?

Jules will have to respond to this. I don't know what the mechanism
for reporting these is.

--
Mark Sapiro mark at msapiro net The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
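
Added example, not part of the original message and not MailScanner's own code: a simplified Python sketch of the check described above, flagging links whose visible text looks like a URL or host name that differs from the host in the href. The regex, the exact-match host comparison and the names HOSTLIKE, LinkMismatchFinder and find_mismatched_links are assumptions made for illustration; the example.org link is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that "looks like" a URL or bare host name (simplified assumption).
HOSTLIKE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]\S*)?$", re.I)

class LinkMismatchFinder(HTMLParser):
    """Collect (href_host, claimed_host) pairs where link text names another host."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href = None      # href of the <a> currently open, if any
        self.text = []        # text fragments seen inside that <a>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real = (urlsplit(self.href).hostname or "").lower()
        shown = HOSTLIKE.match("".join(self.text).strip())
        # Exact comparison: www.example.org vs example.org would also be flagged.
        if real and shown and shown.group(1).lower() != real:
            self.findings.append((real, shown.group(1).lower()))
        self.href = None

def find_mismatched_links(html):
    finder = LinkMismatchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# The link quoted in the message above, plus a constructed benign link.
SAMPLE = ('<a href="http://pr2.netatlantic.com/t/7800752/56969411/524/0/">'
          "<strong>http://www.all-battery.com</strong></a>"
          '<a href="http://www.example.org/news">www.example.org</a>')

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE))
```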