does MailScanner rewrite URL
Robert Lopez
rlopezcnm at gmail.com
Thu May 27 02:45:59 IST 2010
My peers and I are having a discussion. This is the context taken from
an actual email an instructor sent to students:

I'm happy you've enrolled in this course. Begin by printing and
reading the Week 1 Learning Map at MailScanner has detected a
possible fraud attempt from "lummail.cnm.edu:6777" claiming to be
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm.
<http://lummail.cnm.edu:6777/redir.aspx?C=840d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
This map will be your to-do list for completing the first week's
assignments.

My peers believe MailScanner sees this part:
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm
And that MailScanner generates this and adds it to the message:
<http://lummail.cnm.edu:6777/redir.aspx?C=840d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
I am thinking (hoping) that in fact MailScanner is finding that last
long string hidden in the email (possibly in some HTML code?).

If MailScanner is generating it, why? How is it interpreted? How to
stop it? Is that port 6777 Beagle.A virus; a Windows virus on a
Red Hat server?

What MailScanner code is involved in generating this (possible fraud
attempt) message?
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
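
Added example, not part of the original post and not MailScanner code: decoding the long URL quoted in the message one redirect layer at a time shows which host each layer points at, next to the host in the visible link text. The function names are illustrative; both URLs are copied from the message above.

```python
from urllib.parse import urlsplit, parse_qs

# Link target quoted in the message (reported host: lummail.cnm.edu:6777).
REPORTED = (
    "http://lummail.cnm.edu:6777/redir.aspx?C=840d793b97b94b0c855f60f95249126c"
    "&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734"
    "%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking"
    "%252fnanseeking%252fde0950%252fdefault.aspx"
)
# Visible link text quoted in the message.
VISIBLE = ("https://people.cnm.edu/personal/nseeking/nanseeking/"
           "de0950/weeklymaps/week01_12wk.htm")


def unwrap(url, param="URL", max_depth=10):
    """Return every layer of a nested redirect URL, outermost first.

    parse_qs removes one level of percent-encoding per pass, so each
    iteration peels exactly one redirector off the chain.
    """
    layers = [url]
    for _ in range(max_depth):  # bounded so a hostile URL cannot loop forever
        inner = parse_qs(urlsplit(layers[-1]).query).get(param)
        if not inner:
            break
        layers.append(inner[0])
    return layers


def host_port(url):
    """Return (hostname, explicit port or None) for a URL."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def same_host(a, b):
    """True when two URLs name the same host, ignoring case."""
    return host_port(a)[0] == host_port(b)[0]


if __name__ == "__main__":
    print("visible text host:", host_port(VISIBLE))
    for depth, layer in enumerate(unwrap(REPORTED)):
        print(f"layer {depth}: {host_port(layer)} "
              f"matches visible host: {same_host(layer, VISIBLE)}")
        print("   ", layer)
```
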