does MailScanner rewrite URL

Robert Lopez rlopezcnm at gmail.com
Thu May 27 02:45:59 IST 2010


My peers and I are having a discussion. This is the context taken from
an actual email an instructor sent to students:

I'm happy you've  enrolled in this course.  Begin by printing and
reading the  Week 1  Learning Map at MailScanner has detected a
possible fraud attempt from "lummail.cnm.edu:6777" claiming to be
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm.
<http://lummail.cnm.edu:6777/redir.aspx?C=840d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
    This map will be your to-do list for completing the first week's
assignments.

My peers believe MailScanner sees this part:

https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm

And that MailScanner generates this and adds it to the message:

<http://lummail.cnm.edu:6777/redir.aspx?C=840d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>

I am thinking (hoping) that in fact MailScanner is finding that last
long string hidden in the email (possibly in some HTML code?).

If MailScanner is generating it, why? How is it interpreted? How to
stop it? Is that port 6777 the Beagle.A virus; a Windows virus on a
Red Hat server?

What MailScanner code is involved in generating this (possible fraud
attempt) message?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
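
Added example, not part of the original post and not MailScanner's own code: it unwraps the nested, percent-encoded `URL=` parameters of the long link quoted above and compares the host of the visible link text with the host of the actual target, the same two values the warning names. The function names and the simplified host comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Link target and visible link text, copied from the message quoted above.
HREF = ("http://lummail.cnm.edu:6777/redir.aspx?C=840d793b97b94b0c855f60f95249126c"
        "&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734"
        "%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking"
        "%252fnanseeking%252fde0950%252fdefault.aspx")
SHOWN = "https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm"


def unwrap(url, param="url", max_hops=10):
    """Return every URL in a chain of redirector links, outermost first.

    Each hop carries the next one percent-encoded in a query parameter;
    parse_qsl removes exactly one layer of encoding per hop.
    """
    chain = [url]
    for _ in range(max_hops):  # bounded so a self-referencing link cannot loop
        query = parse_qsl(urlsplit(chain[-1]).query)
        inner = next((v for k, v in query if k.lower() == param), None)
        if not inner or urlsplit(inner).scheme not in ("http", "https"):
            break
        chain.append(inner)
    return chain


def host_port(url):
    """Host (and port, if given) of a URL, lower-cased for comparison."""
    return urlsplit(url).netloc.lower()


def text_matches_target(shown, href):
    """Simplified check: does the visible link text name the host the link opens?"""
    return host_port(shown) == host_port(href)


if __name__ == "__main__":
    for hop in unwrap(HREF):
        print(host_port(hop), "<-", hop)
    print("text matches first hop:", text_matches_target(SHOWN, HREF))
```

The chain shows three hops (lummail.cnm.edu:6777, then owa.cnm.edu, then people.cnm.edu), so the visible text and the first hop name different hosts even though the innermost destination is on the host the text shows.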

