does MailScanner rewrite URL

Mark Sapiro mark at msapiro.net
Thu May 27 15:28:24 IST 2010


On 11:59 AM, Robert Lopez wrote:
> My peers and I are having a discussion. This is the context taken from
> an actual email an instructor sent to students:
> 
> I'm happy you've enrolled in this course. Begin by printing and
> reading the Week 1 Learning Map at MailScanner has detected a
> possible fraud attempt from "lummail.cnm.edu:6777" claiming to be
> https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm.
> <http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
>     This map will be your to-do list for completing the first week's
> assignments.
> 
> My peers believe MailScanner sees this part:
> 
> https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm
> 
> And that MailScanner generates this and adds it to the message:
> 
> <http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
> 
> I am thinking (hoping) that in fact MailScanner is finding that last
> long string hidden in the email (possibly in some html code?).


MailScanner sees the following HTML in the incoming message:

<a
href="http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx">https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm</a>

This is generated by the MUA (probably some lummail mail app) used by
the instructor to generate the message. If the link were unchanged by
MailScanner, and a recipient clicks the visible
"https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm"
link, the target is actually the
"http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx"
URL which presumably will ultimately redirect to the visible URL after
accumulating whatever information it is trying to track.

MailScanner sees that the visible link text looks like a URL but doesn't
match the actual href= URL in the tag so it sanitizes the whole thing,
but MailScanner is in no way responsible for generating the
"http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx"
URL in the first place. That was generated by the application the
instructor used to generate the mail in the first place.

> If MailScanner is generating it, why? How is it interpreted? How to
> stop it? Is that port 6777 the Beagle.A virus; a Windows virus on a
> Red Hat server?


No. Port 6777 is the port that the lummail statistics gathering (privacy
invasion) software is using. See http://lummail.com/.


> What MailScanner code is involved in generating this (possible fraud
> attempt) message?


# If a phishing fraud is detected, do you want to highlight the tag with
# a message stating that the link may be to a fraudulent web site.
# This can also be the filename of a ruleset.
Highlight Phishing Fraud = yes

Also see other MailScanner.conf settings containing Phishing in their names.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
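As an added illustration of the check described in the reply above (example code written for this page, not MailScanner's own Perl code), this Python snippet pulls each anchor out of an HTML fragment, flags a visible link text that looks like a URL but points at a different host than the href, and unwraps the nested redir.aspx ?URL= layers offline to show where the click would finally land. The anchor is constructed in the shape of the one quoted in the thread; the two tracking tokens are placeholders, not values from the original message.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample anchor in the shape the post describes; OUTER_TOKEN and
# INNER_TOKEN are placeholders, not the tracking values from the real message.
SAMPLE_HTML = (
    '<a href="http://lummail.cnm.edu:6777/redir.aspx?C=OUTER_TOKEN'
    '&amp;URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3dINNER_TOKEN'
    '%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking'
    '%252fnanseeking%252fde0950%252fdefault.aspx">'
    'https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/'
    'week01_12wk.htm</a>'
)

ANCHOR_RE = re.compile(r'<a\b[^>]*?href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT_RE = re.compile(r'^(?:https?://|www\.)\S+$', re.I)


def hostname_of(url):
    """Lower-cased hostname of a URL; bare 'www.x' text is treated as http://."""
    if '://' not in url:
        url = 'http://' + url
    return (urlparse(url).hostname or '').lower()


def anchors(html_text):
    """Yield (href, visible_text) for every <a href="..."> in the fragment."""
    for href, body in ANCHOR_RE.findall(html_text):
        text = html.unescape(re.sub(r'<[^>]+>', '', body)).strip()
        yield html.unescape(href), text


def is_link_mismatch(href, text):
    """True when the visible text looks like a URL whose host differs from the href host."""
    return bool(URL_TEXT_RE.match(text)) and hostname_of(text) != hostname_of(href)


def unwrap_redirects(url, param='URL', max_depth=5):
    """Follow nested ?URL= redirector parameters offline; returns the whole chain."""
    chain = [url]
    for _ in range(max_depth):
        inner = parse_qs(urlparse(chain[-1]).query).get(param)
        if not inner:
            break
        chain.append(inner[0])  # parse_qs already percent-decodes one layer
    return chain


def scan(html_text):
    """One report per anchor: href, visible text, mismatch flag, decoded chain."""
    return [{'href': h, 'text': t, 'mismatch': is_link_mismatch(h, t),
             'chain': unwrap_redirects(h)} for h, t in anchors(html_text)]
```

Running scan(SAMPLE_HTML) flags the anchor as a mismatch (visible host people.cnm.edu, href host lummail.cnm.edu) and decodes two redirect layers down to the default.aspx page, which is the same reasoning MailScanner applies before highlighting the link.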