does MailScanner rewrite URL

Robert Lopez rlopezcnm at gmail.com
Thu May 27 16:46:09 IST 2010


On Thu, May 27, 2010 at 8:28 AM, Mark Sapiro <mark at msapiro.net> wrote:
> On 11:59 AM, Robert Lopez wrote:
>> My peers and I are having a discussion. This is the context taken from
>> an actual email an instructor sent to students:
>>
>> I'm happy you've  enrolled in this course.  Begin by printing and
>> reading the  Week 1  Learning Map at MailScanner has detected a
>> possible fraud attempt from "lummail.cnm.edu:6777" claiming to be
>> https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm.
>> <http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
>>     This map will be your to-do list for completing the first week's
>> assignments.
>>
>> My peers believe MailScanner sees this part:
>>
>> https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm
>>
>> And that MailScanner generates this and adds it to the message:
>>
>> <http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx>
>>
>> I am thinking (hoping) that in fact MailScanner is finding that last
>> long string hidden in the email (possibly in some html code?).
>
>
> MailScanner sees the following HTML in the incoming message:
>
> <a
> href="http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx">https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm</a>
>
> This is generated by the MUA (probably some lummail mail app) used by
> the instructor to generate the message. If the link were unchanged by
> MailScanner, and a recipient clicks the visible
> "https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm"
> link, the target is actually the
> "http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx"
> URL which presumably will ultimately redirect to the visible URL after
> accumulating whatever information it is trying to track.
>
> MailScanner sees that the visible link text looks like a URL but doesn't
> match the actual href= URL in the tag so it sanitizes the whole thing,

AH! That is enlightening. That was not clear before.
You have confirmed that MailScanner did not generate the long URL
that it then finds, determines the mismatch, and then sanitizes.

> but MailScanner is in no way responsible for generating the
> "http://lummail.cnm.edu:6777/redir.aspx?C„0d793b97b94b0c855f60f95249126c&URL=https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx%3fC%3d3cf3a1ea1bc74939934074259ff11734%26URL%3dhttps%253a%252f%252fpeople.cnm.edu%252fpersonal%252fnseeking%252fnanseeking%252fde0950%252fdefault.aspx"
> URL in the first place. That was generated by the application the
> instructor used to generate the mail in the first place.
>
>> If MailScanner is generating it why?, how is it interpreted?, how to
>> stop it?  Is that port 6777 Beagle.A virus; a windows virus on a
>> Redhat server?
>
>
> No. Port 6777 is the port that the lummail statistics gathering (privacy
> invasion) software is using. See http://lummail.com/.

I talked with the administrator of the services that run on the
lummail.cnm system and I found 6777 is a port belonging to an application
that sends SMTP out that port. Last night when I nmap'd that system that
port was not listed and it really got me worried.

>
>
>> What MailScanner code is involved in generating this (possible fraud
>> attempt) message?
>
>
> # If a phishing fraud is detected, do you want to highlight the tag with
> # a message stating that the link may be to a fraudulent web site.
> # This can also be the filename of a ruleset.
> Highlight Phishing Fraud = yes
>
> Also see other MailScanner.conf settings containing Phishing in their names.

In this case, it now looks like the instructor copied a few links that
were posted in an email that was sent to her. She read that email via an
Outlook Web Access web page and pasted them into her email.

I am now thinking the OWA system redirected the URL associated with the
visible URL text. It may have been appropriate for the client browser, at
the moment the instructor was reading the email she received, to follow
the link for her use. But she copied it and then pasted it into an email
she was composing on an entirely different (no Exchange, no .NET) Solaris
based email system. At that point the URL text and the URL HTML were a
mismatch. Then when she sent her email out to the students that email
passed through MailScanner. MailScanner found the mismatch and performed
the resulting sanitization. Then the students were not able to access the
pages.

Sound plausible?

That is my current hypothesis, now I have to test it.

>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>


-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
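The check Mark describes above (visible anchor text that looks like a URL but does not match the href) and the nested OWA redirect chain can be reproduced offline. The following is an added example written for this archive page; it is not MailScanner's own code, and its hostname comparison is a simplification of MailScanner's Phishing checks. The sample HTML, the C= tokens and the syllabus and "click here" anchors are constructed to match the shape of the quoted message, not copied from it.

```python
"""
Flag <a> tags whose visible text is a URL on a different host than the
href, and peel redir.aspx?...&URL= wrappers (one URL encoded inside the
query string of another) to find the final destination without fetching.
This is an illustration written for the thread, not MailScanner code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample with the same nesting as the instructor's message.
# The C= tokens are made-up placeholders, not the values from the thread.
_INNER = "https://people.cnm.edu/personal/nseeking/nanseeking/de0950/default.aspx"
_OWA = "https://owa.cnm.edu/OWA/redir.aspx?C=deadbeef&URL=" + quote(_INNER, safe="")
_LUMMAIL = "http://lummail.cnm.edu:6777/redir.aspx?C=cafef00d&URL=" + quote(_OWA, safe="")
_VISIBLE = "https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm"

SAMPLE_HTML = (
    '<p>Begin by printing the Week 1 Learning Map at '
    '<a href="%s">%s</a>.</p>\n' % (_LUMMAIL, _VISIBLE)
    + '<p>Syllabus: <a href="https://people.cnm.edu/syllabus.htm">'
    'https://people.cnm.edu/syllabus.htm</a></p>\n'
    + '<p><a href="http://lummail.cnm.edu:6777/redir.aspx?C=1&URL=https%3A%2F%2Fpeople.cnm.edu%2F">'
    'click here</a></p>\n'
)

# Visible text that a reader would take for a URL (simplified heuristic).
URLISH = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)


def _split(url):
    """Return (hostname, host:port) for a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    return (p.hostname or "").lower(), p.netloc.lower()


def unwrap_redirects(url, max_hops=10):
    """Follow ?...&URL=<encoded target> wrappers purely by parsing; no network.
    parse_qs decodes one layer of %-encoding per hop, which is exactly how
    a doubly wrapped OWA link unwinds."""
    hops = [url]
    while len(hops) <= max_hops:
        target = parse_qs(urlparse(hops[-1]).query).get("URL")
        if not target:
            break
        hops.append(target[0])
    return hops


def check_anchor(href, text):
    """Compare the host the reader sees with the host the click really goes to."""
    hops = unwrap_redirects(href)
    actual_host, actual_netloc = _split(href)
    visible_host = _split(text)[0] if URLISH.match(text) else None
    return {
        "href": href,
        "text": text,
        "visible_host": visible_host,
        "actual_host": actual_host,
        "actual_netloc": actual_netloc,
        "final_target": hops[-1],
        "hops": len(hops) - 1,
        "phishing_mismatch": visible_host is not None and visible_host != actual_host,
    }


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan(html):
    """Return one finding per anchor in the HTML body."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    return [check_anchor(href, text) for href, text in collector.anchors]


def annotate(finding):
    """Render a flagged anchor in the wording seen in the quoted message."""
    if not finding["phishing_mismatch"]:
        return finding["text"]
    return 'MailScanner has detected a possible fraud attempt from "%s" claiming to be %s' % (
        finding["actual_netloc"], finding["text"])


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(annotate(f))
        print("  final target after %d hop(s): %s" % (f["hops"], f["final_target"]))
```

Running it flags only the first anchor, reports lummail.cnm.edu:6777 as the real first hop, and unwinds two layers of redir.aspx wrappers to a people.cnm.edu page. Note, as in the HTML Mark quotes, that the innermost target ends in default.aspx while the visible text names week01_12wk.htm; the two differ in path as well as host, so unwrapping the chain is worth doing before deciding a flagged link is harmless.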