does MailScanner rewrite URL

Mark Sapiro mark at msapiro.net
Thu May 27 20:24:56 IST 2010


Robert Lopez wrote:

>On Thu, May 27, 2010 at 8:28 AM, Mark Sapiro <mark at msapiro.net> wrote:

>> No. Port 6777 is the port that the lummail statistics gathering (privacy
>> invasion) software is using. See http://lummail.com/.
>
>I talked with the administrator of the services that run on the
>lummail.cnm system and I found 6777 is a port belonging to an
>application that sends SMTP out that port.
>Last night when I nmap'd that system that port was not listed and it
>really got me worried.


At the moment, there is something listening on lummail.cnm.edu:6777
which accepts an HTTP GET request and responds with an HTTP 404 status
and a short document that says "Not found". I expect this occurs in
part at least because the initial hash code in the url has gotten
garbled or maybe points to an expired record of some type.


>>> What MailScanner code is involved in generating this (possible fraud
>>> attempt) message?
>>
>>
>> # If a phishing fraud is detected, do you want to highlight the tag with
>> # a message stating that the link may be to a fraudulent web site.
>> # This can also be the filename of a ruleset.
>> Highlight Phishing Fraud = yes
>>
>> Also see other MailScanner.conf settings containing Phishing in their names.
>
>In this case, it now looks like the instructor copied a few links that
>were posted in an email that was sent to her. She read that email via
>an Outlook Web Access web page and pasted them into her email.
>
>I am now thinking the OWA system redirected the URL associated with the
>viable URL text. It may have been appropriate for the client browser at
>the moment the instructor was reading the email she received for her
>use to follow the link. But she copied it and then pasted it into an
>email she was composing on an entirely different (no Exchange, no .NET)
>Solaris based email system. At that point the URL text and the URL html
>were a mismatch. Then when she sent her email out to the students that
>email passed through MailScanner. MailScanner found the mismatch and
>performed the resulting sanitation. Then the students were not able to
>access the pages.
>
>Sound plausible?


The URL that is the target of the link actually looks like a double
redirection. It goes to http://lummail.cnm.edu:6777/redir.aspx with a
long query fragment that looks like a redirect to
https://owa.cnm.edu/OWA/redir.aspx with its own query fragment that in
turn ultimately redirects to
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm.

MailScanner doesn't do any analysis of this or its validity. All
MailScanner does is see that the text portion of the presented link
begins "https://people.cnm.edu/" and the href= URL begins
"http://lummail.cnm.edu:6777/" and these are not the same domain, so
that triggers its Phish fraud response.

The reason the students couldn't access the page is that even though
MailScanner "disarmed" the link, the
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm
in the email was still only the text portion of an HTML link that went
to the original target http://lummail.cnm.edu:6777/...etc URL, and
that URL didn't work.

Had the students copied the
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm
URL and pasted it in a browser, it would have worked and in fact still
does work.

The first problem was the instructor copied and pasted an HTML link
without understanding that that original link was not a direct link to
https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm
but was in fact that complicated double redirect link. Whether the
link got garbled in this process or quit working for other reasons, I
can't say, but the bottom line is MailScanner didn't add anything or
invent that long URL, nor did MailScanner break it. MailScanner just
made visible what was hidden in the original mail.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
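The check Mark describes (compare the host in the visible link text with the host in the href, and flag the link when they differ) is simple enough to show end to end. The following is an added illustration, not MailScanner's own code: it parses the HTML part of a message, reports every anchor whose displayed text is a URL on a different host than its target, and appends a visible warning to that anchor so the hidden target is no longer hidden. It assumes a simplified rule (only anchors whose text starts with http:// or https:// are compared) and uses a constructed sample message; the query string on the lummail redirect is a placeholder, since the real one is not reproduced on the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none (mailto:, relative paths)."""
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Simplified rule (assumption): only compare hosts when the shown text is itself a URL."""
    return text.startswith(("http://", "https://"))


class LinkAuditor(HTMLParser):
    """One-pass parser: rebuilds the HTML verbatim, and for every <a> whose
    visible text is a URL on a different host than the href, records a
    finding and appends a visible warning right after the anchor."""

    def __init__(self) -> None:
        # Keep character references as written so the rebuilt HTML stays faithful.
        super().__init__(convert_charrefs=False)
        self.findings: list[tuple[str, str]] = []  # (shown text, real href)
        self.out: list[str] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            if looks_like_url(shown) and host_of(shown) != host_of(self._href):
                self.findings.append((shown, self._href))
                self.out.append(
                    f" [WARNING: link text claims {host_of(shown)} "
                    f"but the target is {host_of(self._href)}]"
                )
            self._href = None
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def audit_html(html: str) -> tuple[list[tuple[str, str]], str]:
    """Return (findings, rewritten HTML with warnings appended to mismatched links)."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    return p.findings, "".join(p.out)


# Constructed sample resembling the message in the thread: the shown text is a
# people.cnm.edu URL, but the href goes through the lummail.cnm.edu:6777 redirector.
# The C=... query value is a placeholder, not the real one.
SAMPLE_HTML = (
    '<p>Maps for week 1: '
    '<a href="http://lummail.cnm.edu:6777/redir.aspx?C=PLACEHOLDER&amp;URL='
    'https%3a%2f%2fowa.cnm.edu%2fOWA%2fredir.aspx">'
    'https://people.cnm.edu/personal/nseeking/nanseeking/de0950/weeklymaps/week01_12wk.htm'
    '</a></p>'
    '<p>Syllabus: <a href="https://people.cnm.edu/syllabus.htm">'
    'https://people.cnm.edu/syllabus.htm</a></p>'
    '<p>Contact: <a href="mailto:instructor@example.com">instructor@example.com</a></p>'
)

if __name__ == "__main__":
    findings, rewritten = audit_html(SAMPLE_HTML)
    for shown, href in findings:
        print(f"MISMATCH: text host {host_of(shown)} vs target host {host_of(href)}")
    print(rewritten)
```

Running it flags only the first link: the syllabus link agrees with itself, and the mailto link has no URL text so it is never compared. Note that, exactly as in the thread, the warning does not alter the href: a reader who clicks still lands on the lummail redirector, so the only way to reach the intended page is to copy the visible people.cnm.edu URL.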
