Phishing filter

Markus Nilsson markus at markusoft.se
Thu Jun 23 07:30:54 IST 2011


----- Original message -----
> From: "Scott Silva" <ssilva at sgvwater.com>
> To: mailscanner at lists.mailscanner.info
> Sent: Wednesday, 22 Jun 2011 19:07:34
> Subject: Re: Phishing filter
> on 6/22/2011 8:14 AM Markus Nilsson spake the following:
> >
> > ----- Original message -----
> >
> >> From: "Glenn Steen" <glenn.steen at gmail.com>
> >> To: "MailScanner discussion"
> >> <mailscanner at lists.mailscanner.info>
> >> Sent: Wednesday, 22 Jun 2011 16:52:32
> >> Subject: Re: Phishing filter
> >
> >> On 22 June 2011 09:40, Markus Nilsson < markus at markusoft.se >
> >> wrote:
> >
> >>> Hi
> >>
> >
> >>> I'm looking into whitelisting all private subnets in the phishing
> >>> filter, since we see quite a few mails with links within our
> >>> intranet
> >>> that are reported by the filter.
> >>
> >
> >>> Do you see any obvious disadvantages with this? If not I'll
> >>> submit
> >>> the patch to the list, and hope to get it included!
> >>
> >
> >>> It should be as simple as adding a few lines to
> >>> InPhishingWhiteList:
> >>
> >>> return 1 if $linkurl =~ m/^192\.168\.\d+\.\d+$/;
> >>
> >>> etc
> >>
> >
> >> Why would you need a patch? IIRC there is a
> >> "phishing.safe.sites.conf" file where you can add your
> >> local/intranet servers. Should do the trick:-).
> >
> >> Cheers!
> >> --
> >> -- Glenn
> >
> > Because I have a lot of users using this setup, using links to
> > different
> > intranets. So I would want to whitelist the entire nets, to not
> > need to
> > maintain such a list. The current phishing.safe.sites only accepts
> > left-hand-side wildcards (naturally) so I can't add the ranges
> > there with
> > less than specifying all addresses...
> >
> > The change to the code above would be much easier since that
> > effectively
> > whitelists all private ranges.
> >
> Not all private ranges.... how about 10.0.0.0/8 or 172.16.0.0/16?
> Maybe a patch that allows subnets in the whitelist would be better?
> Not that I would dare to write it.

That was a good idea! Shouldn't be too hard, guessing a few lines like
this would do the trick (in : sub InPhishingWhitelist, Message.pm)

*** /home/markus/Message.pm	2011-05-03 17:13:54.000000000 +0200
--- /home/markus/Message.pm.patch	2011-06-23 08:27:51.000000000 +0200
***************
*** 7604,7613 ****
--- 7604,7623 ----
    my($linkurl) = @_;

    # Quick lookup
    return 1 if $MailScanner::Config::PhishingWhitelist{$linkurl};

+   #Check for subnet entries
+   $subnet = 8;
+   $mask = "";
+   while ($linkurl ne "" && $linkurl =~ s/\.\d+$//) {
+     $mask .= ".0";
+     #print STDERR "Looking up " . $linkurl . $mask . "/" . $subnet . "\n";
+     return 1 if $MailScanner::Config::PhishingWhitelist{$linkurl . $mask . "/" . $subnet};
+     $subnet += 8;
+   }
+
    # Trim host. off the front of the hostname
    while ($linkurl ne "" && $linkurl =~ s/^[^.]+\.//) {
      # And replace it with *. then look it up
      #print STDERR "Looking up *.$linkurl\n";
      return 1 if $MailScanner::Config::PhishingWhitelist{'*.' . $linkurl};
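
Review bot: the prefix length in the added loop runs the wrong way: `$subnet` starts at 8 and grows, but the first pass has stripped only one octet, so 192.168.1.5 is looked up as 192.168.1.0/8, then 192.168.0.0/16, then 192.0.0.0/24. Start with `$subnet = 24` and use `$subnet -= 8` so the keys tried are /24, /16 and /8. `$subnet` and `$mask` should be declared with `my`, like `$linkurl` above them. The loop also edits `$linkurl` in place and never checks that it is a dotted quad, so the wildcard loop that follows sees the truncated value; run the subnet check on a copy that has first matched a four-octet pattern. With string keys only octet-aligned prefixes can ever match, so an entry such as 172.16.0.0/12 would never hit.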


 
 
--
This message has been scanned for viruses and dangerous content by CronLab
(www.cronlab.com), and is believed to be clean.
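
A subnet-aware whitelist check that handles any prefix length, as an added example (not part of the original post and not MailScanner code). The function names, the sample entries and the assumption that the link host has already been extracted are illustrative; only a literal dotted-quad host is accepted, so a hostname that merely begins with private-looking octets is not whitelisted.

```perl
use strict;
use warnings;

# Constructed sample entries (not taken from a real MailScanner config).
my @WHITELIST_CIDRS = ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');

# Strict dotted quad -> 32-bit integer. Returns undef for hostnames, octets
# above 255 and leading-zero octets (which some clients read as octal).
sub ip_to_int {
  my ($host) = @_;
  return unless defined $host
    && $host =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
  my @octets = ($1, $2, $3, $4);
  for my $octet (@octets) {
    return if $octet > 255 || $octet =~ /\A0\d/;
  }
  return ($octets[0] << 24) | ($octets[1] << 16) | ($octets[2] << 8) | $octets[3];
}

# "a.b.c.d/len" -> [network, mask]; undef when the entry is malformed.
sub parse_cidr {
  my ($entry) = @_;
  my ($addr, $len) = $entry =~ m{\A([\d.]+)/(\d{1,2})\z} or return;
  my $net = ip_to_int($addr);
  return unless defined $net && $len <= 32;
  my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
  return [$net, $mask];
}

# True only when $host is a literal IPv4 address inside one of @cidrs.
sub in_cidr_whitelist {
  my ($host, @cidrs) = @_;
  my $ip = ip_to_int($host);
  return 0 unless defined $ip;
  for my $entry (@cidrs) {
    my $parsed = parse_cidr($entry) or next;
    my ($net, $mask) = @$parsed;
    return 1 if ($ip & $mask) == ($net & $mask);
  }
  return 0;
}

# Constructed link hosts: private and public literals, plus a hostname and a
# leading-zero form that only look like private addresses.
for my $host (qw(192.168.1.5 172.31.255.1 172.32.0.1 203.0.113.7
                 10.0.0.1.example.com 010.1.2.3)) {
  printf "%-22s %s\n", $host,
    in_cidr_whitelist($host, @WHITELIST_CIDRS) ? 'whitelisted' : 'not whitelisted';
}
```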


