Google sites still in phishing.bad.sites.conf?

Jerry Benton jerry.benton at mailborder.com
Fri Oct 30 10:56:44 UTC 2015


Check line 1107 of Config.pm to see how the blacklist is generated sans the whitelist items.

The .custom file is used during the creation of the list and not in the MailScanner code. If you examine the update_xxx files you can see that they read the respective .custom file and place those items at the top of the master lists (phishing.safe.sites.conf and phishing.bad.sites.conf) when those two files are created. MailScanner then reads those two files to determine the phishing bad sites. (Bad sites minus items found in the safe sites.) 

-
Jerry Benton
www.mailborder.com



> On Oct 30, 2015, at 6:42 AM, Paul Sand <pas at unh.edu> wrote:
> 
> * Jerry Benton <jerry.benton at mailborder.com> [2015-10-30 06:02]:
>> I have confirmed with Jules that the safe sites override the bad sites.
>> Are you using the update script from phishing.mailborder.com? 
> 
> Yes.
> 
>> If you are,
>> it creates an additional .custom file for both safe and bad sites. Add
>> your respective sites to each custom file. When the script runs to update
>> the master list of sites, your custom sites should be placed at the top of
>> each of the master files. (.conf files) 
> 
> Jules' assertion does not match with my experience, sorry. I've had the
> relevant Google sites in phishing.safe.sites.custom since we discussed
> this last month, but I still see "Found definite phishing fraud" entries
> from MailScanner in my mail logs.
> 
> I think the relevant code is here:
> 
> https://github.com/MailScanner/v4/blob/master/mailscanner/bin/MailScanner/Message.pm
> 
> At line 7310:
> 
> 
>      #
>      # Known Dangerous Sites List code here
>      #
>      my $AlreadyReported = 0;
>      if (InPhishingBlacklist($linkurl)) {
>        use bytes;
>        print MailScanner::Config::LanguageValue(0, 'definitefraudstart') .
>              ' "' . $linkurl . '"' .
>              MailScanner::Config::LanguageValue(0, 'definitefraudend') .
>              ' ' if $PhishingHighlight;
>        $DisarmPhishingFound = 1;
>        $linkurl = substr $linkurl, 0, 80;
>        $squashedtext = substr $squashedtext, 0, 80;
>        $DisarmDoneSomething{'phishing'} = 1 if $PhishingHighlight;
>        use bytes; # Don't send UTF16 to syslog, it breaks!
>        MailScanner::Log::NoticeLog('Found definite phishing fraud from %s ' .
>                                    'in %s', $DisarmLinkURL, $id);
>                                    #'in %s', $linkurl, $id);
>        no bytes;
>        $AlreadyReported = 1;
>      }
> 
> I don't see any provision for custom (or otherwise) safe sites. I would
> expect to see a check for "InPhishingWhitelist($linkurl)" in that case
> (which appears in a number of other places in the code).
> 
> 
> -- 
> -- Paul A Sand <pas at unh.edu>
> -- Information Technology / University of New Hampshire
> -- http://pubpages.unh.edu/~pas
> -- No measurable fat content.
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
> 
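
Added example (not from this thread and not MailScanner code): a shell version of the "bad sites minus safe sites" subtraction described in the message above, with checks that entries from a .custom file reached the generated master list and are no longer effectively blacklisted. It assumes one hostname per line, `#` comments and exact-match comparison; the function names and sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MailScanner code. Assumed list format: one hostname per
# line, '#' starts a comment, blank lines ignored, comparison is exact match.

# minus A B: print the normalized entries of file A that are absent from
# file B, keeping A's order and dropping duplicates.
minus() {
  awk '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, ""); $0 = tolower($0) }
    $0 == "" { next }
    FILENAME == ARGV[1] { skip[$0] = 1; next }
    !skip[$0] && !seen[$0]++ { print }
  ' "$2" "$1"
}

# effective_bad BAD SAFE: the "bad sites minus safe sites" set.
effective_bad() { minus "$1" "$2"; }

# not_merged CUSTOM MASTER: .custom entries that are missing from the
# generated master .conf file.
not_merged() { minus "$1" "$2"; }

# still_bad SAFE_CUSTOM BAD SAFE: safe.custom entries that remain blacklisted
# after the subtraction (prints nothing when the override works).
still_bad() {
  tmp=$(mktemp) || return 1
  effective_bad "$2" "$3" > "$tmp"
  minus "$1" "$tmp" > "$tmp.ok"   # custom entries NOT in the effective bad set
  minus "$1" "$tmp.ok"            # the remainder is still blacklisted
  rm -f "$tmp" "$tmp.ok"
}

demo() {
  d=$(mktemp -d) || return 1
  # Constructed sample lists (hypothetical hostnames).
  printf '%s\n' 'sites.example.com' 'phish.example.net' 'docs.example.com' > "$d/bad.conf"
  printf '%s\n' '# local overrides' 'sites.example.com' 'docs.example.com' > "$d/safe.custom"
  # Master safe list in which docs.example.com was never merged.
  printf '%s\n' 'sites.example.com' 'bank.example.org' > "$d/safe.conf"
  echo "effective bad:";     effective_bad "$d/bad.conf" "$d/safe.conf"
  echo "custom not merged:"; not_merged "$d/safe.custom" "$d/safe.conf"
  echo "custom still bad:";  still_bad "$d/safe.custom" "$d/bad.conf" "$d/safe.conf"
  rm -rf "$d"
}
demo
```

Point the three functions at copies of the real phishing.*.conf and phishing.*.custom files to see whether a site that still triggers "Found definite phishing fraud" is absent from the safe master list or present in both lists.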


