Country Domains - Test

Shawn Iverson iversons at rushville.k12.in.us
Sun Jan 24 18:04:30 UTC 2016


This is what I see now...

17 from iversons at rushville.k12.in.us
Jan 24 12:23:36 efa MailScanner[22971]: HTML Img tag found in message
154C112018C.ACA17 from iversons at rushville.k12.in.us
Jan 24 12:23:36 efa MailScanner[22971]: Spam Checks: Starting
Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from
http://www.auda.bad.au/ claiming to be www.auda.org.au in 154C112018C.ACA17
Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from
http://www.auda.bad.org.au/ claiming to be www.auda.org.au in
154C112018C.ACA17
Jan 24 12:23:38 efa MailScanner[22971]: Content Checks: Detected and have
disarmed phishing tags in HTML message in 154C112018C.ACA17 from
iversons at rushville.k12.in.us

Doesn't really tell me how country.domains.conf is being interpreted, so I
added some debugging output to Message.pm...

Jan 24 12:59:50 efa MailScanner[30948]: Spam Checks: Starting
Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base
and 3rd level match
Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: Previous
Match was found

^ good first url is real and lookup of country.domains.conf occurred and
matched first two levels

Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or
second level domains do not match, no lookup of countries
Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from
http://www.auda.bad.au/ claiming to be www.auda.org.au in 3023A120E78.A9661

^ good no lookup needed because second tld are not the same

Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base
and 3rd level do not match
Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from
http://www.bad.org.au/ claiming to be www.auda.org.au in 3023A120E78.A9661

^ good domain base matches but 3rd level does not and lookup occurred

Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or
second level domains do not match, no lookup of countries

^ good final url is a domain.tld not in list

Jan 24 12:59:53 efa MailScanner[30948]: Content Checks: Detected and have
disarmed phishing tags in HTML message in 3023A120E78.A9661 from
iversons at rushville.k12.in.us

I'll test some of the more elegant urls in country.domains.conf now that I
have working output.

On Sun, Jan 24, 2016 at 12:14 PM, Shawn Iverson <
iversons at rushville.k12.in.us> wrote:

> Okay, so I fed links that match and don't match country.domains.conf, via
> email to MailScanner...
>
> Result doesn't show anything out of the ordinary...
>
> Jan 24 11:56:39 efa MailScanner[17846]: Virus and Content Scanning:
> Starting
> Jan 24 11:56:39 efa MailScanner[17846]: <A> tag found in message
> 5906C120064.A9741 from iversons at rushville.k12.in.us
> Jan 24 11:56:39 efa MailScanner[17846]: HTML Img tag found in message
> 5906C120064.A9741 from iversons at rushville.k12.in.us
> Jan 24 11:56:39 efa MailScanner[17846]: Spam Checks: Starting
> Jan 24 11:56:39 efa MailScanner[17846]: Expired 1 records from the
> SpamAssassin cache
>
> I took a look at some of the code to understand the process better...
>
>  ReadCountryDomainList(MailScanner::Config::Value('secondlevellist'))
>     unless MailScanner::Config::IsSimpleValue('strictphishing') &&
>            MailScanner::Config::Value('strictphishing')
>
> So, in my setup strict phishing is on, so this line is skipped. Turning it
> off to do some more testing...
>
>
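
The debug messages above describe comparing the link's real host with the host it claims to be, consulting the country list only when the top two levels agree. The sketch below is an added example, not MailScanner's code or part of the original post; it shows why that lookup matters by running the same comparison with and without the list. The names `base_domain` and `same_site` are hypothetical, the suffix entries are constructed stand-ins for lines of country.domains.conf, and it assumes org.au is one of them.

```perl
#!/usr/bin/perl
# Added illustration; not taken from Message.pm.
use strict;
use warnings;

# Constructed stand-ins for entries of country.domains.conf (assumption).
my %second_level = map { $_ => 1 } qw(org.au com.au co.uk);

# Registrable part of a hostname: the last two labels normally, the last
# three when the last two form a listed second-level country domain.
sub base_domain {
    my ($host, $use_list) = @_;
    my @labels = split /\./, lc $host;
    return lc $host if @labels <= 2;
    my $suffix = "$labels[-2].$labels[-1]";
    my $keep   = ($use_list && $second_level{$suffix}) ? 3 : 2;
    return join '.', @labels[-$keep .. -1];
}

# True when the href host and the host shown in the link text reduce to
# the same registrable domain.
sub same_site {
    my ($real, $claimed, $use_list) = @_;
    return base_domain($real, $use_list) eq base_domain($claimed, $use_list);
}

# (href host, host shown to the reader). The three *.bad.* hosts come from
# the log lines above; the two legitimate pairs are constructed.
my @links = (
    [ 'www.auda.org.au',     'www.auda.org.au' ],   # constructed
    [ 'mail.auda.org.au',    'www.auda.org.au' ],   # constructed
    [ 'www.auda.bad.au',     'www.auda.org.au' ],
    [ 'www.bad.org.au',      'www.auda.org.au' ],
    [ 'www.auda.bad.org.au', 'www.auda.org.au' ],
);

for my $link (@links) {
    my ($real, $claimed) = @$link;
    printf "%-20s claims %-16s two-label=%-6s with-list=%s\n",
        $real, $claimed,
        (same_site($real, $claimed, 0) ? 'match' : 'fraud'),
        (same_site($real, $claimed, 1) ? 'match' : 'fraud');
}
```

Without the list, www.bad.org.au and www.auda.bad.org.au both reduce to org.au and pass as a match; with it they reduce to bad.org.au and are flagged.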