Country Domains - Test

Jerry Benton jerry.benton at mailborder.com
Sun Jan 24 18:08:47 UTC 2016


Try one of those Chinese domains. Yes, seriously.

-
Jerry Benton
www.mailborder.com

> On Jan 24, 2016, at 13:04, Shawn Iverson <iversons at rushville.k12.in.us> wrote:
> 
> This is what I see now...
> 
> 17 from iversons at rushville.k12.in.us
> Jan 24 12:23:36 efa MailScanner[22971]: HTML Img tag found in message 154C112018C.ACA17 from iversons at rushville.k12.in.us
> Jan 24 12:23:36 efa MailScanner[22971]: Spam Checks: Starting
> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from http://www.auda.bad.au/ claiming to be www.auda.org.au in 154C112018C.ACA17
> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from http://www.auda.bad.org.au/ claiming to be www.auda.org.au in 154C112018C.ACA17
> Jan 24 12:23:38 efa MailScanner[22971]: Content Checks: Detected and have disarmed phishing tags in HTML message in 154C112018C.ACA17 from iversons at rushville.k12.in.us
> 
> Doesn't really tell me how country.domains.conf is being interpreted, so I added some debugging output to Message.pm...
> 
> Jan 24 12:59:50 efa MailScanner[30948]: Spam Checks: Starting
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base and 3rd level match
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: Previous Match was found
> 
> ^ good first url is real and lookup of country.domains.conf occurred and matched first two levels
> 
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from http://www.auda.bad.au/ claiming to be www.auda.org.au in 3023A120E78.A9661
> 
> ^ good no lookup needed because second tld are not the same
> 
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base and 3rd level do not match
> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from http://www.bad.org.au/ claiming to be www.auda.org.au in 3023A120E78.A9661
> 
> ^ good domain base matches but 3rd level does not and lookup occurred
> 
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
> 
> ^ good final url is a domain.tld not in list
> 
> Jan 24 12:59:53 efa MailScanner[30948]: Content Checks: Detected and have disarmed phishing tags in HTML message in 3023A120E78.A9661 from iversons at rushville.k12.in.us
> 
> I'll test some of the more elegant urls in country.domains.conf now that I have working output.
> 
>> On Sun, Jan 24, 2016 at 12:14 PM, Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>> 
>> Okay, so I fed links that match and don't match country.domains.conf, via email to MailScanner...
>> 
>> Result doesn't show anything out of the ordinary...
>> 
>> Jan 24 11:56:39 efa MailScanner[17846]: Virus and Content Scanning: Starting
>> Jan 24 11:56:39 efa MailScanner[17846]: <A> tag found in message 5906C120064.A9741 from iversons at rushville.k12.in.us
>> Jan 24 11:56:39 efa MailScanner[17846]: HTML Img tag found in message 5906C120064.A9741 from iversons at rushville.k12.in.us
>> Jan 24 11:56:39 efa MailScanner[17846]: Spam Checks: Starting
>> Jan 24 11:56:39 efa MailScanner[17846]: Expired 1 records from the SpamAssassin cache
>> 
>> I took a look at some of the code to understand the process better...
>> 
>>  ReadCountryDomainList(MailScanner::Config::Value('secondlevellist'))
>>     unless MailScanner::Config::IsSimpleValue('strictphishing') &&
>>            MailScanner::Config::Value('strictphishing')
>> 
>> So, in my setup strict phishing is on, so this line is skipped, turning off to do some more testing...
> 
> 
> 
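Added example, not part of the original thread and not MailScanner's own code: a simplified Python model of the non-strict link comparison that the debug lines quoted above describe, run against the three test URLs from the logs. The function names, reason strings and the sample suffix set standing in for country.domains.conf are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for country.domains.conf (assumption: a set of
# second-level country suffixes; only org.au is implied by the thread).
SECOND_LEVEL = {"org.au", "com.au", "co.uk"}


def host_labels(value):
    """Lower-cased hostname labels from a URL or a bare hostname."""
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host.rstrip(".").split(".")


def compare(link, claimed, second_level=SECOND_LEVEL):
    """Return (is_mismatch, reason) for an href versus the host its text claims."""
    a, b = host_labels(link), host_labels(claimed)
    if len(a) < 2 or len(b) < 2:
        return True, "hostname too short to compare"
    if a[-2:] != b[-2:]:
        return True, "first/second level differ, no country lookup"
    if ".".join(a[-2:]) not in second_level:
        return False, "domain.tld match, suffix not in list"
    if a[-3:] != b[-3:]:
        return True, "domain base matches, 3rd level differs"
    return False, "domain base and 3rd level match"


if __name__ == "__main__":
    claimed = "www.auda.org.au"
    for href in ("http://www.auda.org.au/", "http://www.auda.bad.au/",
                 "http://www.bad.org.au/"):
        print(href, compare(href, claimed))
    # With an empty list the org.au look-alike is compared on two labels only.
    print(compare("http://www.bad.org.au/", claimed, second_level=set()))
```

The last call shows why the list matters in this model: without an org.au entry, www.bad.org.au and www.auda.org.au compare equal on their last two labels and the mismatch is not reported.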