Country Domains - Test

Shawn Iverson iversons at rushville.k12.in.us
Sun Jan 24 18:24:22 UTC 2016


Ok found some issues with unicode characters.  Tested the 公司.cn <http://xn--55qx5d.cn>
domain.  Something mangled the Chinese in the link tags...

Also, 公司.cn <http://xn--55qx5d.cn> can be represented as "xn--55qx5d.cn" as
Punycode.  Should these be included as well?  Also is the issue that the
text is "公司.cn <http://xn--55qx5d.cn>" but the link is "xn--55qx5d.cn",
which technically is right, but won't match.  It appears that MailScanner
can't handle this without some changes.

Jan 24 13:12:16 efa MailScanner[30911]: Spam Checks: Starting
Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
second level domains do not match, no lookup of countries
Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from http://公司.cn
<http://xn--55qx5d.cn> claiming to be www.å▒¬å▒¸.cn
in D40FA120E78.AAB9A
Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
second level domains do not match, no lookup of countries
Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from
http://somedomain.公司.cn <http://somedomain.xn--55qx5d.cn> claiming to be
www.somedomain.å▒¬å▒¸.cn in D40FA120E78.AAB9A
Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
second level domains do not match, no lookup of countries
Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from
http://fakedomain.公司.cn/ <http://fakedomain.xn--55qx5d.cn/> claiming to be
www.somedomain.å▒¬å▒¸.cn in D40FA120E78.AAB9A
Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
second level domains do not match, no lookup of countries
Jan 24 13:12:18 efa MailScanner[30911]: Content Checks: Detected and have
disarmed phishing tags in HTML message in D40FA120E78.AAB9A from
iversons at rushville.k12.in.us

On Sun, Jan 24, 2016 at 1:04 PM, Shawn Iverson <iversons at rushville.k12.in.us> wrote:

> This is what I see now...
>
> 17 from iversons at rushville.k12.in.us
> Jan 24 12:23:36 efa MailScanner[22971]: HTML Img tag found in message
> 154C112018C.ACA17 from iversons at rushville.k12.in.us
> Jan 24 12:23:36 efa MailScanner[22971]: Spam Checks: Starting
> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from
> http://www.auda.bad.au/ claiming to be www.auda.org.au in
> 154C112018C.ACA17
> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from
> http://www.auda.bad.org.au/ claiming to be www.auda.org.au in
> 154C112018C.ACA17
> Jan 24 12:23:38 efa MailScanner[22971]: Content Checks: Detected and have
> disarmed phishing tags in HTML message in 154C112018C.ACA17 from
> iversons at rushville.k12.in.us
>
> Doesn't really tell me how country.domains.conf is being interpreted, so I
> added some debugging output to Message.pm...
>
> Jan 24 12:59:50 efa MailScanner[30948]: Spam Checks: Starting
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base
> and 3rd level match
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: Previous
> Match was found
>
> ^ good first url is real and lookup of country.domains.conf occurred and
> matched first two levels
>
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or
> second level domains do not match, no lookup of countries
> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from
> http://www.auda.bad.au/ claiming to be www.auda.org.au in
> 3023A120E78.A9661
>
> ^ good no lookup needed because second tld are not the same
>
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base
> and 3rd level do not match
> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from
> http://www.bad.org.au/ claiming to be www.auda.org.au in 3023A120E78.A9661
>
> ^ good domain base matches but 3rd level does not and lookup occurred
>
> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or
> second level domains do not match, no lookup of countries
>
> ^ good final url is a domain.tld not in list
>
> Jan 24 12:59:53 efa MailScanner[30948]: Content Checks: Detected and have
> disarmed phishing tags in HTML message in 3023A120E78.A9661 from
> iversons at rushville.k12.in.us
>
> I'll test some of the more elegant urls in country.domains.conf now that I
> have working output.
>
>
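
The mismatch described in this message arises when the same hostname appears once as Unicode link text and once as Punycode in the href. As an added example (not MailScanner's code and not part of the original post), this Python code converts both sides to Punycode before comparing them. The Latin-1 mojibake repair is an assumption about how the names in the log were mangled, and all function names are hypothetical.

```python
from urllib.parse import urlsplit


def repair_mojibake(host: str) -> str:
    """Undo UTF-8 bytes that were decoded as Latin-1 (the assumed cause of
    the mangled names in the log). Input that does not fit is returned as-is."""
    if host.isascii():
        return host
    try:
        return host.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return host


def to_alabel(host: str) -> str:
    """Return the lower-case ASCII (Punycode) form of a hostname."""
    host = repair_mojibake(host.rstrip("."))
    # Python's built-in codec implements IDNA 2003 and raises UnicodeError
    # for labels it cannot encode.
    return host.encode("idna").decode("ascii").lower()


def host_of(text: str) -> str:
    """Hostname from a URL, or from a bare host such as link text."""
    if "://" not in text:
        text = "//" + text
    return urlsplit(text).hostname or ""


def same_host(link_text: str, href: str) -> bool:
    """Compare the displayed host and the href host in Punycode form."""
    return to_alabel(host_of(link_text)) == to_alabel(host_of(href))


if __name__ == "__main__":
    # Hostnames taken from the log lines in this message.
    pairs = [
        ("somedomain.公司.cn", "http://somedomain.xn--55qx5d.cn"),
        ("www.somedomain.公司.cn", "http://fakedomain.xn--55qx5d.cn/"),
    ]
    for text, href in pairs:
        verdict = "match" if same_host(text, href) else "MISMATCH"
        print(f"{to_alabel(host_of(text))} vs {to_alabel(host_of(href))}: {verdict}")
```
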