Country Domains - Test

Jerry Benton jerry.benton at mailborder.com
Sun Jan 24 19:09:54 UTC 2016


Yeah, I figured as much. I am going to pull those from the list. I really appreciate you testing this out.

-
Jerry Benton
www.mailborder.com
Sent from my iPhone

> On Jan 24, 2016, at 13:24, Shawn Iverson <iversons at rushville.k12.in.us> wrote:
> 
> Ok found some issues with unicode characters.  Tested the 公司.cn
> domain.  Something mangled the Chinese in the link tags...
> 
> Also, 公司.cn can be represented as "xn--55qx5d.cn" as Punycode.  Should these be included as well?  Also is the issue that the text is "公司.cn" but the link is "xn--55qx5d.cn", which technically is right, but won't match.  It appears that MailScanner can't handle this without some changes.
> 
> Jan 24 13:12:16 efa MailScanner[30911]: Spam Checks: Starting
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from http://公司.cn claiming to be www.å▒¬å▒¸.cn in D40FA120E78.AAB9A
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from http://somedomain.公司.cn claiming to be www.somedomain.å▒¬å▒¸.cn in D40FA120E78.AAB9A
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from http://fakedomain.公司.cn/ claiming to be www.somedomain.å▒¬å▒¸.cn in D40FA120E78.AAB9A
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[30911]: Content Checks: Detected and have disarmed phishing tags in HTML message in D40FA120E78.AAB9A from iversons at rushville.k12.in.us
> 
>> On Sun, Jan 24, 2016 at 1:04 PM, Shawn Iverson <iversons at rushville.k12.in.us> wrote:
>> This is what I see now...
>> 
>> 17 from iversons at rushville.k12.in.us
>> Jan 24 12:23:36 efa MailScanner[22971]: HTML Img tag found in message 154C112018C.ACA17 from iversons at rushville.k12.in.us
>> Jan 24 12:23:36 efa MailScanner[22971]: Spam Checks: Starting
>> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from http://www.auda.bad.au/ claiming to be www.auda.org.au in 154C112018C.ACA17
>> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from http://www.auda.bad.org.au/ claiming to be www.auda.org.au in 154C112018C.ACA17
>> Jan 24 12:23:38 efa MailScanner[22971]: Content Checks: Detected and have disarmed phishing tags in HTML message in 154C112018C.ACA17 from iversons at rushville.k12.in.us
>> 
>> Doesn't really tell me how country.domains.conf is being interpreted, so I added some debugging output to Message.pm...
>> 
>> Jan 24 12:59:50 efa MailScanner[30948]: Spam Checks: Starting
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base and 3rd level match
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: Previous Match was found
>> 
>> ^ good first url is real and lookup of country.domains.conf occurred and matched first two levels
>> 
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
>> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from http://www.auda.bad.au/ claiming to be www.auda.org.au in 3023A120E78.A9661
>> 
>> ^ good no lookup needed because second tld are not the same
>> 
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base and 3rd level do not match
>> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from http://www.bad.org.au/ claiming to be www.auda.org.au in 3023A120E78.A9661
>> 
>> ^ good domain base matches but 3rd level does not and lookup occurred
>> 
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First and/or second level domains do not match, no lookup of countries
>> 
>> ^ good final url is a domain.tld not in list
>> 
>> Jan 24 12:59:53 efa MailScanner[30948]: Content Checks: Detected and have disarmed phishing tags in HTML message in 3023A120E78.A9661 from iversons at rushville.k12.in.us
>> 
>> I'll test some of the more elegant urls in country.domains.conf now that I have working output.
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
> 
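The 公司.cn / xn--55qx5d.cn mismatch described in the quoted message, as an added example that is not part of the original thread and is not MailScanner's code: the visible link text and the href are both converted to their ASCII (Punycode) form before they are compared. The function names and sample links are constructed for illustration, Python's built-in `idna` codec (IDNA 2003) stands in for whatever IDN library a real implementation would use, and the third sample assumes the mangling comes from UTF-8 bytes read as Latin-1.

```python
# Added illustration; not MailScanner code. Names and sample links are constructed.
from urllib.parse import urlsplit


def to_alabel(host: str) -> str:
    """Return the lower-cased ASCII (Punycode) form of a hostname."""
    host = host.strip().rstrip(".").lower()
    try:
        # Built-in codec: IDNA 2003 nameprep + Punycode, applied per label.
        # Pure-ASCII labels (including existing xn-- labels) pass through.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        # Invalid IDN (e.g. control characters left by a charset mix-up):
        # keep the raw string; it will not equal any valid A-label form.
        return host


def host_of(text: str) -> str:
    """Hostname from a full URL or from bare link text like 'www.example.cn'."""
    text = text.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat bare text as a netloc
    return urlsplit(text).hostname or ""


def hosts_match(link_text: str, href: str) -> bool:
    """Compare what the link displays with where it points, after normalisation."""
    return to_alabel(host_of(link_text)) == to_alabel(host_of(href))


def naive_match(link_text: str, href: str) -> bool:
    """Plain string comparison without IDN normalisation, for contrast."""
    return host_of(link_text) == host_of(href)


if __name__ == "__main__":
    samples = [
        # Same domain, Unicode text vs Punycode href: should match.
        ("公司.cn", "http://xn--55qx5d.cn/"),
        # Different hosts under the same IDN suffix: should not match.
        ("www.somedomain.公司.cn", "http://fakedomain.公司.cn/"),
        # Assumed mangling: UTF-8 bytes decoded as Latin-1. Should not match.
        ("公司.cn".encode("utf-8").decode("latin-1"), "http://公司.cn/"),
    ]
    for text, href in samples:
        print(repr(text), href, naive_match(text, href), hosts_match(text, href))
```
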