Country Domains - Test

Shawn Iverson iversons at rushville.k12.in.us
Mon Jan 25 17:39:30 UTC 2016


I may play in my fork and see what I can do for future versions.

On Sun, Jan 24, 2016 at 2:09 PM, Jerry Benton <jerry.benton at mailborder.com>
wrote:

> Yeah, I figured as much. I am going to pull those from the list. I really
> appreciate you testing this out.
>
> -
> Jerry Benton
> www.mailborder.com
> Sent from my iPhone
>
> On Jan 24, 2016, at 13:24, Shawn Iverson <iversons at rushville.k12.in.us>
> wrote:
>
> Ok found some issues with unicode characters.  Tested the 公司.cn
> <http://xn--55qx5d.cn>
> domain.  Something mangled the Chinese in the link tags...
>
> Also, 公司.cn <http://xn--55qx5d.cn> can be represented as "xn--55qx5d.cn"
> as Punycode.  Should these be included as well?  Also is the issue that the
> text is "公司.cn <http://xn--55qx5d.cn>" but the link is "xn--55qx5d.cn",
> which technically is right, but won't match.  It appears that MailScanner
> can't handle this without some changes.
>
> Jan 24 13:12:16 efa MailScanner[30911]: Spam Checks: Starting
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
> second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from
> http://公司.cn <http://xn--55qx5d.cn> claiming to be
> www.å▒¬å▒¸.cn in D40FA120E78.AAB9A
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
> second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from
> http://somedomain.公司.cn <http://somedomain.xn--55qx5d.cn> claiming to be
> www.somedomain.å▒¬å▒¸.cn in D40FA120E78.AAB9A
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
> second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[977]: Found phishing fraud from
> http://fakedomain.公司.cn/ <http://fakedomain.xn--55qx5d.cn/> claiming to
> be www.somedomain.å▒¬å▒¸.cn in D40FA120E78.AAB9A
> Jan 24 13:12:18 efa MailScanner[977]: Debug Countries List: First and/or
> second level domains do not match, no lookup of countries
> Jan 24 13:12:18 efa MailScanner[30911]: Content Checks: Detected and have
> disarmed phishing tags in HTML message in D40FA120E78.AAB9A from
> iversons at rushville.k12.in.us
>
> On Sun, Jan 24, 2016 at 1:04 PM, Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
>> This is what I see now...
>>
>> 17 from iversons at rushville.k12.in.us
>> Jan 24 12:23:36 efa MailScanner[22971]: HTML Img tag found in message
>> 154C112018C.ACA17 from iversons at rushville.k12.in.us
>> Jan 24 12:23:36 efa MailScanner[22971]: Spam Checks: Starting
>> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from
>> http://www.auda.bad.au/ claiming to be www.auda.org.au in
>> 154C112018C.ACA17
>> Jan 24 12:23:38 efa MailScanner[24427]: Found phishing fraud from
>> http://www.auda.bad.org.au/ claiming to be www.auda.org.au in
>> 154C112018C.ACA17
>> Jan 24 12:23:38 efa MailScanner[22971]: Content Checks: Detected and have
>> disarmed phishing tags in HTML message in 154C112018C.ACA17 from
>> iversons at rushville.k12.in.us
>>
>> Doesn't really tell me how country.domains.conf is being interpreted, so
>> I added some debugging output to Message.pm...
>>
>> Jan 24 12:59:50 efa MailScanner[30948]: Spam Checks: Starting
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base
>> and 3rd level match
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: Previous
>> Match was found
>>
>> ^ good first url is real and lookup of country.domains.conf occurred and
>> matched first two levels
>>
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First
>> and/or second level domains do not match, no lookup of countries
>> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from
>> http://www.auda.bad.au/ claiming to be www.auda.org.au in
>> 3023A120E78.A9661
>>
>> ^ good no lookup needed because second tld are not the same
>>
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: domain base
>> and 3rd level do not match
>> Jan 24 12:59:52 efa MailScanner[31111]: Found phishing fraud from
>> http://www.bad.org.au/ claiming to be www.auda.org.au in
>> 3023A120E78.A9661
>>
>> ^ good domain base matches but 3rd level does not and lookup occurred
>>
>> Jan 24 12:59:52 efa MailScanner[31111]: Debug Countries List: First
>> and/or second level domains do not match, no lookup of countries
>>
>> ^ good final url is a domain.tld not in list
>>
>> Jan 24 12:59:53 efa MailScanner[30948]: Content Checks: Detected and have
>> disarmed phishing tags in HTML message in 3023A120E78.A9661 from
>> iversons at rushville.k12.in.us
>>
>> I'll test some of the more elegant urls in country.domains.conf now that
>> I have working output.
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner


-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
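
The mismatch reported in the thread (link text in Unicode, href in Punycode) goes away if both sides are converted to their ASCII form before they are compared. The sketch below is an added example, not part of the original message and not MailScanner code: it is written in Python rather than MailScanner's Perl, `ascii_host` and `same_host` are hypothetical names, the sample strings are constructed from the hosts in the log, and it compares whole host names only (it does not reproduce the country.domains.conf logic).

```python
from urllib.parse import urlsplit


def ascii_host(value):
    """Return the lower-case ASCII (Punycode) host of a URL or bare host name.

    Accepts str or UTF-8 bytes. Returns None when no host can be extracted
    or the host is not valid for IDNA encoding.
    """
    try:
        if isinstance(value, bytes):
            # Decode explicitly as UTF-8. Reading these bytes as a
            # single-byte charset yields the mangled form seen in the log.
            value = value.decode("utf-8")
        value = value.strip()
        if "://" not in value:
            value = "//" + value         # make urlsplit parse it as a netloc
        host = urlsplit(value).hostname  # drops scheme, port, userinfo, path
        if not host:
            return None
        # Python's built-in codec applies IDNA 2003 label by label.
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except ValueError:                   # includes UnicodeError
        return None


def same_host(link_text, href):
    """True only when both sides name the same host after IDNA encoding."""
    a, b = ascii_host(link_text), ascii_host(href)
    return a is not None and a == b


# Constructed samples based on the hosts that appear in the log above.
UNICODE_TEXT = "公司.cn"
PUNYCODE_HREF = "http://xn--55qx5d.cn"
# UTF-8 bytes misread as Latin-1, the kind of mangling shown in the log.
MANGLED_TEXT = UNICODE_TEXT.encode("utf-8").decode("latin-1")

if __name__ == "__main__":
    print(same_host(UNICODE_TEXT, PUNYCODE_HREF))                  # same host
    print(same_host(UNICODE_TEXT.encode("utf-8"), PUNYCODE_HREF))  # raw bytes
    print(same_host("www.somedomain.公司.cn",
                    "http://fakedomain.xn--55qx5d.cn/"))           # differs
    print(same_host(MANGLED_TEXT, PUNYCODE_HREF))                  # mangled
```
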