Dangerous in-line attachments

Mark Sapiro mark at msapiro.net
Mon Dec 13 22:27:06 UTC 2021

On 12/13/21 3:25 AM, Pramod Daya via MailScanner wrote:
> No - only in phishing.bad.sites.conf and in phishing.bad.sites.custom.
> For good measure I cat "bit.ly" at the end of the phishing.bad.sites.conf file but it's still getting through.

There are two possibilities, but you've possibly already ruled out one.

The first is that MailScanner doesn't read phishing.bad.sites.custom 
directly. It relies on the /usr/sbin/ms-update-phishing command being 
run periodically by cron to prepend phishing.bad.sites.custom to 
phishing.bad.sites.conf. This in turn relies on ms_cron_ps being set to 
1 in /etc/MailScanner/defaults and the various hourly, daily, etc 
ms-cron jobs being run by cron.

However, you put bit.ly directly in phishing.bad.sites.conf so assuming 
MailScanner's children got restarted between your adding it and the 
message not being disarmed, that's not the issue.

The other issue is that phishing tags are only flagged and disarmed in 
HTML message parts. A bit.ly url in a plain text message or message part 
will never be flagged or disarmed.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list