Dangerous in-line attachments
Mark Sapiro
mark at msapiro.net
Mon Dec 13 22:27:06 UTC 2021
On 12/13/21 3:25 AM, Pramod Daya via MailScanner wrote:
> No - only in phishing.bad.sites.conf and in phishing.bad.sites.custom.
>
> For good measure I cat "bit.ly" at the end of the phishing.bad.sites.conf file but it's still getting through.

There are two possibilities, but you've possibly already ruled out one.

The first is that MailScanner doesn't read phishing.bad.sites.custom
directly. It relies on the /usr/sbin/ms-update-phishing command being
run periodically by cron to prepend phishing.bad.sites.custom to
phishing.bad.sites.conf. This in turn relies on ms_cron_ps being set to
1 in /etc/MailScanner/defaults and the various hourly, daily, etc
ms-cron jobs being run by cron.

However, you put bit.ly directly in phishing.bad.sites.conf so assuming
MailScanner's children got restarted between your adding it and the
message not being disarmed, that's not the issue.

The other issue is that phishing tags are only flagged and disarmed in
HTML message parts. A bit.ly url in a plain text message or message part
will never be flagged or disarmed.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
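
A diagnostic for the second possibility described in the message above, added here as an example; it is not part of the original post or of MailScanner. It lists which text parts of a message mention a domain and whether each part is HTML, using a plain substring match rather than MailScanner's own logic. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy

# Constructed sample: multipart/alternative in which only the plain-text
# part carries the short link.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: constructed test message\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"See https://bit.ly/constructed for details\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<p>See the plain-text part for details</p>\r\n"
    b"--b1--\r\n"
)

def parts_mentioning(raw, domain):
    """Return (content_type, is_html) for each text part whose body has domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and non-text attachments
        try:
            body = part.get_content()  # decoded per transfer encoding/charset
        except (LookupError, UnicodeError):
            body = part.get_payload(decode=True).decode("latin-1")
        if domain.lower() in body.lower():
            ctype = part.get_content_type()
            hits.append((ctype, ctype == "text/html"))
    return hits

def explain(raw, domain):
    """Map the result onto the two possibilities from the message above."""
    hits = parts_mentioning(raw, domain)
    if not hits:
        return "domain not present in any text part"
    if any(is_html for _, is_html in hits):
        return "domain is in an HTML part: check the site list and restart"
    return "domain only in non-HTML parts: phishing check does not apply"
```

Run `explain()` on the raw bytes of the message that got through, with the domain that was added to the site list.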