Dangerous in-line attachments

Pramod Daya pramod at mindspring.co.za
Wed Dec 15 10:02:01 UTC 2021

Thanks, Mark.  

Frustratingly, the bit.ly links are just not getting picked up when embedded in HTML messages.

-----Original Message-----
From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> On Behalf Of Mark Sapiro
Sent: Tuesday, 14 December 2021 00:27
To: mailscanner at lists.mailscanner.info
Subject: Re: Dangerous in-line attachments

On 12/13/21 3:25 AM, Pramod Daya via MailScanner wrote:
> No - only in phishing.bad.sites.conf and in phishing.bad.sites.custom.
> For good measure I cat "bit.ly" at the end of the phishing.bad.sites.conf file but it's still getting through.

There are two possibilities, but you've possibly already ruled out one.

The first is that MailScanner doesn't read phishing.bad.sites.custom directly. It relies on the /usr/sbin/ms-update-phishing command being run periodically by cron to prepend phishing.bad.sites.custom to phishing.bad.sites.conf. This in turn relies on ms_cron_ps being set to 1 in /etc/MailScanner/defaults and the various hourly, daily, etc ms-cron jobs being run by cron.

However, you put bit.ly directly in phishing.bad.sites.conf so assuming MailScanner's children got restarted between your adding it and the message not being disarmed, that's not the issue.

The other issue is that phishing tags are only flagged and disarmed in HTML message parts. A bit.ly url in a plain text message or message part will never be flagged or disarmed.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
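
Added example, not part of the thread and not MailScanner code: a diagnostic that walks a message's MIME parts and reports which part type each listed host appears in, since per the reply above only HTML parts are flagged and disarmed. The sample message, the function names, the one-host-per-line list format and the host matching rule are assumptions made for illustration; MailScanner's own matching is not reproduced here.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: the same listed host in a plain-text part and an HTML part.
SAMPLE = b"""\
From: sender@example.com
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Invoice: https://bit.ly/plain-only

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://bit.ly/in-html">Invoice</a></body></html>

--b1--
"""

def load_bad_sites(text):
    """Parse list content: one host per line, '#' starts a comment (assumed format)."""
    lines = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {line for line in lines if line}

def listed(host, bad_sites):
    """True if host equals a listed entry or is a subdomain of one (assumed rule)."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in bad_sites)

def audit_message(raw_bytes, bad_sites):
    """Return (content_type, url, in_html_part) for every URL on a listed host."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and non-text attachments
        ctype = part.get_content_type()
        for url in URL_RE.findall(part.get_content()):
            if listed(urlsplit(url).hostname or "", bad_sites):
                findings.append((ctype, url, ctype == "text/html"))
    return findings
```

Run against a saved copy of a message that got through: a listed URL reported only with `in_html_part` set to `False` was in a part that, per the reply above, is never flagged or disarmed.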
