Dangerous in-line attachments
Mark Sapiro
mark at msapiro.net
Wed Dec 15 17:16:43 UTC 2021
On 12/15/21 2:02 AM, Pramod Daya via MailScanner wrote:
> Thanks, Mark.
>
> Frustratingly, the bit.ly links are just not getting picked up when embedded in HTML messages.
It works for me with MailScanner 5.4.3-1
Add `bit.ly` to /etc/MailScanner/phishing.bad.sites.custom
run `sudo ms-update-phishing`
run `sudo systemctl restart mailscanner`
Send this raw message:
------------------------------------------------
To: mark at msapiro.net
From: mark at msapiro.net
Subject: A test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="123456789"

--123456789
Content-Type: text/plain

A test with a http://bit.ly/junk URL.
--123456789
Content-Type: text/html

A test with a <a href="http://bit.ly/junk">junk</a> URL.
--123456789--
------------------------------------------------
These are logged
Dec 15 09:05:18 msapiro MailScanner[60735]: Found definite phishing
fraud from http://bit.ly/junk in 97D6F3403C0.A4591
Dec 15 09:05:18 msapiro MailScanner[58081]: Content Checks: Detected and
have disarmed phishing tags in HTML message in 97D6F3403C0.A4591 from
mark at msapiro.net
and this is the delivered message
------------------------------------------------
From mark at msapiro.net Wed Dec 15 09:05:18 2021
Return-Path: <mark at msapiro.net>
X-Original-To: mark at msapiro.net
Delivered-To: mark at msapiro.net
Received: from localhost (localhost [127.0.0.1])
	by msapiro.net (Postfix) with QMQP id BFE763403C6
	for <mark at msapiro.net>; Wed, 15 Dec 2021 09:05:18 -0800 (PST)
Received: from msapiro.net (localhost [127.0.0.1])
	(no client certificate requested)
	by msapiro.net (MailScanner Milter) with SMTP id 97D6F3403C0
	for <mark at msapiro.net>; Wed, 15 Dec 2021 09:05:10 -0800 (PST)
To: mark at msapiro.net
From: mark at msapiro.net
Subject: {Disarmed} A test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="123456789"
Message-Id: <20211215170510.97D6F3403C0 at msapiro.net>
Date: Wed, 15 Dec 2021 09:05:10 -0800 (PST)
X-msapiro-MailScanner-ID: 97D6F3403C0.A4591
X-msapiro-MailScanner: Found to be clean
X-msapiro-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=1.379, required 6, ALL_TRUSTED -1.00, NO_DNS_FOR_FROM 0.38,
	PDS_TINYSUBJ_URISHRT 1.00, SHORT_SHORTNER 1.00)
X-msapiro-MailScanner-SpamScore: s
X-msapiro-MailScanner-From: mark at msapiro.net
X-Spam-Status: No

--123456789
Content-Type: text/plain

A test with a http://bit.ly/junk URL.
--123456789
Content-Type: text/html

A test with a <a href="http://bit.ly/junk"><font
color="red"><b>MailScanner has detected definite fraud in the website at
"bit.ly". Do <i>not</i> trust this website:</b></font> junk</a> URL.
--123456789--
------------------------------------------------
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
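
An added example, not part of the original post or of MailScanner: a Python check that a delivered copy of the test message above was actually disarmed, keyed on the `{Disarmed}` subject tag and the warning text visible in the delivered message. The function names and `user@example.com` address are assumptions, and the sample message is constructed from the one shown above.

```python
from email import message_from_string, policy
from email.message import EmailMessage

SUBJECT_TAG = "{Disarmed}"  # subject prefix seen in the delivered message above
WARNING = "MailScanner has detected definite fraud in the website at"  # text seen above

# Constructed sample: the delivered message from the post, trimmed to the relevant headers.
SAMPLE_DELIVERED = """\
To: user@example.com
From: user@example.com
Subject: {Disarmed} A test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="123456789"

--123456789
Content-Type: text/plain

A test with a http://bit.ly/junk URL.
--123456789
Content-Type: text/html

A test with a <a href="http://bit.ly/junk"><font
color="red"><b>MailScanner has detected definite fraud in the website at
"bit.ly". Do <i>not</i> trust this website:</b></font> junk</a> URL.
--123456789--
"""

def build_test_message(addr, url):
    """Build a multipart/alternative test message with the same URL in both parts."""
    msg = EmailMessage()
    msg["To"], msg["From"], msg["Subject"] = addr, addr, "A test"
    msg.set_content(f"A test with a {url} URL.\n")
    msg.add_alternative(f'A test with a <a href="{url}">junk</a> URL.\n', subtype="html")
    return msg

def check_delivered(raw, host):
    """Report whether the subject was tagged and the HTML part carries the warning for host."""
    msg = message_from_string(raw, policy=policy.default)
    result = {"subject_tagged": str(msg["Subject"] or "").startswith(SUBJECT_TAG),
              "html_warned": False, "plain_mentions_host": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Collapse whitespace: the inserted warning is wrapped across lines.
        body = " ".join(part.get_content().split())
        if part.get_content_type() == "text/html":
            result["html_warned"] = f'{WARNING} "{host}"' in body
        elif part.get_content_type() == "text/plain":
            result["plain_mentions_host"] = host in body
    return result
```

Feeding the output of `build_test_message(...).as_string()` straight into `check_delivered` gives the "not picked up" result, which is what an unscanned or unmatched message looks like.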