Dangerous in-line attachments
Pramod Daya
pramod at mindspring.co.za
Thu Dec 16 16:30:12 UTC 2021
Naïve question - I tend to stick with the stable versions (5.3.4-3 now...) - anything I should be worried about by migrating to 5.4.3-1?
-----Original Message-----
From: MailScanner <mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info> On Behalf Of Mark Sapiro
Sent: Wednesday, 15 December 2021 19:17
To: mailscanner at lists.mailscanner.info
Subject: Re: Dangerous in-line attachments
On 12/15/21 2:02 AM, Pramod Daya via MailScanner wrote:
> Thanks, Mark.
>
> Frustratingly, the bit.ly links are just not getting picked up when embedded in HTML messages.
It works for me with MailScanner 5.4.3-1
Add `bit.ly` to /etc/MailScanner/phishing.bad.sites.custom
run `sudo ms-update-phishing`
run `sudo systemctl restart mailscanner`
Send this raw message:
------------------------------------------------
To: mark at msapiro.net
From: mark at msapiro.net
Subject: A test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="123456789"

--123456789
Content-Type: text/plain

A test with a http://bit.ly/junk URL.
--123456789
Content-Type: text/html

A test with a <a href="http://bit.ly/junk">junk</a> URL.
--123456789--
------------------------------------------------
These are logged
Dec 15 09:05:18 msapiro MailScanner[60735]: Found definite phishing fraud from http://bit.ly/junk in 97D6F3403C0.A4591
Dec 15 09:05:18 msapiro MailScanner[58081]: Content Checks: Detected and have disarmed phishing tags in HTML message in 97D6F3403C0.A4591 from mark at msapiro.net
and this is the delivered message
------------------------------------------------
From mark at msapiro.net Wed Dec 15 09:05:18 2021
Return-Path: <mark at msapiro.net>
X-Original-To: mark at msapiro.net
Delivered-To: mark at msapiro.net
Received: from localhost (localhost [127.0.0.1])
    by msapiro.net (Postfix) with QMQP id BFE763403C6
    for <mark at msapiro.net>; Wed, 15 Dec 2021 09:05:18 -0800 (PST)
Received: from msapiro.net (localhost [127.0.0.1])
    (no client certificate requested)
    by msapiro.net (MailScanner Milter) with SMTP id 97D6F3403C0
    for <mark at msapiro.net>; Wed, 15 Dec 2021 09:05:10 -0800 (PST)
To: mark at msapiro.net
From: mark at msapiro.net
Subject: {Disarmed} A test
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="123456789"
Message-Id: <20211215170510.97D6F3403C0 at msapiro.net>
Date: Wed, 15 Dec 2021 09:05:10 -0800 (PST)
X-msapiro-MailScanner-ID: 97D6F3403C0.A4591
X-msapiro-MailScanner: Found to be clean
X-msapiro-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
    score=1.379, required 6, ALL_TRUSTED -1.00, NO_DNS_FOR_FROM 0.38,
    PDS_TINYSUBJ_URISHRT 1.00, SHORT_SHORTNER 1.00)
X-msapiro-MailScanner-SpamScore: s
X-msapiro-MailScanner-From: mark at msapiro.net
X-Spam-Status: No

--123456789
Content-Type: text/plain

A test with a http://bit.ly/junk URL.
--123456789
Content-Type: text/html

A test with a <a href="http://bit.ly/junk"><font color="red"><b>MailScanner has detected definite fraud in the website at "bit.ly". Do <i>not</i> trust this website:</b></font> junk</a> URL.
--123456789--
------------------------------------------------
--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
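A way to check a delivered copy of the test message for links that were not disarmed, as an added example (not part of the original posts and not MailScanner code): it parses the text/html parts and reports anchors whose host is on a bad-sites list but whose link text lacks the warning seen in the delivered message above. The function names, the example.com addresses and the subdomain match are assumptions of this example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

WARNING = "MailScanner has detected"  # warning text as seen in the delivered message

class _Anchors(HTMLParser):  # collects (href, inner text) for every <a> element
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None

def undisarmed_links(raw, bad_hosts):
    """Return hrefs in text/html parts that hit a listed host but carry no warning."""
    missed = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        parser = _Anchors()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, text in parser.anchors:
            host = (urlsplit(href).hostname or "").lower()
            # Subdomain matching is an assumption of this example.
            listed = any(host == b or host.endswith("." + b) for b in bad_hosts)
            if listed and WARNING not in text:
                missed.append(href)
    return missed

def _sample(html_body):  # constructed message modelled on the test message in the post
    return ("To: user@example.com\nFrom: user@example.com\nSubject: A test\n"
            'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="123456789"\n\n'
            "--123456789\nContent-Type: text/plain\n\nA test with a http://bit.ly/junk URL.\n"
            "--123456789\nContent-Type: text/html\n\n" + html_body + "\n--123456789--\n")

SENT = _sample('A test with a <a href="http://bit.ly/junk">junk</a> URL.')
DELIVERED = _sample('A test with a <a href="http://bit.ly/junk"><font color="red"><b>'
                    'MailScanner has detected definite fraud in the website at "bit.ly". '
                    'Do <i>not</i> trust this website:</b></font> junk</a> URL.')
```

Running `undisarmed_links` over the copy that arrives in the mailbox gives an empty list when every listed link was rewritten, and the offending hrefs otherwise.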