Dangerous in-line attachments

mailscanner at barendse.to mailscanner at barendse.to
Thu Dec 30 15:58:21 UTC 2021


Is "ms-update-phishing" run automagically on a new installation? Or should 
I add an entry to crontab to run it?

My /etc/MailScanner/phishing.bad.sites.conf is updated I think as it states
# Built by Mailborder Systems
# Build Time: Thu, 30 Dec 21 00:15:02 -0500

But the erroneous bit.ly. is still there

Thanks!



On Wed, 15 Dec 2021, Mark Sapiro wrote:

> On 12/15/21 2:02 AM, Pramod Daya via MailScanner wrote:
>> Thanks, Mark.
>> 
>> Frustratingly, the bit.ly links are just not getting picked up when embedded 
>> in HTML messages.
>
> It works for me with MailScanner 5.4.3-1
>
> Add `bit.ly` to /etc/MailScanner/phishing.bad.sites.custom
> run `sudo ms-update-phishing`
> run `sudo systemctl restart mailscanner`
>
> Send this raw message:
> ------------------------------------------------
> To: mark at msapiro.net
> From: mark at msapiro.net
> Subject: A test
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary="123456789"
>
> --123456789
> Content-Type: text/plain
>
> A test with a http://bit.ly/junk URL.
> --123456789
> Content-Type: text/html
>
> A test with a <a href="http://bit.ly/junk">junk</a> URL.
> --123456789--
> ------------------------------------------------
>
> These are logged
> Dec 15 09:05:18 msapiro MailScanner[60735]: Found definite phishing fraud 
> from http://bit.ly/junk in 97D6F3403C0.A4591
> Dec 15 09:05:18 msapiro MailScanner[58081]: Content Checks: Detected and have 
> disarmed phishing tags in HTML message in 97D6F3403C0.A4591 from 
> mark at msapiro.net
>
>
> and this is the delivered message
> ------------------------------------------------
> From mark at msapiro.net  Wed Dec 15 09:05:18 2021
> Return-Path: <mark at msapiro.net>
> X-Original-To: mark at msapiro.net
> Delivered-To: mark at msapiro.net
> Received: from localhost (localhost [127.0.0.1])
> 	by msapiro.net (Postfix) with QMQP id BFE763403C6
> 	for <mark at msapiro.net>; Wed, 15 Dec 2021 09:05:18 -0800 (PST)
> Received: from msapiro.net (localhost [127.0.0.1])
> 	(no client certificate requested)
> 	by msapiro.net (MailScanner Milter) with SMTP id 97D6F3403C0
> 	for <mark at msapiro.net>; Wed, 15 Dec 2021 09:05:10 -0800 (PST)
> To: mark at msapiro.net
> From: mark at msapiro.net
> Subject: {Disarmed} A test
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary="123456789"
> Message-Id: <20211215170510.97D6F3403C0 at msapiro.net>
> Date: Wed, 15 Dec 2021 09:05:10 -0800 (PST)
> X-msapiro-MailScanner-ID: 97D6F3403C0.A4591
> X-msapiro-MailScanner: Found to be clean
> X-msapiro-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> 	score=1.379, required 6, ALL_TRUSTED -1.00, NO_DNS_FOR_FROM 0.38,
> 	PDS_TINYSUBJ_URISHRT 1.00, SHORT_SHORTNER 1.00)
> X-msapiro-MailScanner-SpamScore: s
> X-msapiro-MailScanner-From: mark at msapiro.net
> X-Spam-Status: No
>
> --123456789
> Content-Type: text/plain
>
> A test with a http://bit.ly/junk URL.
> --123456789
> Content-Type: text/html
>
> A test with a <a href="http://bit.ly/junk"><font color="red"><b>MailScanner 
> has detected definite fraud in the website at "bit.ly". Do <i>not</i> trust 
> this website:</b></font> junk</a> URL.
> --123456789--
> ------------------------------------------------
>
>
> -- 
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
>
>
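
A way to confirm from the mail log that the test quoted above took effect, as an added example that is not part of the original thread: it pairs each "Found definite phishing fraud" entry with the matching "disarmed phishing tags" entry by MailScanner message ID. It assumes each log entry is a single line in the real log (the archive wraps them); the function names, the third sample line and its placeholder ID are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the two log entries quoted in the thread, unwrapped to
# one line each, plus a constructed entry (placeholder ID and URL) for a
# message that was detected but has no disarm entry.
SAMPLE_LOG = """\
Dec 15 09:05:18 msapiro MailScanner[60735]: Found definite phishing fraud from http://bit.ly/junk in 97D6F3403C0.A4591
Dec 15 09:05:18 msapiro MailScanner[58081]: Content Checks: Detected and have disarmed phishing tags in HTML message in 97D6F3403C0.A4591 from mark at msapiro.net
Dec 15 09:07:02 msapiro MailScanner[60735]: Found definite phishing fraud from http://bit.ly/other in AAAAAAAAAAA.A0000
"""

FOUND = re.compile(
    r"MailScanner\[\d+\]: Found definite phishing fraud from (\S+) in (\S+)")
DISARMED = re.compile(
    r"MailScanner\[\d+\]: Content Checks: Detected and have disarmed "
    r"phishing tags in HTML message in (\S+)")


def correlate(log_text):
    """Map message ID -> {"urls": [flagged URLs], "disarmed": bool}."""
    result = defaultdict(lambda: {"urls": [], "disarmed": False})
    for line in log_text.splitlines():
        found = FOUND.search(line)
        if found:
            result[found.group(2)]["urls"].append(found.group(1))
            continue
        disarmed = DISARMED.search(line)
        if disarmed:
            result[disarmed.group(1)]["disarmed"] = True
    return dict(result)


def flagged_ids(log_text, host):
    """Message IDs where a URL on `host` was flagged -> disarm logged or not."""
    return {
        msg_id: info["disarmed"]
        for msg_id, info in correlate(log_text).items()
        if any(urlsplit(url).hostname == host for url in info["urls"])
    }


if __name__ == "__main__":
    for msg_id, disarmed in flagged_ids(SAMPLE_LOG, "bit.ly").items():
        print(msg_id, "disarmed" if disarmed else "flagged, no disarm entry")
```

An empty result for the host after sending the test message means the entry was never matched, which points back at the bad-sites file or the restart rather than at the HTML handling.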

