Why no subject changes or higher score for this phishing email?
betsys at well.com
Wed Oct 29 03:50:48 UTC 2025
Got a piece of mail identified as ham, with no header changes. The hidden URLs were correctly highlighted.
I would have expected this to put up some sort of phishing alert. Do I need to enable Disarmed Modify Subject for this?
I disabled Disarmed Modify Subject because it was being added to every single message with a hidden link, including, it seemed, many innocent messages.
(I have since fixed my RBL checks, and I've set up another email address to bypass MailScanner so I can get my hands on the unaltered originals.)
2025-10-28T18:45:02.175284-07:00 sentry MailScanner[183011]: Found phishing fraud from https://www.prayers1.com/US/Kosciusko/863615230361694/WeeKids-Children%%27s-Ministry?e=1602972382 claiming to be www.facebook.com in BC4DE84A9A.A1DD7
2025-10-28T18:45:02.243128-07:00 sentry MailScanner[182315]: Content Checks: Detected and have disarmed hidden, phishing tags in HTML message in BC4DE84A9A.A1DD7 from support at prayers1.com
X-MyOrg-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=2.706, required 4, DKIM_SIGNED 0.10, DKIM_VALID -0.10,
DMARC_NONE 0.90, HTML_MESSAGE 0.00, HTTPS_HTTP_MISMATCH 0.10,
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.00,
RCVD_IN_VALIDITY_RPBL_BLOCKED 0.00,
RCVD_IN_VALIDITY_SAFE_BLOCKED 0.00, RCVD_IN_ZEN_BLOCKED_OPENDNS 0.00,
SPF_HELO_NONE 0.00, URIBL_BLACK 1.70, URIBL_BLOCKED 0.00,
URIBL_DBL_BLOCKED_OPENDNS 0.00)
X-MyOrg-MailScanner-SpamScore: 2
Thanks, Betsy
Excerpts from MailScanner.conf:
(I haven’t touched the phishing*sites* files, beyond the automatic updates)
Allow Form Tags = disarm
Allow IFrame Tags = disarm
Allow Object Codebase Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = yes
Also Find Numeric Phishing = yes
Content Modify Subject = start
Content Subject Text = {Dangerous Content?}
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Dangerous Content Scanning = yes
Disarmed Modify Subject = no
Disarmed Subject Text = {Disarmed}
Find Phishing Fraud = yes
Highlight Mailto Phishing = yes
Highlight Phishing Fraud = yes
Inline HTML External Warning = %report-dir%/inline.external.warning.html
Inline HTML Signature = %report-dir%/inline.sig.html
Inline HTML Warning = %report-dir%/inline.warning.html
Log Dangerous HTML Tags = no <-- changing this to yes
Log Silent Viruses = yes
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
Phishing Modify Subject = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Subject Text = {Possible Phishing}
Quarantine Silent Viruses = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Still Deliver Silent Viruses Unmodified = no
Still Scan Silent Viruses = no
Use Stricter Phishing Net = yes
Virus Modify Subject = start
Virus Subject Text = {Virus?}
MailWatch Version: 1.2.23
Operating System Version: Ubuntu 24.04.3 LTS (Noble Numbat)
Postfix Version: 3.8.6
MailScanner Version: 5.5.3
ClamAV Version: 1.4.3
SpamAssassin Version: 4.0.0
PHP Version: 8.3.6
MySQL Version: 10.11.13-MariaDB-0ubuntu0.24.04.1
GeoIP Database Version: No database downloaded
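An added example (editor's code, not from the post and not part of MailScanner or MailWatch) that illustrates the gap Betsy is seeing: MailScanner's content checks log a phishing-fraud hit for a message, while SpamAssassin, which runs independently, scores the same message below its threshold. The script parses the two "Found phishing fraud" / "Content Checks" log lines quoted above and the X-MyOrg-MailScanner-SpamCheck header, then reports queue IDs where a phishing hit coincides with a not-spam verdict, so that a monitor can alert on them even when no subject tag is applied. The sample log and header are constructed from the post (the mail-client autolink duplicates are dropped and the list archive's "at" obfuscation is written back as "@"); the log-line layout is assumed to be stable across messages.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
2025-10-28T18:45:02.175284-07:00 sentry MailScanner[183011]: Found phishing fraud from https://www.prayers1.com/US/Kosciusko/863615230361694/WeeKids-Children%27s-Ministry?e=1602972382 claiming to be www.facebook.com in BC4DE84A9A.A1DD7
2025-10-28T18:45:02.243128-07:00 sentry MailScanner[182315]: Content Checks: Detected and have disarmed hidden, phishing tags in HTML message in BC4DE84A9A.A1DD7 from support@prayers1.com
"""

# Constructed: one SpamCheck header per queue ID, as MailScanner adds it
# (the header name prefix "X-MyOrg-" comes from the poster's %org-name%).
SAMPLE_HEADERS = {
    "BC4DE84A9A.A1DD7": (
        "X-MyOrg-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, "
        "score=2.706, required 4, DKIM_SIGNED 0.10, DKIM_VALID -0.10, "
        "DMARC_NONE 0.90, HTML_MESSAGE 0.00, HTTPS_HTTP_MISMATCH 0.10, "
        "RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.00, RCVD_IN_VALIDITY_RPBL_BLOCKED 0.00, "
        "RCVD_IN_VALIDITY_SAFE_BLOCKED 0.00, RCVD_IN_ZEN_BLOCKED_OPENDNS 0.00, "
        "SPF_HELO_NONE 0.00, URIBL_BLACK 1.70, URIBL_BLOCKED 0.00, "
        "URIBL_DBL_BLOCKED_OPENDNS 0.00)"
    ),
}

# Assumed log layouts, taken from the two lines in the post.
PHISH_RE = re.compile(
    r"MailScanner\[\d+\]: Found phishing fraud from (?P<url>\S+) "
    r"claiming to be (?P<claimed>\S+) in (?P<qid>\S+)$"
)
DISARM_RE = re.compile(
    r"Content Checks: Detected and have disarmed (?P<what>.+?) "
    r"in HTML message in (?P<qid>\S+) from (?P<sender>\S+)$"
)
# SpamAssassin rule names are upper-case; each is followed by its score.
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")


def parse_log(text):
    """Group MailScanner phishing/disarm events by queue ID."""
    events = {}
    for line in text.splitlines():
        m = PHISH_RE.search(line)
        if m:
            rec = events.setdefault(m["qid"], {})
            rec.setdefault("phishing", []).append({
                # host the link really points at vs. the host it displays
                "actual_host": urlsplit(m["url"]).hostname,
                "claimed": m["claimed"],
            })
            continue
        m = DISARM_RE.search(line)
        if m:
            rec = events.setdefault(m["qid"], {})
            rec["disarmed"] = m["what"]
            rec["sender"] = m["sender"]
    return events


def parse_spamcheck(header):
    """Split the SpamCheck header into verdict, score, threshold and rule hits."""
    value = header.split(":", 1)[1].strip()
    verdict = value.split(",", 1)[0].strip()
    score = float(re.search(r"score=(-?\d+(?:\.\d+)?)", value).group(1))
    required = float(re.search(r"required (-?\d+(?:\.\d+)?)", value).group(1))
    # Rule scores are printed rounded to two decimals, so their sum can
    # differ slightly from the exact score= value.
    rules = {name: float(v) for name, v in RULE_RE.findall(value)}
    return {"verdict": verdict, "score": score, "required": required, "rules": rules}


def reconcile(events, headers):
    """Return messages MailScanner flagged as phishing that SpamAssassin let through."""
    findings = []
    for qid, rec in events.items():
        if "phishing" not in rec or qid not in headers:
            continue
        sc = parse_spamcheck(headers[qid])
        if sc["score"] < sc["required"]:
            findings.append({
                "qid": qid,
                "sender": rec.get("sender"),
                "verdict": sc["verdict"],
                "score": sc["score"],
                "required": sc["required"],
                "host_mismatch": any(p["actual_host"] != p["claimed"] for p in rec["phishing"]),
                "links": rec["phishing"],
            })
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_log(SAMPLE_LOG), SAMPLE_HEADERS):
        print(f"{f['qid']}: phishing fraud found but SpamAssassin said "
              f"'{f['verdict']}' ({f['score']} < {f['required']}); "
              f"links: {f['links']}")
```

Run against live data, the same two parsers can be pointed at the MailScanner log and at the SpamCheck headers stored by MailWatch; any hit from `reconcile` is a message that was delivered with its links disarmed but without a spam or phishing subject tag.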