<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Got a piece of mail identified as ham, with no header changes. The Hidden URL’s were correctly highlighted. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I would have expected this to put up some sort of phishing alert. Do I need to enable <b>Disarmed Modify Subject</b> for this?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> I disabled the Disarmed Modify Subject because it was getting added to every single message with a hidden link, seemed like, many innocent messages. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>(I have since fixed my RBL checks, and I’ve set up another email address to bypass MailScanner so’s I can get my hands on the unaltered originals)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>2025-10-28T18:45:02.175284-07:00 sentry MailScanner[183011]: Found phishing fraud from <a href="https://www.prayers1.com/US/Kosciusko/863615230361694/WeeKids-Children%25%27s-Ministry?e=1602972382" target="_blank">https://www.prayers1.com/US/Kosciusko/863615230361694/WeeKids-Children%%27s-Ministry?e=1602972382</a> claiming to be <a href="http://www.facebook.com/" target="_blank">www.facebook.com</a> in BC4DE84A9A.A1DD7<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>2025-10-28T18:45:02.243128-07:00 sentry MailScanner[182315]: Content Checks: Detected and have disarmed hidden, phishing tags in HTML message in BC4DE84A9A.A1DD7 from <a href="mailto:support@prayers1.com">support@prayers1.com</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>X-MyOrg-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> score=2.706, required 4, DKIM_SIGNED 0.10, DKIM_VALID -0.10,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> DMARC_NONE 0.90, HTML_MESSAGE 0.00, HTTPS_HTTP_MISMATCH 0.10,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.00,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> RCVD_IN_VALIDITY_RPBL_BLOCKED 0.00,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> RCVD_IN_VALIDITY_SAFE_BLOCKED 0.00, RCVD_IN_ZEN_BLOCKED_OPENDNS 0.00,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> SPF_HELO_NONE 0.00, URIBL_BLACK 1.70, URIBL_BLOCKED 0.00,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'> URIBL_DBL_BLOCKED_OPENDNS 0.00)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>X-MyOrg-MailScanner-SpamScore: 2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks, Betsy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Excerpts from MailScanner.conf:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>(I haven’t touched the phishing*sites* files, beyond the automatic updates)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Allow Form Tags = disarm<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Allow IFrame Tags = disarm<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Allow Object Codebase Tags = disarm<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Allow Script Tags = disarm<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Allow WebBugs = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Also Find Numeric Phishing = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Content Modify Subject = start<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Content Subject Text = {Dangerous Content?}<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Convert Dangerous HTML To Text = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Convert HTML To Text = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Dangerous Content Scanning = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Disarmed Modify Subject = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Disarmed Subject Text = {Disarmed}<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Find Phishing Fraud = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Highlight Mailto Phishing = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Highlight Phishing Fraud = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Inline HTML External Warning = %report-dir%/inline.external.warning.html<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Inline HTML Signature = %report-dir%/inline.sig.html<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Inline HTML Warning = %report-dir%/inline.warning.html<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Log Dangerous HTML Tags = no </span><span style='font-size:11.0pt;font-family:Wingdings'>ß</span><span style='font-size:11.0pt'> changing this to yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Log Silent Viruses = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Phishing Modify Subject = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Phishing Subject Text = {Possible Phishing}<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Quarantine Silent Viruses = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Silent Viruses = HTML-IFrame All-Viruses<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Still Deliver Silent Viruses = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Still Deliver Silent Viruses Unmodified = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Still Scan Silent Viruses = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Use Stricter Phishing Net = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Virus Modify Subject = start<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Virus Subject Text = {Virus?}<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>MailWatch Version: 1.2.23<br>Operating System Version: Ubuntu 24.04.3 LTS (Noble Numbat)<br>Postfix Version: 3.8.6<br>MailScanner Version: 5.5.3<br>ClamAV Version: 1.4.3<br>SpamAssassin Version: 4.0.0<br>PHP Version: 8.3.6<br>MySQL Version: 10.11.13-MariaDB-0ubuntu0.24.04.1<br>GeoIP Database Version: No database downloaded<o:p></o:p></span></p></div></body></html>