efa-project.org

... DOS_BODY_MON,__DOS_BODY_TUE,__DOS_BODY_WED,__DOS_HAS_ANY_URI,__DOS_LINK,__DOS_RCVD_WED,__DOS_REF_TODAY,__E_LIKE_LETTER(320),__FILL_THIS_FORM_FRAUD_PHISH1,__FROM_FULL_NAME,__FROM_WORDY,__GB_FAKE_RF,__GB_TO_ADDR,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_DKIM_SIGHD,__HAS_FROM,__HAS_HREF(23 ...

Highlight Phishing Fraud = yes, Highlight Hidden URLs = yes and Highlight Mailto Phishing = yes makes most of newsletters or orderconfirmations unreadable for the user as there are many links inside.

Is it possible to just add ONE notification at the beginning of the message like "Careful ...

Hi,

I am getting false positives with bad URL for mailto: address links. An example:

MailScanner has detected a possible fraud attempt from "domain.com" claiming to be mailto:user@domain.com

The following was added to /etc/MailScanner/phishing.safe.sites.conf:

mailto:*
*.domain.com

This did ...

Hi,

I am getting false positives with bad URL for mailto: address links. An example:

MailScanner has detected a possible fraud attempt from "domain.com" claiming to be mailto:user@domain.com

The following was added to /etc/MailScanner/phishing.safe.sites.conf:

mailto:*
*.domain.com

This did not ...

... SPRM
Feb 4 11:37:25.315 [1430036] dbg: replacetags: replaced __YOUR_WEBCAM
Feb 4 11:37:25.316 [1430036] dbg: replacetags: replaced __FILL_THIS_FORM_FRAUD_PHISH1
Feb 4 11:37:25.331 [1430036] dbg: replacetags: replaced __PAY_ME
Feb 4 11:37:25.332 [1430036] dbg: replacetags: replaced SUBJECT_FUZZY_PENIS ...

... postfix/smtpd[32244]: disconnect from unknown[192.168.10.50] ehlo=1 quit=1 commands=2
Jun 12 15:06:35 mailgtw MailScanner[32437]: Found phishing fraud from https://www.covidopstart.nl/c-19/nl-NL/home?utm_source=handtekening&utm_medium=e-mail&utm_campaign=veenman claiming to be www.veenman.nl in ...

... contains embedded URL's, one for my email address and the other to my web site. These are both getting flagged in my outbound as "potential fraud" and showing to the recipients as such.

I tried adding my domain into "phishing.safe.sites.conf" but they still get flagged... stopped and restart ...

Checkout the "Highlight Phishing Fraud" option in /etc/MailScanner/MailScanner.conf

eFA 4.0.1:
In the field "From" usually when there is a "thread", mailscanner detects fraud attempt.
How can I get rid of it? -

"...From: Sender Name [MailScanner has detected a possible fraud attempt from "domain.com" claiming to be mailto:name@domain.com]

Note.: sometime, it shows also even if ...

... dir%/toexternal_contentscanning.rules
Allow Partial Messages = no
Allow External Message Bodies = %rules-dir%/toexternal_bodies.rules
Find Phishing Fraud = yes
Also Find Numeric Phishing = %etc-dir%/numeric.phishing.rules
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Highlight Hidden ...

... MTA based solutions, for several reasons that i will not list here.
Since mailscanner already does something similar (more or less) with "phishing fraud detection", where URLs got analyzed and plain text eventually added to mail, i thought that an higher level solution than postfix based rewrite ...

I must re-visit this issue, because it has become a problem with the insane amount of scam/fraud messages coming through.

I took a deeper look and have determined that the web interface is working properly. The information has been populated incorrectly into the maillog table in the mailscanner ...

Found the solution / viewtopic.php?f=14&t=530&hilit=fraud

Good day all, i am getting this notification at the bottom of my email "Mailscanner has detected a possible fraud attempt from "<my local ip address>" any ideas

... in here to mitigate the problem that the global "bad" list lists onedrive.live.com and play.google.com by listing them inside phishing.safe.sites.custom - and yet even after restarting Mailscanner, these lists still get marked as phishing fraud.

Did anyone succeed and can explain how this works?

Thank you, that fixed these faulty entries.
Now these FQDNs are correctly marked as definitive fraud.

Thanks for the fast fix.

... entries go like this:
bad.url.com

But some have ",http:" attached:
bad.url.com,http:

This seems to make the entry invalid as the definitive fraud is not correctly marked as such.
It is only marked as possible fraud, but when it is in this file it should be definitive.

Even the current online ...

... Dangerous Content Scanning /etc/MailScanner/rules/content.scanning.rules
Allow Partial Messages no
Allow External Message Bodies no
Find Phishing Fraud yes
Also Find Numeric Phishing yes
Use Stricter Phishing Net yes
Highlight Phishing Fraud yes
Phishing Safe Sites File /etc/MailScanner/phishing ...

... outlook client https://www.extendoffice.com/documents/outlook/1346-outlook-attachment-in-body-of-email.html)
c) Mailscanner detected a possible fraud: please check these docs and then adapt your Mailscanner config:
https://www.mailscanner.info/MailScanner.conf.index.html#Find Phishing Fraud ...

/etc/MailScanner/MailScanner.conf

... has moved into a suspended state until the card is updated or the issue is fixed. You’ll want to head over to MailScanner has detected a possible fraud attempt from "via.intercom-mail-200.com" claiming to be moz.com/billing to update those card details!

I have also appended a little screenshot…

Hi swaniverson.
1st of all thank you for your reply.
I had that setting "Use Stricer Phishing Net" already set on NO.
I have just figured out where I had made "a noobish mistake".
Before editing /etc/MailScanner/MailScanner.conf I made a dumb copy:
cp /etc/MailScanner/MailScanner.conf /etc ...

Here's another setting, tried this one?

service mailscanner reload also does not change this behavour, hm ran out of ideas...
We are on latest 3.0.2.3 version. Is it a bug?

Another thing, if I change also this settings in MailScanner.conf:
(from yes to no): Highlight Phishing Fraud = no
it does not reflect, because it's still higlights it, even after doing service mailscanner restart.
strange.