MailScanner not working properly

[bostjanc]

Hi guys.
Using EFA (latest version).
MailScanner is not inspecting URL's ok in docs.google.com case.

If I sent this link to a user which is behind EFA, mailscanner complaints about being fraud:
https://docs.google.com/spreadsheets/d/ ... sp=sharing

but it seems irrasonable to do that.
We have tried with changing mailscanner conf file settings:
We have changed "Use Stricter phishing net" to NO, but still hyperlinks with docs.google.com are being treated by mailscanner a potentially FRAUD.

Is it a bug or is it a feature?

MailScanner has detected definite fraud in the website at "docs.google.com". Do not trust this website: https://docs.google.com/spreadsheets/d/ ... sp=sharing

Thanks, with best regards

[ovizii]

well, if you click the link, where does it take you?

[bostjanc]

Hi.
Thank you for your reply.

If I click on link it takes me to:

https://docs.google.com/spreadsheets/d/ ... edit#gid=0

But it's the same even if I sent this hyperlink in the message, mail scanner will "false-positive" complain again.

MailScanner has detected definite fraud in the website at "docs.google.com". Do not trust this website: https://docs.google.com/spreadsheets/d/ ... edit#gid=0

[bostjanc]

anyone please help

[ovizii]

I can't help you much except show you what Mailscanner considers phishing:

https://www.mailscanner.info/MailScanne ... .html#Find Phishing Fraud
https://www.mailscanner.info/MailScanne ... x.html#Use Stricter Phishing Net

maybe add docs.google.com to the safe domains? => https://www.mailscanner.info/MailScanne ... l#Phishing Safe Sites File

apart from that the only reason I can think of this to happen is if you are sending shortened links? aka goo.gl/123 which then redirect to docs.google.com or links where the link text is a different URL than the actual link?

[bostjanc]

Hi there.
Thank you for your reply.
But in this case the link text and the URL are same.
Why is then this considered as fraud if the text and URL are the same?
adding googledocs to trusted domain can be a nasty (from security perspective) workaround...
With best regards

[ovizii]

I've emailed you asking you to send me an email with that link to see what my EFA appliance makes of it.

[bostjanc]

Thanks for the email.
message was sent.
With best regards

[ovizii]

So I had the exact same results:

MailScanner has detected definite fraud in the website at "docs.google.com". Do not trust this website: https://docs.google.com/spreadsheets/d/ ... edit#gid=0

but the mistery is solved. Looking into: /etc/MailScanner/phishing.bad.sites.conf and I see: docs.google.com

This is a bit of a concern, any official way to solve this?

[bostjanc]

Nice to found the root of the problem...
So what are the best practices regarding that?
With best regards

[ovizii]

as a workaround, I'd delete the url in there but it seems its being updated daily.

Not sure where to address this, some official MailScanner forum maybe?

[DaN]

https://github.com/MailScanner/v5/searc ... sites.conf

You could try /etc/MailScanner/phishing.safe.sites.conf, oh a moment...

it's in there

with a *.google.com

you could try to write docs.google.com to /etc/MailScanner/phishing.safe.sites.conf and see who's winning

[bostjanc]

Maybe deleting that line with crontab

[ovizii]

I read somewhere that BAD trumps SAFE.
So manually deleting from BAD is the way to go.

couldn't find anything via Google as to why its in there in the first place. seems there was a wave of phishing attacks in 2014 but nothing current...

[bostjanc]

I've read some "same articles" that google went "wild" in the past (with phishing)

[bostjanc]

For the conclusion, so what is the best approach for fix this?
With best regards

[bostjanc]

FYI
Posted my question also on mailscanner forum:
https://forum.configserver.com/viewtopi ... =19&t=9696

[bostjanc]

It wasn't the "right forum".
Tried my luck also here:
http://forum.mailcleaner.org/viewtopic.php?f=12&t=2400

[ovizii]

I think the right place would be going to https://www.mailscanner.info/ then checking under SUPPORT )
You can either use the mailing list: http://lists.mailscanner.info/listinfo/mailscanner
(or possibly the issue tracker: https://github.com/MailScanner/v5/issues=

[bostjanc]

Thanks for the hint.
I have submitted the issue:
https://github.com/MailScanner/v5/issues/14

[jbenton]

I love the title of this post.

Add your custom edits to the .custom file for each respective list. The build script merges the values. If your site is in the safe sites, the bad sites will not fire if the same host (domain) is present in both files. Wildcards do not work and from a security standpoint would be a bad idea anyway. If you are using MailScanner v4, then you need to update to MailScanner v5.

Read this to get a general idea of how the phishing sites is built: http://phishing.mailscanner.info/

Read this to get a general idea of how the safe sites is built: http://phishing.mailscanner.info/update_phishing_sites

Read line 7315: https://github.com/MailScanner/v5/blob/ ... Message.pm


Posting bug reports on github is for ... well .... bugs. If you have a MailScanner question, please use the MailScanner mailing list.

Jerry Benton

[shawniverson]

Milestone 3.0.1.2 Status (includes MailScanner v5):

https://github.com/E-F-A/v3/milestone/15

I'll try to wrap up commits this weekend and get this out to beta.

[bostjanc]

thanks. keep up the good work!

[bostjanc]

shawniverson any news on new build yet?
with best regards

[shawniverson]

in beta testing now

https://github.com/E-F-A/v3/blob/3.0.1.2-beta/TESTPLAN