Some messages are being "defaced"

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Some messages are being "defaced"

Post by budy » 13 Oct 2017 06:45

Hi,

Users have recently complained that messages have been delivered to their mailboxes which are somewhat broken. I experienced this as well on my private eFA with messages from TripAdvisor. Has anybody experienced this as well and, if yes, does anyone know what the reason is/was?

Thx,
budy

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Some messages are being "defaced"

Post by pdwalker » 13 Oct 2017 07:14

I think I may know what that is, but can you provide a screenshot of an example "defaced" message?

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: Some messages are being "defaced"

Post by budy » 13 Oct 2017 14:47

Hmm… there seem to be some variants, but one has MailScanner insert a warning right into the message text like this:

Data from your account has moved into a suspended state until the card is updated or the issue is fixed. You’ll want to head over to MailScanner has detected a possible fraud attempt from "via.intercom-mail-200.com" claiming to be moz.com/billing to update those card details!

I have also appended a little screenshot…
Attachment: Bildschirmfoto 2017-10-13 um 16.46.39.png (44.9 KiB)

shawniverson
Posts: 2803
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Some messages are being "defaced"

Post by shawniverson » 14 Oct 2017 12:05

/etc/MailScanner/MailScanner.conf

# If a phishing fraud is detected, do you want to highlight the tag with
# a message stating that the link may be to a fraudulent web site.
# This can also be the filename of a ruleset.
Highlight Phishing Fraud = no

SharazJek
Posts: 64
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Re: Some messages are being "defaced"

Post by SharazJek » 14 Oct 2017 22:42

BTW... turning that off increases your risk of falling prey to phishing scams by an exponential amount. Can your users really not live with it when a URL in an email does not match up to the actual URL in the click (when it differs from what it says)?

I have users who have had the same complaint, and after I explain it, it's a dead issue. I would try to leave it enabled, if you possibly can.

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Some messages are being "defaced"

Post by pdwalker » 17 Oct 2017 01:40

Apologies budy, I was away from the computer unexpectedly for a couple of days. Fortunately, shawniverson was here to help.

SharazJek,

I've had to disable this for my users. Too often, it gives false positives and would cause a panic. Also, changing the HTML resulted in "defaced" messages as budy described and that was making people unhappy.

So far, I'm the only one who has clicked on a bad link. :oops:

budy
Posts: 74
Joined: 10 Sep 2017 07:33

Re: Some messages are being "defaced"

Post by budy » 17 Oct 2017 06:29

Hi guys,

Thank you for your help. I am totally aware of the risks regarding these "masked" links, but more often than not, automated messages from Akamai and others do contain such links, and we do have a very high fluctuation of employees, which would result in different people always filing the same complaint about such messages.

Cheers,
budy
