Page 1 of 1

Some messages are being "defaced"

Posted: 13 Oct 2017 06:45
by budy
Hi,

users have recently complained, that messages have been delivered to their mailboxes which are somewhat broken. I experienced this as well on my private eFA with messages from TripAdvisor. Has anybody experienced this as well and if yes, does anyone know, what the reason is/was?

Thx,
budy

Re: Some messages are being "defaced"

Posted: 13 Oct 2017 07:14
by pdwalker
I think I may know what that is, but can you provide a screenshot of an example "defaced" message?

Re: Some messages are being "defaced"

Posted: 13 Oct 2017 14:47
by budy
Hmm… there seem to be some variants, but one has MailScanner insert a warning right into the message text like this:

Data from your account has moved into a suspended state until the card is updated or the issue is fixed. You’ll want to head over to MailScanner has detected a possible fraud attempt from "via.intercom-mail-200.com" claiming to be moz.com/billing to update those card details!

I have also appended a little screenshot…

Re: Some messages are being "defaced"

Posted: 14 Oct 2017 12:05
by shawniverson
/etc/MailScanner/MailScanner.conf

Code: Select all

# If a phishing fraud is detected, do you want to highlight the tag with
# a message stating that the link may be to a fraudulent web site.
# This can also be the filename of a ruleeset.
Highlight Phishing Fraud = no

Re: Some messages are being "defaced"

Posted: 14 Oct 2017 22:42
by SharazJek
BTW... turning that off increases your risk of falling prey to phishing scams by an exponential amount. can you users really not live with it when a URL in an email does not match up to the actual URL in the click (when it differs from what it says?)

i have users who have had the same complaint, and after i explain it, its a dead issue. i would try to leave it enabled, if you possibly can.

Re: Some messages are being "defaced"

Posted: 17 Oct 2017 01:40
by pdwalker
Apologies budy, I was away from the computer unexpectedly for a couple of days. Fortunately, shawniverson was here to help.

SharazJek,

I've had to disable this for my users. Too often, it gives false positives and would cause a panic. Also, changing the html resulted in "defaced" messages as budy described and that was making people unhappy.

So far, I'm the only one who has clicked on a bad link. :oops:

Re: Some messages are being "defaced"

Posted: 17 Oct 2017 06:29
by budy
Hi guys,

thank you for your help. I am totally aware of the risks, regarding these "masqued" links, but more often than not, automated messages from Akamai and others do contain such links and we do have a very high fluctuation of employees, which would cause in always other people filling the same complaint about such messages.

Cheers,
budy