Need some help understanding how detecting phishing fraud works

[ovizii]

I have it turned on and phishing frauds are being highlighted.

So as an example I had this inside my logs:

Code: Select all

Jun 28 15:30:21 jacob MailScanner[18524]: <A> tag found in message E320B100BAF.A1D5A from apache@wufoo.com
Jun 28 15:30:23 jacob MailScanner[31803]: Found phishing fraud from https:/synaq-cms.s3.amazonaws.com/sites/53172c98057a5235a3000002/content_entry532753d35cedb7c21f000015/534289b6ce62af43c200006f/files/Email_Rention_Checklist_2013.pdf claiming to be www. in E320B100BAF.A1D5A
Jun 28 15:30:23 jacob MailScanner[18524]: Content Checks: Detected and have disarmed phishing tags in HTML message in E320B100BAF.A1D5A from apache@wufoo.com

That is a legitimate email btw. It looks like there is a "/" missing in the "https:/"

In the email that landed in my inbox after goi9ng through EFA the link looks like a relative link so opening the email in Gmail looks like this:

efa_03.png (45.19 KiB) Viewed 4338 times

so the link looks alright but if I click it I end up here with a dead link: https://www.google.com/synaq-cms.s3.ama ... t_2013.pdf

If I go to my EFA dashboard and view the email right there, it looks like this:

efa_04.png (52.1 KiB) Viewed 4338 times

and the link inside the email https://myefa.tld/synaq-cms.s3.amazonaw ... t_2013.pdf

So I am trying to understand:

1. What exactly triggered the phishing fraud warning?
2. Where can I see the original before the "fix" by Mailscanner?
3. Does it look like Mailscanner is messing up here or does it look like the link was broken to begin with?
4. What does this part mean: have disarmed phishing tags

[shawniverson]

I have it turned on and phishing frauds are being highlighted.

1. What exactly triggered the phishing fraud warning?
2. Where can I see the original before the "fix" by Mailscanner?
3. Does it look like Mailscanner is messing up here or does it look like the link was broken to begin with?
4. What does this part mean: have disarmed phishing tags

1. Phishing fraud is when the text in the link does not match the URL embedded in the link. i.e. says example.com but is actually example.net.
2. The original is not stored.
3. No. This is a configurable setting in /etc/MailScanner/MailScanner.conf

Code: Select all

# If a phishing fraud is detected, do you want to highlight the tag with
# a message stating that the link may be to a fraudulent web site.
# This can also be the filename of a ruleset.
Highlight Phishing Fraud = no

4. HTML tags that are typically used in phishing attacks have been removed. Again, these are configurable settings in MailScanner.

[ovizii]

Awesome explanations, thanks a lot.