Closed weazil closed 4 years ago
Can you post an example of a mail source code where the warning is missing?
I took out email addresses and phone #, but that's just one. I have several; like I said, it appears the only ones it injects the warning on are the ones it's disarming.
```
Return-Path: ---
Received: from us-smtp-delivery-126.mimecast.com (us-smtp-delivery-126.mimecast.com [216.205.24.126]) by hermes.southern-air.com (8.14.7/8.14.7) with ESMTP id xACGCbX7008831 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK) for Tue, 12 Nov 2019 11:12:43 -0500
Received: from IDC-EXCHHT01.driveralliant.com (63.241.24.153 [63.241.24.153]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-221-8_eyPx7xO-WNyGEgZ6L3gQ-14; Tue, 12 Nov 2019 11:12:35 -0500
From: ---
To: ----
Subject: Test
Thread-Topic: Test
Thread-Index: AdWZc+le9TpDtDlzTp+HiYICKCiC8Q==
Date: Tue, 12 Nov 2019 16:11:59 +0000
Message-ID: ----
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-exclaimer-md-config: d0d519bf-d9fd-4064-9e38-e794ce14b114
Content-ID: ----
MIME-Version: 1.0
X-MC-Unique: 8_eyPx7xO-WNyGEgZ6L3gQ-14
X-Mimecast-Spam-Score: 0
Content-Type: text/html; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
X-southernair-MailScanner-Information: Please contact the ISP for more information
X-southernair-MailScanner-ID: xACGCbX7008831
X-southernair-MailScanner: Found to be clean
X-southernair-MailScanner-From: ---
X-Spam-Flag: No

=93Going beyond merely communicatin=
g to =91connecting=92 with our clients=94
```
@weazil Flagging this as an unconfirmed bug and will look at it asap. I'll switch to confirmed once I check the logic. In the meantime can you post your phishing settings you currently have in use for me?
```
Find Phishing Fraud = yes
Highlight Phishing Fraud = yes
Highlight Hidden URLs = no
Highlight Mailto Phishing = yes
Also Find Numeric Phishing = %rules-dir%/numeric.phishing.rules
```
numeric.phishing.rules:
```
From: 18.215.202.130 no
From: ponos.southern-air.com no
FromOrTo: default yes
```
```
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Modify Subject = yes
Phishing Subject Text = {Fraud?}
```
But I've never seen a subject tagged as Fraud; I've only ever seen Disarm and Spam.
Just to make sure you mean the correct thing:

`MailScanner has detected a possible fraud attempt from` is used if the target URI of a link in a mail does not match the text that is displayed for it, e.g. `<a href="mailto:user@example.com">something@otherdomain.com</a>`. This is added inline in the middle of a mail where that flagged link is.

This is independent of the External Message Warning (configured via `External Message Warning = %rules-dir%/external.message.rules`), which will flag as `Warning: This message originated from outside the organization.` (appended to the end of the mail) and flags mails not from/to a domain configured in that config file.
Yes, I understand they are separate. It just seems odd that the only time I see the warning about external emails is in the same emails that get disarmed and display that fraud attempt.
Got 2 emails from Dell: 1 from the Dell rep confirming the order, no external message or fraud / disarmed; 1 from the automated system confirming the order that said disarmed and had the fraud warning and external warning in it. Basically the same email, just different origins.
Here's a screenshot of 2 emails, nothing but a link and a subject in both: one that says "click here" and a link to test.com, another that says "sex.com" and a link to test.com, triggering the fraud piece.
Just noticed it didn't have the external warning, but one from a different site with the disarm tag did.
> Got 2 emails from Dell: 1 from the Dell rep confirming the order, no external message or fraud / disarmed; 1 from the automated system confirming the order that said disarmed and had the fraud warning and external warning in it. Basically the same email, just different origins.
This is the intended behavior.
In the disarmed mail the display text of the link (here `sex.com`) is interpreted by MailScanner as some kind of URI (as it is an FQDN), and as such it is going to check if the text matches the link target.
For the second mail the `Click here` display text is not some kind of URI and as such it will not check it. There is nothing it could use as a reference to say if it is misleading.
Some more examples:

These would not be flagged as the text is not some kind of URI:
`<a href="mailto:user@example.org">click here to get all your wishes fulfilled</a>`
`<a href="web.example.org">click here to get rich</a>`

These would be flagged as they contain some kind of link/FQDN that doesn't match the link target:
`<a href="mailto:user@example.org">contact user@totalotherdomain.com</a>`
`<a href="web.example.org">go to github.com</a>`
`<a href="https://web.example.org">go to github.com</a>`
`<a href="https://web.example.org">go to https://github.com</a>`

These would not be flagged as the link target matches the text:
`<a href="https://web.example.org">go to https://web.example.com</a>`
`<a href="https://web.example.org">go to https://example.com</a>` (subdomains can be ignored)
`<a href="https://web.example.org">go to web.example.com</a>`
`<a href="mailto:user@example.org">send mail: user@example.org</a>`
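As an added illustration (not MailScanner's own Perl code, only a model of the rule described above): the display text is compared with the link target only when it looks like an e-mail address, URL or bare FQDN, and sub-domains are ignored by comparing the last two labels of each host. The sample HTML and the domain pairs are constructed for this example, with consistent TLDs on both sides.

```python
import re
from urllib.parse import urlparse

# Hypothetical re-implementation of the "display text vs. link target" check from
# the thread; regexes and the last-two-labels comparison are this example's choices.
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
EMAIL_RE = re.compile(r'[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}', re.I)
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)
FQDN_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)

# Constructed sample body: one misleading anchor, one honest anchor.
SAMPLE_HTML = ('<p>Order confirmed. <a href="https://web.example.org">go to github.com</a> '
               'or <a href="mailto:user@example.org">send mail: user@example.org</a></p>')


def registrable_domain(host: str) -> str:
    """Keep the last two labels so sub-domains are ignored (web.example.org -> example.org)."""
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])


def target_host(href: str) -> str:
    """Host of a link target: domain after '@' for mailto:, the URL hostname otherwise."""
    href = href.strip()
    if href.lower().startswith('mailto:'):
        return href[7:].split('?', 1)[0].rsplit('@', 1)[-1].lower()
    if '://' not in href:          # bare 'web.example.org' as in the examples above
        href = 'http://' + href
    return (urlparse(href).hostname or '').lower()


def uri_like_reference(text: str):
    """Host named by the first URI-like token (e-mail, URL or FQDN) in the display
    text, or None when the text is plain words such as 'click here'."""
    m = EMAIL_RE.search(text)
    if m:
        return m.group(0).rsplit('@', 1)[-1].lower()
    m = URL_RE.search(text)
    if m:
        return target_host(m.group(0))
    m = FQDN_RE.search(text)
    return m.group(0).lower() if m else None


def is_misleading_link(href: str, text: str) -> bool:
    """True when the display text names a domain that differs from the link target."""
    ref = uri_like_reference(text)
    if ref is None:
        return False               # nothing to compare against, so never flagged
    return registrable_domain(ref) != registrable_domain(target_host(href))


def scan_html(html: str):
    """Every anchor in an HTML body as (href, display text, flagged)."""
    return [(h, t.strip(), is_misleading_link(h, t)) for h, t in ANCHOR_RE.findall(html)]
```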
I understand the fraud warnings. I'm trying to understand the random External message; it appeared to be linked to the fraud warning, but I guess it's more that when the email has an external image it's trying to load, that gets flagged as disarmed, and then it adds the external email header.
Ahh ok.
Seems like it comes from function SignExternalMessage
https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L4996
or
https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5008
Which itself is called in DeliverModifiedBody
https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5872
https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L6438-L6445 and https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5460-L5467 call that function. As with clean messages `$this->{bodymodified}` probably is always false, the external warning message can only appear inside a mail that has something flagged by MailScanner.
@shawniverson Changing https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L6438-L6445 to

```perl
sub DeliverUninfected {
    my $this = shift;
    if ($this->{bodymodified} || MailScanner::Config::Value('externalwarning',$this) =~ /1/) {
        # The body of this message has been modified, so reconstruct
        # it from the MIME structure and deliver that.
        #print STDERR "Body modified\n";
        $this->DeliverModifiedBody('cleanheader');
```

might work. Or evaluate the `externalwarning` earlier and set `bodymodified` when it matches.
@Skywalker-11 thanks for the detailed analysis. I am working on this now.
I am going to move this logic earlier in the process. It needs to perform action on all messages, not just modified ones and set the bodymodified flag.
@Skywalker-11 @weazil Please test PR #415 and report back.
Appears to work as expected; all external mail is now being tagged, not just the ones with external images.
Need to double check my rules, but at the moment it appears to be tagging everything.
```
From: southern-air.com no
From: mail.southern-air.com no
FromOrTo: default yes
```
```
Return-Path: example@southern-air.com
Received: from mail.southern-air.com (localhost [127.0.0.1]) by hermes.southern-air.com (8.14.7/8.14.7) with ESMTP id xAFCkJAC001687 for example2@southern-air.com; Fri, 15 Nov 2019 07:46:19 -0500
Message-ID: bcce7fde991293b714afaebe2610ed1c@mail.southern-air.com
Date: Fri, 15 Nov 2019 07:46:19 -0500
Subject: Test
From: example@southern-air.com
To: example2@southern-air.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_15738219795ebe8f5df9a423928f41e315758ce522=_"
X-southernair-MailScanner-Information: Please contact the ISP for more information
X-southernair-MailScanner-ID: xAFCkJAC001687
X-southernair-MailScanner: Found to be clean
X-southernair-MailScanner-From: example@southern-air.com
X-Spam-Flag: No

--_=_swift_15738219795ebe8f5df9a423928f41e315758ce522=_
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Warning: This message originated from outside the organization. Warning: Use caution when following links or opening attachments.

Test
```
Can you tell me why, based on my rules, it's tagging everything, external and internal?
See PR #419. Let me know if that fixes it.
Quick test appears to have worked: I sent an email locally and from my Gmail, and only Gmail got tagged.
@weazil Awesome, thanks!
Hi All, I'm facing a peculiar issue. Mails from gmail.com or any Google/G Suite hosted site are not triggering the external mail warning. It's working for most other sites. Can someone guide me in this regard? Thanks/DP
External message warning only appears to be appended to some messages that it disarms and adds the `MailScanner has detected a possible fraud attempt from .... claiming to be ....` text to.
I would expect all messages to receive the message if not from the domains listed.