MailScanner v5
GNU General Public License v2.0

External message warning #413

Closed weazil closed 4 years ago

weazil commented 4 years ago

The External Message Warning only appears to be appended to some messages: the ones that it disarms and adds the

`MailScanner has detected a possible fraud attempt from .... claiming to be ....`

text to. I would expect all messages to receive the warning if they are not from the domains listed.

Skywalker-11 commented 4 years ago

Can you post an example of the mail source code where the warning is missing?

weazil commented 4 years ago

I took out email addresses and phone #, but that's just one. I have several; like I said, it appears the only ones it injects the warning on are the ones it's disarming.

```
Return-Path: ---
Received: from us-smtp-delivery-126.mimecast.com (us-smtp-delivery-126.mimecast.com [216.205.24.126]) by hermes.southern-air.com (8.14.7/8.14.7) with ESMTP id xACGCbX7008831 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK) for Tue, 12 Nov 2019 11:12:43 -0500
Received: from IDC-EXCHHT01.driveralliant.com (63.241.24.153 [63.241.24.153]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-221-8_eyPx7xO-WNyGEgZ6L3gQ-14; Tue, 12 Nov 2019 11:12:35 -0500
From: ---
To: ----
Subject: Test
Thread-Topic: Test
Thread-Index: AdWZc+le9TpDtDlzTp+HiYICKCiC8Q==
Date: Tue, 12 Nov 2019 16:11:59 +0000
Message-ID: ----
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-exclaimer-md-config: d0d519bf-d9fd-4064-9e38-e794ce14b114
Content-ID: ----
MIME-Version: 1.0
X-MC-Unique: 8_eyPx7xO-WNyGEgZ6L3gQ-14
X-Mimecast-Spam-Score: 0
Content-Type: text/html; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
X-southernair-MailScanner-Information: Please contact the ISP for more information
X-southernair-MailScanner-ID: xACGCbX7008831
X-southernair-MailScanner: Found to be clean
X-southernair-MailScanner-From: ---
X-Spam-Flag: No

Twst

Sent from my iPhone


Helpdesk Number:
Helpdesk Email: ----

Service Portal:  to open new tickets, get ticket status and review FAQs.

=93Going beyond merely communicatin= g to =91connecting=92 with our clients=94


This email and its attachments are for the exclusive use of the intended re= cipients, and may contain proprietary information and trade secrets of Alli= ant Insurance Services, Inc. and its subsidiaries. This email may also cont= ain information that is confidential, or otherwise protected from disclosure by contract or law. Any unauthorize= d use, disclosure, or distribution of this email and its attachments is pro= hibited. If you are not the intended recipient, let us know by reply email = and then destroy all electronic and physical copies of this message and attachments. Nothing in this email= or its attachments is intended to be legal, financial, or tax advice, and = recipients are advised to consult with their appropriate advisors regarding= any legal, financial, or tax implications.
```

shawniverson commented 4 years ago

@weazil Flagging this as an unconfirmed bug and will look at it asap. I'll switch to confirmed once I check the logic. In the meantime, can you post the phishing settings you currently have in use for me?

weazil commented 4 years ago

```
Find Phishing Fraud = yes
Highlight Phishing Fraud = yes
Highlight Hidden URLs = no
Highlight Mailto Phishing = yes
Also Find Numeric Phishing = %rules-dir%/numeric.phishing.rules
```

numeric.phishing.rules:

```
From: 18.215.202.130 no
From: ponos.southern-air.com no
FromOrTo: default yes
```

```
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Modify Subject = yes
Phishing Subject Text = {Fraud?}
```

But I've never seen a subject tagged as Fraud. I've only ever seen Disarm and Spam.

Skywalker-11 commented 4 years ago

Just to make sure you mean the correct thing: `MailScanner has detected a possible fraud attempt from` is used if the target URI of a link in a mail does not match the text that is displayed for it, e.g. `<a href="mailto:user@example.com">something@otherdomain.com</a>`. This is added inline in the middle of a mail, where the flagged link is.

This is independent of the External Message Warning (configured via `External Message Warning = %rules-dir%/external.message.rules`), which will flag with `Warning: This message originated from outside the organization.` (appended to the end of the mail) and flags mails not from/to a domain configured in that config file.

weazil commented 4 years ago

Yes, I understand they are separate; it just seems odd that the only time I see the warning about external emails is in the same emails that get disarmed and display that fraud attempt.

weazil commented 4 years ago

Got 2 emails from Dell: 1 from the Dell rep confirming the order, no external message or fraud / disarmed... 1 from the automated system confirming the order that said disarmed and had the fraud warning and external warning in it. Basically the same email, just different origins.

Here's a screenshot: 2 emails, nothing but a link and a subject in both, one that says "click here" and a link to test.com, another that says "sex.com" and a link to test.com, triggering the fraud piece. (screenshots attached)

weazil commented 4 years ago

Just noticed it didn't have the external warning, but one from a different site with the disarm tag did. (screenshot attached)

Skywalker-11 commented 4 years ago

> Got 2 emails from Dell: 1 from the Dell rep confirming the order, no external message or fraud / disarmed... 1 from the automated system confirming the order that said disarmed and had the fraud warning and external warning in it. Basically the same email, just different origins.

This is the intended behavior. In the disarmed mail the display text of the link (here sex.com) is interpreted by MailScanner as some kind of URI (as it is an FQDN), and as such it is going to check if the text matches the link target.

For the second mail the "Click here" display text is not some kind of URI, and as such it will not be checked. There is nothing it could use as a reference to say if it is misleading.

Some more examples. These would not be flagged, as the text is not some kind of URI:

- `<a href="mailto:user@example.org">click here to get all your wishes fulfilled</a>`
- `<a href="web.example.org">click here to get rich</a>`

These would be flagged, as they contain some kind of link/FQDN that doesn't match the link target:

- `<a href="mailto:user@example.org">contact user@totalotherdomain.com</a>`
- `<a href="web.example.org">go to github.com</a>`
- `<a href="https://web.example.org">go to github.com</a>`
- `<a href="https://web.example.org">go to https://github.com</a>`

These would not be flagged, as the link target matches the text:

- `<a href="https://web.example.org">go to https://web.example.com</a>`
- `<a href="https://web.example.org">go to https://example.com</a>` (subdomains can be ignored)
- `<a href="https://web.example.org">go to web.example.com</a>`
- `<a href="mailto:user@example.org">send mail: user@example.org</a>`
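The link check described in the comment above, as an added example that is not part of the thread or MailScanner's own Perl code: display text is only compared when it looks like a URL, e-mail address or bare FQDN, and the comparison is on the registered domain (assumed here to be the last two labels), so subdomains are ignored. The anchors fed to it are constructed from the comment's examples.

```python
import re
from html.parser import HTMLParser

# Constructed, simplified model of the "possible fraud attempt" link check;
# not MailScanner's Message.pm code. Assumption: only URI-like display text
# is compared, and only at registered-domain granularity.
EMAIL_RE = re.compile(r"[\w.+-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)

def host_of(s):
    """Host named by a URL/mailto/e-mail/FQDN in s, or None if s is not URI-like."""
    m = EMAIL_RE.search(s) or HOST_RE.search(s)
    return m.group(1).lower() if m else None

def registered_domain(host):
    """Crude 'example.org' from 'web.example.org' (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])

def is_misleading_link(href, text):
    """True when the display text names a different domain than the link target."""
    target, shown = host_of(href), host_of(text)
    if target is None or shown is None:
        return False  # plain text such as "click here": nothing to compare against
    return registered_domain(target) != registered_domain(shown)

class AnchorScanner(HTMLParser):
    """Collect <a> elements whose visible text contradicts their href."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.flagged = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = "".join(self.text).strip()
            if is_misleading_link(self.href, text):
                self.flagged.append((self.href, text))
            self.href = None

def find_misleading_links(html):
    """Return [(href, text), ...] for every anchor that would get the fraud warning."""
    scanner = AnchorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.flagged
```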

weazil commented 4 years ago

I understand the fraud warnings. I'm trying to understand the random External message; it appeared to be linked to the fraud warning, but I guess it's more that when the email has an external image it's trying to load, that's getting flagged as disarmed, and then it adds the external email header.

Skywalker-11 commented 4 years ago

Ahh ok. Seems like it comes from function `SignExternalMessage`: https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L4996 or https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5008

Which itself is called in `DeliverModifiedBody`: https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5872

https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L6438-L6445 and https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L5460-L5467 call that function. As `$this->{bodymodified}` is probably always false for clean messages, the external warning message can only appear inside a mail that has something flagged by MailScanner.

@shawniverson Changing https://github.com/MailScanner/v5/blob/0a87daf349a638443edd9e3c80f7f33332f703d2/common/usr/share/MailScanner/perl/MailScanner/Message.pm#L6438-L6445

to

```perl
sub DeliverUninfected {
  my $this = shift;
  # Deliver the rebuilt body when it was modified OR when the external
  # warning rule matches, so the warning is added to clean mail too.
  if ($this->{bodymodified} || MailScanner::Config::Value('externalwarning',$this) =~ /1/) {
    # The body of this message has been modified, so reconstruct
    # it from the MIME structure and deliver that.
    #print STDERR "Body modified\n";
    $this->DeliverModifiedBody('cleanheader');
  }
  # ... rest of the function unchanged
}
```

might work. Or evaluate the externalwarning earlier and set `bodymodified` when it matches.

shawniverson commented 4 years ago

@Skywalker-11 thanks for the detailed analysis. I am working on this now.

shawniverson commented 4 years ago

I am going to move this logic earlier in the process. It needs to perform the action on all messages, not just modified ones, and set the `bodymodified` flag.

shawniverson commented 4 years ago

@Skywalker-11 @weazil Please test PR #415 and report back.

weazil commented 4 years ago

Appears to work as expected; all external now being tagged, not just the ones with external images.

weazil commented 4 years ago

Need to double check my rules, but atm it appears to be tagging everything.

weazil commented 4 years ago

```
From: southern-air.com no
From: mail.southern-air.com no
FromOrTo: default yes
```

```
Return-Path: example@southern-air.com
Received: from mail.southern-air.com (localhost [127.0.0.1]) by hermes.southern-air.com (8.14.7/8.14.7) with ESMTP id xAFCkJAC001687 for example2@southern-air.com; Fri, 15 Nov 2019 07:46:19 -0500
Message-ID: bcce7fde991293b714afaebe2610ed1c@mail.southern-air.com
Date: Fri, 15 Nov 2019 07:46:19 -0500
Subject: Test
From: example@southern-air.com
To: example2@southern-air.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_15738219795ebe8f5df9a423928f41e315758ce522=_"
X-southernair-MailScanner-Information: Please contact the ISP for more information
X-southernair-MailScanner-ID: xAFCkJAC001687
X-southernair-MailScanner: Found to be clean
X-southernair-MailScanner-From: example@southern-air.com
X-Spam-Flag: No

--_=_swift_15738219795ebe8f5df9a423928f41e315758ce522=_
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Warning: This message originated from outside the organization. Warning: Use caution when following links or opening attachments.

Test
```
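What the ruleset above should yield for the internal test mail and for an external sender, as an added example that is not part of the thread or of MailScanner's own code: a simplified evaluator for the `Direction: pattern value` rule syntax. It assumes the first matching rule wins and that a bare domain pattern matches any address at exactly that domain; IP, hostname and regex patterns that the real syntax supports are left out.

```python
# Constructed, simplified model of how an external.message.rules file like the
# one above is evaluated. Not MailScanner's Perl code: first match wins and a
# bare domain matches addresses at exactly that domain (both are assumptions).
EXTERNAL_RULES = """\
From: southern-air.com no
From: mail.southern-air.com no
FromOrTo: default yes
"""

def parse_rules(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value.lower()))
    return rules

def address_matches(pattern, address):
    """'default' matches everything; otherwise match the full address or its domain."""
    if pattern == "default":
        return True
    address = address.lower()
    return address == pattern or address.rsplit("@", 1)[-1] == pattern

def evaluate(rules, sender, recipients):
    """Value of the first rule that matches the message, or None if none does."""
    for direction, pattern, value in rules:
        from_hit = address_matches(pattern, sender)
        to_hit = any(address_matches(pattern, r) for r in recipients)
        if direction == "from" and from_hit:
            return value
        if direction == "to" and to_hit:
            return value
        if direction == "fromorto" and (from_hit or to_hit):
            return value
    return None

def wants_external_warning(sender, recipients, rules_text=EXTERNAL_RULES):
    """True when the ruleset says this message should get the external warning."""
    return evaluate(parse_rules(rules_text), sender, recipients) == "yes"
```

With these rules the local test mail (southern-air.com to southern-air.com) hits the first `From:` rule and gets no warning, while a Gmail sender falls through to `FromOrTo: default yes`.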

weazil commented 4 years ago

Can you tell me why, based on my rules, it's tagging everything, external and internal?

shawniverson commented 4 years ago

See PR #419. Let me know if that fixes it.

weazil commented 4 years ago

Quick test appears to have worked. I sent an email locally and from my Gmail, and only Gmail got tagged.

shawniverson commented 4 years ago

@weazil Awesome, thanks!

dpmalyala commented 4 years ago

Hi All, I'm facing a peculiar issue. Mails from gmail.com or any Google/G-Suite hosted site are not triggering the external mail warning. It's working for most other sites. Can someone guide me in this regard? Thanks/DP