
External message warning #413

Closed
weazil opened this issue Nov 12, 2019 · 22 comments

Comments

weazil commented Nov 12, 2019

The External Message Warning only appears to be appended to some messages, the ones that it disarms and adds the

MailScanner has detected a possible fraud attempt from .... claiming to be ....

I would expect all messages to receive the warning if they are not from the domains listed.

@Skywalker-11 (Contributor)

Can you post an example of the source of a mail where the warning is missing?

weazil commented Nov 12, 2019

I took out the email addresses and phone number, but that's just one; I have several. Like I said, the only one it appears to inject the warning into is the one it's disarming.

```
Return-Path: ---
Received: from us-smtp-delivery-126.mimecast.com (us-smtp-delivery-126.mimecast.com [216.205.24.126])
by hermes.southern-air.com (8.14.7/8.14.7) with ESMTP id xACGCbX7008831
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK)
for Tue, 12 Nov 2019 11:12:43 -0500
Received: from IDC-EXCHHT01.driveralliant.com (63.241.24.153
[63.241.24.153]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-221-8_eyPx7xO-WNyGEgZ6L3gQ-14; Tue, 12 Nov 2019 11:12:35 -0500
From: ---
To: ----
Subject: Test
Thread-Topic: Test
Thread-Index: AdWZc+le9TpDtDlzTp+HiYICKCiC8Q==
Date: Tue, 12 Nov 2019 16:11:59 +0000
Message-ID: ----
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-exclaimer-md-config: d0d519bf-d9fd-4064-9e38-e794ce14b114
Content-ID: ----
MIME-Version: 1.0
X-MC-Unique: 8_eyPx7xO-WNyGEgZ6L3gQ-14
X-Mimecast-Spam-Score: 0
Content-Type: text/html; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
X-southernair-MailScanner-Information: Please contact the ISP for more information
X-southernair-MailScanner-ID: xACGCbX7008831
X-southernair-MailScanner: Found to be clean
X-southernair-MailScanner-From: ---
X-Spam-Flag: No

<style type=3D"text/css">P.ImprintUniqueID { =09MARGIN: 0cm 0cm 0pt } LI.ImprintUniqueID { =09MARGIN: 0cm 0cm 0pt } DIV.ImprintUniqueID { =09MARGIN: 0cm 0cm 0pt } TABLE.ImprintUniqueIDTable { =09MARGIN: 0cm 0cm 0pt } DIV.Section1 { =09page: Section1 } </style>
Twst

Sent from my iPhone


Helpdesk Number: 
Helpdesk Email: ----

Service Portal:  to open new tickets, get ticket status and review FAQs.

=93Going beyond merely communicatin= g to =91connecting=92 with our clients=94


This email and its attachments are for the exclusive use of the intended re= cipients, and may contain proprietary information and trade secrets of Alli= ant Insurance Services, Inc. and its subsidiaries. This email may also cont= ain information that is confidential, or otherwise protected from disclosure by contract or law. Any unauthorize= d use, disclosure, or distribution of this email and its attachments is pro= hibited. If you are not the intended recipient, let us know by reply email = and then destroy all electronic and physical copies of this message and attachments. Nothing in this email= or its attachments is intended to be legal, financial, or tax advice, and = recipients are advised to consult with their appropriate advisors regarding= any legal, financial, or tax implications.
```

@shawniverson (Member)

@weazil Flagging this as an unconfirmed bug and will look at it asap. I'll switch to confirmed once I check the logic. In the meantime can you post your phishing settings you currently have in use for me?

shawniverson added the `bug` and `unconfirmed` (issues that are suspected but have not yet been confirmed by developers) labels Nov 13, 2019
weazil commented Nov 13, 2019

```
Find Phishing Fraud = yes
Highlight Phishing Fraud = yes
Highlight Hidden URLs = no
Highlight Mailto Phishing = yes
Also Find Numeric Phishing = %rules-dir%/numeric.phishing.rules
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Modify Subject = yes
Phishing Subject Text = {Fraud?}
```

numeric.phishing.rules:

```
From: 18.215.202.130 no
From: ponos.southern-air.com no
FromOrTo: default yes
```

But I've never seen a subject tagged as Fraud; I've only ever seen Disarm and Spam.

Skywalker-11 commented Nov 14, 2019

Just to make sure you mean the correct thing:
`MailScanner has detected a possible fraud attempt from` is used if the target URI of a link in a mail does not match the text that is displayed for it, e.g.
`<a href="mailto:user@example.com">something@otherdomain.com</a>`. This is added inline, in the middle of the mail where that flagged link is.

This is independent of the External Message Warning (configured via `External Message Warning = %rules-dir%/external.message.rules`), which will flag with `Warning: This message originated from outside the organization.` (appended to the end of the mail) and flags mails not from/to a domain configured in that rules file.

weazil commented Nov 14, 2019

Yes, I understand they are separate; it just seems odd that the only time I see the warning about external emails is in the same emails that get disarmed and display that fraud attempt.

weazil commented Nov 14, 2019

Got 2 emails from Dell: 1 from the Dell rep confirming the order, with no external message or fraud/disarmed, and 1 from the automated system confirming the order that said disarmed and had the fraud warning and external warning in it. Basically the same email, just different origins.

Here's a screenshot: 2 emails, nothing but a link and a subject in both, one that says "click here" with a link to test.com, another that says "sex.com" with a link to test.com, triggering the fraud piece.

[Screenshots: Screenshot_20191113-204735_Gmail, Screenshot_20191113-205021_Gmail, Screenshot_20191113-205003_Gmail]

weazil commented Nov 14, 2019

Just noticed it didn't have the external warning, but one from a different site with the disarm tag did.

[Screenshot: Screenshot_20191113-205317_Gmail]

@Skywalker-11 (Contributor)

> Got 2 emails from dell 1 from the dell rep confirming the order no external message or fraud / disarmed... 1 from the automated system confirming the order that said disarmed and had the fraud warning and external warning in it basically the same email just diff origins

This is the intended behavior.
In the disarmed mail the display text of the link (here sex.com) is interpreted by MailScanner as some kind of URI (as it is an FQDN), and as such it is going to check whether the text matches the link target.

For the second mail the "Click here" display text is not some kind of URI, and as such it will not be checked. There is nothing it could use as a reference to say whether it is misleading.

Some more examples:

These would not be flagged, as the text is not some kind of URI:

```html
<a href="mailto:user@example.org">click here to get all your wishes fulfilled</a>
<a href="web.example.org">click here to get rich</a>
```

These would be flagged, as they contain some kind of link/FQDN that doesn't match the link target:

```html
<a href="mailto:user@example.org">contact user@totalotherdomain.com</a>
<a href="web.example.org">go to github.com</a>
<a href="https://web.example.org">go to github.com</a>
<a href="https://web.example.org">go to https://github.com</a>
```

These would not be flagged, as the link target matches the text:

```html
<a href="https://web.example.org">go to https://web.example.org</a>
<a href="https://web.example.org">go to https://example.org</a>  <!-- subdomains can be ignored -->
<a href="https://web.example.org">go to web.example.org</a>
<a href="mailto:user@example.org">send mail: user@example.org</a>
```
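
The display-text-versus-target rule Skywalker-11 describes above, written out as an added Python example (not MailScanner's own Perl code, and not part of the original thread). It assumes that "looks like a URI" means the visible text contains an e-mail address, a URL or a bare dotted hostname, and that "subdomains can be ignored" is approximated by comparing only the last two DNS labels; the anchors in `SAMPLE_HTML` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample anchors (not taken from the mails in this issue).
SAMPLE_HTML = """
<a href="mailto:user@example.org">click here to get all your wishes fulfilled</a>
<a href="https://web.example.org">click here to get rich</a>
<a href="mailto:user@example.org">contact user@totalotherdomain.com</a>
<a href="https://web.example.org">go to github.com</a>
<a href="https://web.example.org">go to https://github.com</a>
<a href="https://web.example.org">go to https://example.org</a>
<a href="https://web.example.org">go to web.example.org</a>
<a href="mailto:user@example.org">send mail: user@example.org</a>
"""

# Assumption: display text is "URI-like" if it contains an e-mail address,
# a URL, or a dotted hostname whose last label is alphabetic.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-zA-Z]{2,})(?:[/?#:]\S*)?")


def registrable(host):
    """Collapse a hostname to its last two labels so subdomains are ignored.
    Assumption: a two-label suffix; production code should use the Public
    Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def target_domain(href):
    """Registrable domain the anchor really points at, or None."""
    href = href.strip()
    if href.lower().startswith("mailto:"):
        m = EMAIL_RE.search(href[len("mailto:"):])
        return registrable(m.group(1)) if m else None
    if "://" not in href:
        href = "http://" + href  # bare "web.example.org" style targets
    host = urlsplit(href).hostname
    return registrable(host) if host else None


def displayed_domains(text):
    """Domains a reader would infer from the visible link text; empty for
    plain words such as 'click here', which gives the check no reference."""
    found = {registrable(m.group(1)) for m in EMAIL_RE.finditer(text)}
    without_mail = EMAIL_RE.sub(" ", text)
    found |= {registrable(m.group(1)) for m in HOST_RE.finditer(without_mail)}
    return found


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML part."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_fraud(html):
    """Return the (href, text) pairs whose visible text names a domain other
    than the one the link actually leads to."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        target, shown = target_domain(href), displayed_domains(text)
        if target and shown and target not in shown:
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in find_fraud(SAMPLE_HTML):
        print(f"possible fraud attempt: text {text!r} points to {href!r}")
```

Running it flags only the three anchors whose text names github.com or totalotherdomain.com; the "click here" anchors are skipped because `displayed_domains` finds nothing to compare against, which is exactly why the Dell rep's mail in the screenshots above went through untouched.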

weazil commented Nov 14, 2019

I understand the fraud warnings. I'm trying to understand the random External message warning; it appeared to be linked to the fraud warning, but I guess it's more that when the email has an external image it's trying to load, that gets flagged as disarmed, and then it adds the external email header.

@Skywalker-11 (Contributor)

Ahh ok.
Seems like it comes from the function `SignExternalMessage`:

```perl
$warning = $this->ReadExternalWarning('inlineexternalhtml');
```

or

```perl
$warning = $this->ReadExternalWarning('inlineexternaltext');
```

which itself is called in `DeliverModifiedBody`:

```perl
$this->SignExternalMessage($this->{entity});
```

```perl
sub DeliverCleaned {
  my $this = shift;
  # The body of this message has been modified, so reconstruct
  # it from the MIME structure and deliver that.
  #print STDERR "Delivering cleaned up message " . $this->{id} . "\n";
  $this->DeliverModifiedBody('dirtyheader');
}
```

and

```perl
sub DeliverUninfected {
  my $this = shift;
  if ($this->{bodymodified}) {
    # The body of this message has been modified, so reconstruct
    # it from the MIME structure and deliver that.
    #print STDERR "Body modified\n";
    $this->DeliverModifiedBody('cleanheader');
  } else {
```

call that function. As with clean messages `$this->{bodymodified}` is probably always false, the external warning message can only appear inside a mail that has something flagged by MailScanner.

@shawniverson Changing

```perl
sub DeliverCleaned {
  my $this = shift;
  # The body of this message has been modified, so reconstruct
  # it from the MIME structure and deliver that.
  #print STDERR "Delivering cleaned up message " . $this->{id} . "\n";
  $this->DeliverModifiedBody('dirtyheader');
}
```

to

```perl
sub DeliverUninfected {
  my $this = shift;
  if ($this->{bodymodified} || MailScanner::Config::Value('externalwarning',$this) =~ /1/) {
    # The body of this message has been modified, so reconstruct
    # it from the MIME structure and deliver that.
    #print STDERR "Body modified\n";
    $this->DeliverModifiedBody('cleanheader');
```

might work. Or evaluate the `externalwarning` setting earlier and set `bodymodified` when it matches.

@shawniverson (Member)

@Skywalker-11 thanks for the detailed analysis. I am working on this now.

shawniverson added the `Confirmed` label and removed the `unconfirmed` label Nov 15, 2019
@shawniverson (Member)

I am going to move this logic earlier in the process. It needs to perform the action on all messages, not just modified ones, and set the `bodymodified` flag.

@shawniverson (Member)

@Skywalker-11 @weazil Please test PR #415 and report back.

weazil commented Nov 15, 2019

Appears to work as expected; all external mail is now being tagged, not just the messages with external images.

weazil commented Nov 15, 2019

Need to double-check my rules, but at the moment it appears to be tagging everything.

weazil commented Nov 15, 2019

```
From: southern-air.com no
From: mail.southern-air.com no
FromOrTo: default yes
```

```
Return-Path: example@southern-air.com
Received: from mail.southern-air.com (localhost [127.0.0.1])
by hermes.southern-air.com (8.14.7/8.14.7) with ESMTP id xAFCkJAC001687
for example2@southern-air.com; Fri, 15 Nov 2019 07:46:19 -0500
Message-ID: bcce7fde991293b714afaebe2610ed1c@mail.southern-air.com
Date: Fri, 15 Nov 2019 07:46:19 -0500
Subject: Test
From: example@southern-air.com
To: example2@southern-air.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=swift_1573821979_5ebe8f5df9a423928f41e315758ce522="
X-southernair-MailScanner-Information: Please contact the ISP for more information
X-southernair-MailScanner-ID: xAFCkJAC001687
X-southernair-MailScanner: Found to be clean
X-southernair-MailScanner-From: example@southern-air.com
X-Spam-Flag: No

--=swift_1573821979_5ebe8f5df9a423928f41e315758ce522=
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Warning: This message originated from outside the organization.
Warning: Use caution when following links or opening attachments.

Test
```
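
How the external.message.rules decision is supposed to come out for the two cases in this thread, as an added Python example (not MailScanner's Perl implementation, and not part of the original issue): Skywalker-11's description earlier that the warning applies to mails not from/to a configured domain, and weazil's internal test mail above that should have matched `From: southern-air.com no`. The rules file and both envelopes are constructed for the example (the external client IP is from the TEST-NET-3 documentation range); the pattern forms implemented in `address_matches`, including bare domains covering their subdomains, are an assumed subset of the real rules syntax, and first match wins with `default` as the catch-all.

```python
import re

# Constructed rules file in the shape of the one posted above (example only;
# not the real file on that system). First match wins; "default" belongs last.
RULES = """\
# direction  pattern                 value
From:        127.0.0.1               no
From:        southern-air.com        no
From:        mail.southern-air.com   no
FromOrTo:    default                 yes
"""

# Constructed envelopes: INTERNAL mirrors the locally submitted test mail
# above, EXTERNAL a mail relayed in from a foreign domain (203.0.113.0/24
# is the TEST-NET-3 documentation range, not a real sender).
INTERNAL = dict(sender="example@southern-air.com",
                recipients=["example2@southern-air.com"], client_ip="127.0.0.1")
EXTERNAL = dict(sender="someone@gmail.com",
                recipients=["example2@southern-air.com"], client_ip="203.0.113.5")

WARNING = ("Warning: This message originated from outside the organization.\n"
           "Warning: Use caution when following links or opening attachments.\n")

IP_PATTERN = re.compile(r"^[\d.]+$")


def parse_rules(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value.strip().lower()))
    return rules


def address_matches(pattern, address):
    """Assumed subset of pattern forms: full address, 'user@', '@domain',
    bare domain (taken here to cover its subdomains as well) and /regex/."""
    address = address.lower()
    local, _, domain = address.partition("@")
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], address) is not None
    if pattern.endswith("@"):
        return local == pattern[:-1]
    if pattern.startswith("@"):
        return domain == pattern[1:]
    if "@" in pattern:
        return address == pattern
    return domain == pattern or domain.endswith("." + pattern)


def evaluate(rules, sender, recipients, client_ip):
    """First-match evaluation. IP patterns are prefix matches on the
    connecting client; everything else matches envelope addresses."""
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        if IP_PATTERN.match(pattern):
            from_hit, to_hit = client_ip.startswith(pattern), False
        else:
            from_hit = address_matches(pattern, sender)
            to_hit = any(address_matches(pattern, r) for r in recipients)
        if ((direction == "from" and from_hit) or (direction == "to" and to_hit)
                or (direction == "fromorto" and (from_hit or to_hit))
                or (direction == "fromandto" and from_hit and to_hit)):
            return value
    return "no"  # nothing matched and no default line: do not sign


def add_warning(body, rules, msg):
    """Decide for every message, regardless of whether the body was already
    modified for another reason, and prepend the warning when the rules say yes."""
    return WARNING + body if evaluate(rules, **msg) == "yes" else body


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for name, msg in (("internal", INTERNAL), ("external", EXTERNAL)):
        print(f"{name}: externalwarning = {evaluate(rules, **msg)}")
```

With these rules the internal mail stops at the first matching `From:` line and is left alone, while the Gmail sender falls through to `default yes` and gets the two warning lines; the decision itself never looks at whether anything else was disarmed, which is the property the fix in this thread needed.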

weazil commented Nov 17, 2019

Can you tell me why, based on my rules, it's tagging everything, external and internal?

@shawniverson (Member)

See PR #419 . Let me know if that fixes it.

weazil commented Nov 18, 2019

Quick test appears to have worked. I sent an email locally and from my Gmail, and only the Gmail one got tagged.

@shawniverson (Member)

@weazil Awesome, thanks!

@dpmalyala

Hi all,
I'm facing a peculiar issue. Mails from gmail.com or any Google/G Suite hosted site are not triggering the external mail warning. It's working for most other sites.
Can someone guide me in this regard?
Thanks/DP
