Posted to users@spamassassin.apache.org by Jean-Paul Natola <jn...@familycareintl.org> on 2008/08/22 15:59:04 UTC

e greeting exe link

Is there a rule out there to stop messages that claim to be an egreeting
with an exe in the link?

Here are the properties of the link:

http://ns1.shinwa-com.co.jp/~denso/card.exe

thx

Jean-Paul

RE: e greeting exe link

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-08-27 at 18:34 -0700, John Hardin wrote:
> On Thu, 28 Aug 2008, Michael Hutchinson wrote:
> 
> > I would be hoping to match the same sort of URL:
> > http://ns1.shinwa-com.co.jp/~denso/card.exe
> >
> > But only match it from the last trailing / character. In other words, if 
> > the message carries a link to "card.exe" at any address, it will be 
> > marked up.
> 
> Why do you care about the part before the period? You don't like card.exe 
> but you trust card1.exe?

Exactly my point!  (see that other thread)


> > My thoughts were that all I would need is a rule like:
> > uri MY_EXE_URI /card.exe/i
> >
> > Or do I need to actually match all of the stuff before that, using a 
> > wildcard for example?
> 
> Look back a couple of messages, a good short version was posted.

That would be my post. Thanks! :)

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


RE: e greeting exe link

Posted by John Hardin <jh...@impsec.org>.
On Thu, 28 Aug 2008, Michael Hutchinson wrote:

>> Why do you care about the part before the period? You don't like 
>> card.exe but you trust card1.exe?
>
> Good point, but I wouldn't like to block all .exe's. Our local users 
> won't bother zipping stuff and will complain. I was going to be happy 
> with just adding some quick firing rules manually for exe's that I 
> specify.

This rule won't hit unless they are mailing around URIs - URI rules do not 
check attachment names.

And, you probably do not want to be scanning purely internal emails in the 
first place...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Look at the people at the top of both efforts. Linus Torvalds is a
   university graduate with a CS degree. Bill Gates is a university
   dropout who bragged about dumpster-diving and using other peoples'
   garbage code as the basis for his code. Maybe that has something to
   do with the difference in quality/security between Linux and
   Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
  Today: Exercise Your Rights day

RE: e greeting exe link

Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: John Hardin [mailto:jhardin@impsec.org]
> Sent: 28 August 2008 1:35 p.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: RE: e greeting exe link
> 
> On Thu, 28 Aug 2008, Michael Hutchinson wrote:
> 
> > I would be hoping to match the same sort of URL:
> > http://ns1.shinwa-com.co.jp/~denso/card.exe
> >
> > But only match it from the last trailing / character. In other words, if
> > the message carries a link to "card.exe" at any address, it will be
> > marked up.
> 
> Why do you care about the part before the period? You don't like card.exe
> but you trust card1.exe?

Good point, but I wouldn't like to block all .exe's. Our local users
won't bother zipping stuff and will complain. I was going to be happy
with just adding some quick firing rules manually for exe's that I
specify.

I guess if that doesn't make sense, let's not bother too much about it :)

> > My thoughts were that all I would need is a rule like:
> > uri MY_EXE_URI /card.exe/i
> >
> > Or do I need to actually match all of the stuff before that, using a
> > wildcard for example?
> 
> Look back a couple of messages, a good short version was posted.

Nice - thanks for your reply, John.

Cheers,
Michael Hutchinson
Manux Solutions Limited.


RE: e greeting exe link

Posted by John Hardin <jh...@impsec.org>.
On Thu, 28 Aug 2008, Michael Hutchinson wrote:

> I would be hoping to match the same sort of URL:
> http://ns1.shinwa-com.co.jp/~denso/card.exe
>
> But only match it from the last trailing / character. In other words, if 
> the message carries a link to "card.exe" at any address, it will be 
> marked up.

Why do you care about the part before the period? You don't like card.exe 
but you trust card1.exe?

> My thoughts were that all I would need is a rule like:
> uri MY_EXE_URI /card.exe/i
>
> Or do I need to actually match all of the stuff before that, using a 
> wildcard for example?

Look back a couple of messages, a good short version was posted.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Insofar as the police deter by their presence, they are very, very
   good. Criminals take great pains not to commit a crime in front of
   them.                                             -- Jeffrey Snyder
-----------------------------------------------------------------------
  Tomorrow: Exercise Your Rights day

Re: e greeting exe link [SOLVED]

Posted by Matt Kettler <mk...@verizon.net>.
Michael Hutchinson wrote:
>
> Nice, that's going to help me tidy up some of my other custom rules.
> Once again, Thank-you Matt for the clarity on this issue. <big grins> -
> happy SA user.
>   
No problem.

One final suggestion. Take some time to read:

http://wiki.apache.org/spamassassin/WritingRules

This covers many of these topics.



RE: e greeting exe link [SOLVED]

Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler_sa@verizon.net]
> Sent: 28 August 2008 1:49 p.m.
> To: Michael Hutchinson
> Cc: users@spamassassin.apache.org
> Subject: Re: e greeting exe link
> 
> Michael Hutchinson wrote:
> >
> > But only match it from the last trailing / character. In other words, if
> > the message carries a link to "card.exe" at any address, it will be
> > marked up.
> >
> > My thoughts were that all I would need is a rule like:
> > uri MY_EXE_URI /card.exe/i
> >
> Caution: . is a wildcard, so the above will match "card exe" "card1exe"
> etc.
> 
> Add a \ to force it to be a literal period character.
> 
> uri MY_EXE_URI /card\.exe/i
> 
> That still runs some risk of matching things you don't want, like parts
> of the domain, etc.
> 
> I might tighten it up a bit more by adding the / in. trying to match
> "/card.exe" instead of just "card.exe"
> Again, we need a \ or the / will be interpreted as the end of the
> expression, so we add \/
> 
> uri MY_EXE_URI /\/card\.exe/i

That's got it sorted - precisely what I'm after.. Thank-you Matt for
clearing this up! I'm going to employ some new rules straight away :)


> > Or do I need to actually match all of the stuff before that, using a
> > wildcard for example?
> >
> No, you don't. Regexes will match a substring. Adding .* to the
> beginning or end of a regex is a superfluous waste, and has no effect
> whatsoever on the strings matched.
> 
> ( note:  .* is regex syntax for 0 or more wildcards, equivalent to a
> command-line *)

Yay, I thought the complicated matching of http or ftp links in the
original rule was unnecessary.

Nice, that's going to help me tidy up some of my other custom rules.
Once again, Thank-you Matt for the clarity on this issue. <big grins> -
happy SA user.

Cheers,
Michael Hutchinson
Manux Solutions.

Re: e greeting exe link

Posted by Matt Kettler <mk...@verizon.net>.
Michael Hutchinson wrote:
>
> But only match it from the last trailing / character. In other words, if
> the message carries a link to "card.exe" at any address, it will be
> marked up.
>
> My thoughts were that all I would need is a rule like:
> uri MY_EXE_URI /card.exe/i
>   
Caution: . is a wildcard, so the above will match "card exe" "card1exe" etc.

Add a \ to force it to be a literal period character.

uri MY_EXE_URI /card\.exe/i

That still runs some risk of matching things you don't want, like parts
of the domain, etc.

I might tighten it up a bit more by adding the / in. trying to match
"/card.exe" instead of just "card.exe"
Again, we need a \ or the / will be interpreted as the end of the
expression, so we add \/

uri MY_EXE_URI /\/card\.exe/i


> Or do I need to actually match all of the stuff before that, using a
> wildcard for example? 
>   
No, you don't. Regexes will match a substring. Adding .* to the
beginning or end of a regex is a superfluous waste, and has no effect
whatsoever on the strings matched.

( note:  .* is regex syntax for 0 or more wildcards, equivalent to a
command-line *)
> Thanks in advance for any light shed upon the matter,
>
>   

RE: e greeting exe link

Posted by Michael Hutchinson <mh...@manux.co.nz>.
> -----Original Message-----
> From: Randal, Phil [mailto:prandal@herefordshire.gov.uk]
> Sent: 23 August 2008 2:05 a.m.
> To: Jean-Paul Natola; users@spamassassin.apache.org
> Subject: RE: e greeting exe link
> 
> uri       MY_EXECUTABLE_URI    /^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
> describe  MY_EXECUTABLE_URI    Links to an executable file
> score     MY_EXECUTABLE_URI    3.00
> 
> Mind the linewrap.

Hello Everyone,

Does anyone have a rule that's not such a complex regex? I couldn't get
this one to expand properly with the Regex Expander over at SARE
(http://www.rulesemporium.com/cgi-bin/expand_regex.cgi) - even
downloading the Perl script and running it locally produces unexpected
results from this rule.

I would be hoping to match the same sort of URL:
http://ns1.shinwa-com.co.jp/~denso/card.exe

But only match it from the last trailing / character. In other words, if
the message carries a link to "card.exe" at any address, it will be
marked up.

My thoughts were that all I would need is a rule like:
uri MY_EXE_URI /card.exe/i

Or do I need to actually match all of the stuff before that, using a
wildcard for example? 

Thanks in advance for any light shed upon the matter,

Cheers,
Michael Hutchinson
Manux Solutions


RE: e greeting exe link

Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
uri       MY_EXECUTABLE_URI    /^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$/i
describe  MY_EXECUTABLE_URI    Links to an executable file
score     MY_EXECUTABLE_URI    3.00 

Mind the linewrap.

Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Jean-Paul Natola [mailto:jnatola@familycareintl.org] 
Sent: 22 August 2008 14:59
To: users@spamassassin.apache.org
Subject: e greeting exe link

Is there a rule out there to stop messages that claim to be an
egreeting with an exe in the link?

Here are the properties of the link:

http://ns1.shinwa-com.co.jp/~denso/card.exe

thx
 
Jean-Paul
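
Added example, not part of the thread and not SpamAssassin code: the four rule bodies posted above (the three card.exe variants and MY_EXECUTABLE_URI) run against constructed URIs to show which ones fire and where each over- or under-matches. Python's `re` stands in for Perl regexes, an assumption that holds for these particular patterns; the rule labels and the `.example` hosts are made up for the illustration.

```python
import re

# Rule bodies quoted from the thread; SpamAssassin's /i flag becomes re.I here.
# The dictionary keys are labels invented for this example.
RULES = {
    "dot_unescaped": r"card.exe",
    "dot_escaped": r"card\.exe",
    "slash_anchored": r"\/card\.exe",
    "any_executable": (r"^(?:https?|ftp):\/\/[^\s?]{1,80}\/[^\s?]{1,80}"
                       r"\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat)$"),
}

# Constructed sample URIs (hypothetical hosts under the reserved .example TLD).
SAMPLES = [
    "http://host.example/~user/card.exe",            # the case asked about
    "http://host.example/~user/card1.exe",           # "you trust card1.exe?"
    "http://host.example/postcard_exes/index.html",  # '.' matching '_'
    "http://mycard.exe.example/index.html",          # match inside the host name
    "http://host.example/dl/card.exe?id=1",          # query string after the name
]

def hits(uri, rules=RULES):
    """Return the names of the rules that fire on one URI.

    re.search matches anywhere in the string, like an unanchored Perl regex.
    """
    return [name for name, body in rules.items()
            if re.search(body, uri, re.I)]

def wildcard_is_redundant(body, uris=SAMPLES):
    """True if wrapping the rule body in .* leaves the matched set unchanged."""
    padded = ".*" + body + ".*"
    return all(bool(re.search(body, u, re.I)) == bool(re.search(padded, u, re.I))
               for u in uris)

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:48} {', '.join(hits(uri)) or '-'}")
    print("'.*' padding redundant:", wildcard_is_redundant(RULES["slash_anchored"]))
```

The last sample is a coverage check for the anchored rule: `[^\s?]` together with `$` means a link carrying a query string is not scored by MY_EXECUTABLE_URI, while the unanchored `\/card\.exe` still fires.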