To score/block on an empty subject, put

^$

into 'bombSubjectRe'


To score/block on a body that contains absolutely nothing other than URL(s), put

<<<^(?:(?:[\s\r\n]*(?:<[^>]*>)*)*(?:ht|f)tps?\:\/\/(?:\w[\w\.\-]*\.\w\w+|\[[\d\.]*\.\d+\])(?:[\s\r\n]*(?:<[^>]*>)*)*|(?:[\s\r\n]*(?:<[^>]*>)*[\s\r\n]*<.+?(?:ht|f)tps?\:\/\/(?:\w[\w\.\-]*\.\w\w+|\[[\d\.]*\.\d+\]).*?>)+.*?(?:[\s\r\n]*(?:<[^>]*>)+)+)+$>>>

into 'bombDataRe'

This regex will match on text-only, html-only and alternative text+html
bodies. Each of the following examples will be detected in any combination
and count:

http://www.google.de  (URL as simple text)
<a href=http://www.google.de/><font size=2 face="sans-serif">click here</font></a><font size=2 face="sans-serif"><br>    (link on a text)
<a href=http://www.google.de/><font size=2 face="sans-serif">http://www.google.de</font></a><font size=2 face="sans-serif"><br>   (link on a URL)

as long as there is nothing other than linked text, HTML tags, spaces and
linefeeds in the body.
Because ASSP ignores all attachments and inline files for all bomb checks,
the following will also match:

<a href=http://www.google.de/><img height=12 width=12 src="' . wikiinfo . '" alt="Network Flow" /></a>    (link on an image)

All GPB users will get this regex at the next connection to the GPB 
server.

Thomas



From:    "Gary Sunderland" <[email protected]>
To:      "'ASSP development mailing list'" <[email protected]>
Date:    19.01.2011 23:54
Subject: Re: [Assp-test] Block URL only emails with special message?




I have this issue as well. Whitelisted clients with yahoo or aol accounts
that get compromised and randomly send the single URL email or similar.
Most are sent to 7-12 email accounts all listed in the to: field, most
addresses seem real, but sometimes you can tell they are randomly generated.

Yesterday the subject was: Someone secretly admires you and they sent an
eCard to you.
Content-Type: text/plain; charset=us-ascii
http://1po.it/2j 
Received: from [_._._._] by web43505.mail.sp1.yahoo.com via HTTP; Mon, 17
Jan 2011 12:02:06 PST
X-Mailer: YahooMailRC/555 YahooMailWebService/0.8.107.285259

However, it is scored at 50 and listed as probable
X-Assp-Score: 50 (Bayesian Probability: 1.0000)

Last week no subject:
http://vusadacu.110mb.com/tylequti.html
Choos eYourT ime
Received: from [_._._._] by web36903.mail.mud.yahoo.com via HTTP; Sat, 15
Jan 2011 22:15:55 PST
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259

Again scored at 50

>>The problem with these hacked accounts is that they are really coming 
>>from the yahoo and aol servers.



>Hacked accounts? That are normal accounts from people with bad intentions.
>How comes, that they are whitelisted in your installation?
>I never had one whitelisted in my servers.


------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
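
A small harness for trying the 'bombDataRe' pattern from the top of this thread against sample bodies before enabling it, as an added example (not part of the original messages and not ASSP code). Assumptions: Python's `re` stands in for ASSP's Perl regex engine, the `<<<`/`>>>` wrapper is dropped as ASSP syntax, the flags are a guess, and every sample body is constructed.

```python
import re

# Pattern copied from the message; the <<< >>> wrapper is dropped on the
# assumption that it is ASSP configuration syntax, not part of the regex.
URL_ONLY_BODY = (
    r'^(?:(?:[\s\r\n]*(?:<[^>]*>)*)*(?:ht|f)tps?\:\/\/'
    r'(?:\w[\w\.\-]*\.\w\w+|\[[\d\.]*\.\d+\])(?:[\s\r\n]*(?:<[^>]*>)*)*'
    r'|(?:[\s\r\n]*(?:<[^>]*>)*[\s\r\n]*<.+?(?:ht|f)tps?\:\/\/'
    r'(?:\w[\w\.\-]*\.\w\w+|\[[\d\.]*\.\d+\]).*?>)+.*?'
    r'(?:[\s\r\n]*(?:<[^>]*>)+)+)+$'
)

# Assumed flags: the message does not say how ASSP compiles the pattern.
FLAGS = re.IGNORECASE | re.DOTALL


def is_url_only(body):
    """Return True when the whole body matches the URL-only pattern."""
    return re.search(URL_ONLY_BODY, body, FLAGS) is not None


FONT = '<font size=2 face="sans-serif">'
LINK = '<a href=http://www.google.de/>'

# Constructed bodies. The first four follow the examples in the message
# (the image src is a placeholder); the last three are extra test cases.
SAMPLES = {
    "plain URL": "http://www.google.de",
    "link on text": LINK + FONT + "click here</font></a>" + FONT + "<br>",
    "link on URL": LINK + FONT + "http://www.google.de</font></a>" + FONT + "<br>",
    "link on image": LINK + '<img height=12 width=12 src="cid:placeholder" alt="Network Flow" /></a>',
    "plain URL with a path": "http://example.com/2j",
    "sentence around a URL": "Please review http://www.google.de today",
    "paragraph before a link": "<p>Quarterly report attached.</p>" + LINK + "open</a>",
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the pattern flags its body."""
    return {name: is_url_only(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

Under these assumptions the four bodies modelled on the message match, the plain-text URL with a path and the sentence do not, and the HTML paragraph followed by a link does; the path and paragraph cases are the ones to compare against real mail before the rule is set to block rather than score.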



