Sorry for the trouble, everyone… I had been forwarding the spam through my 
personal IMAP account (to test my rule) which was apparently blocking it. I 
forwarded it using my gmail account and my new rule fired. I feel like an idiot.

Steve



On 1/31/17, 2:53 PM, "John Hardin" <jhar...@impsec.org> wrote:

    On Tue, 31 Jan 2017, Zinski, Steve wrote:
    
    > Here’s the “view source” of the message in question.
    >
    > http://pastebin.com/AnwkAf9t
    >
    > Again, it’s line 88 that I’m trying to match.
    
    ...let's try this again...
    
    A uri rule hits that here:
    
    Jan 31 09:21:07.423 [21842] dbg: rules: ran uri rule __ALL_URI ======> got hit: "http://trc.spam_domain_redacted.com/redirect.php?email=redac...@uronline.net"
    
    It also hits an existing rule:
    
    Jan 31 09:21:07.525 [21842] dbg: rules: ran rawbody rule __BUGGED_IMG ======> got hit: "<img src="http://trc.spam_domain_redacted.com/redirect.php?email=re"
    
    
    > On 1/31/17, 11:36 AM, "John Hardin" <jhar...@impsec.org> wrote:
    >
    >    On Tue, 31 Jan 2017, Zinski, Steve wrote:
    >
    >    > I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this:
    >    >
    >    > </table>
    >    > <DEFANGED_IMG src="http://trc.spammersdomain.com/redirect.php?email=redac...@richmond.edu">
    >    > </body>
    >    > </html>
    >    >
    >    > Every single rule that I’ve written fails to detect that redirect.php URI. I’ve even tried a rule that simply reads:
    >    >
    >    > full          my_rule                 /redirect/is
    >    > score         my_rule                 10.0
    >    >
    >    > No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve even shortened the search string to “redi” (it’s a unique word) and still no match. I’ve been writing rules for many years and this is the first time I’ve seen this behavior. Any ideas?
    >
    >    If you have a rule dev environment (vs. testing rules in your live
    >    install) I've found something like this to be really useful:
    >
    >           uri     __ALL_URI   /.*/
    >           tflags  __ALL_URI   multiple
    >
    >    Then all the detected URIs appear in the rule hits debug output.
    >
    >    Post the full email on Pastebin or similar, we can't meaningfully comment
    >    on what you provided beyond "uri *should* work for that".
    
    -- 
      John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
      jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
      key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
      Tomorrow: the 14th anniversary of the loss of STS-107 Columbia
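A rule-development setup for the approach John describes, added here as an example and not taken from the thread: a throwaway rules file carrying the __ALL_URI listing rule from his message plus an assumed scoring rule for the redirect.php URI (the rule name MY_REDIRECT_URI, its pattern and its score are illustrative, not something anyone in the thread posted), with the commands to lint it and run a saved copy of the spam through SpamAssassin with rule debugging switched on.

```conf
# test_rules.cf  -- put this in a scratch site-config directory, not the live install.
#
# Check the syntax first, then run a raw saved copy of the spam through it with
# rule debugging on and keep only the hit lines:
#
#   spamassassin --lint --siteconfigpath=/path/to/scratch-rules
#   spamassassin -t -D rules --siteconfigpath=/path/to/scratch-rules < spam.eml 2>&1 | grep 'got hit'

# Lists every URI SpamAssassin extracts from the message, so the debug log shows
# exactly what the uri rules get to see. Names starting with __ are subrules and
# carry no score of their own.
uri     __ALL_URI   /.*/
tflags  __ALL_URI   multiple

# Assumed example rule. uri rules run against the extracted URI string, not the
# surrounding HTML, so the pattern must not include "<img" or "src=".
uri       MY_REDIRECT_URI  /\/redirect\.php\?email=/i
describe  MY_REDIRECT_URI  Tracking redirect URI carrying the recipient address
score     MY_REDIRECT_URI  10.0
```

With __ALL_URI in place, every extracted URI appears as its own "ran uri rule __ALL_URI ======> got hit" line, which is the quickest way to tell whether a uri rule is failing because the pattern is wrong or because the URI was never extracted. Run the test against the spam as it was originally delivered rather than a copy re-sent from a mail client: the thread shows that the forwarding path itself can stop the message from ever reaching the rule.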
