On Tue, 20 Jun 2017, Alex wrote:
Hi,
On Tue, Jun 20, 2017 at 1:40 PM, John Hardin <jhar...@impsec.org> wrote:
On Tue, 20 Jun 2017, Alex wrote:
Hi,
We've been receiving empty messages (or what appear to be empty body
messages) delivered to undisclosed-recips and I wanted to figure out
how to block them.
This one wasn't blocked at the time it was received, but somehow is now.
https://pastebin.com/inS6qiiG
I noticed despite there being no actual URI that I can see in the
body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
still hits. Just what does SA consider to be a URI?
meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
uri __HAS_ANY_URI /./
Running the message through debug doesn't show me what it considered
to be the URI in this message.
Add this to your test environment:
uri __ALL_URI /.+/
dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"
ran uri rule __ALL_URI ======> got hit: "gmail.com"
Is it from the From or Message-ID?
It shouldn't be from either.
Is your local test message *exactly* what you uploaded to pastebin?
Because that does not hit URIs here, at all.
If you edited your local test message, check to verify you didn't
accidentally add a blank line in the middle of the message headers that
could potentially have pushed message header(s) down into the body. Apart
from that, I have no ideas.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Taking my gun away because I *might* shoot someone is like cutting
my tongue out because I *might* yell "Fire!" in a crowded theater.
-- Peter Venetoklis
-----------------------------------------------------------------------
82 days since the first commercial re-flight of an orbital booster (SpaceX)
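
The check suggested in the last reply (a stray blank line in the header block pushing header lines such as From or Message-ID down into the body, where body and URI rules then see them) can be done mechanically. The following is an added example, not part of the thread and not SpamAssassin code; the function name, the header-name list and both sample messages are constructed for illustration.

```python
import re

# Field names that belong in the header block (an assumed, non-exhaustive list).
HEADER_NAME = re.compile(
    r"^(From|To|Cc|Date|Subject|Message-ID|Reply-To|Return-Path|Received|"
    r"MIME-Version|Content-[A-Za-z-]+|X-[A-Za-z0-9-]+):",
    re.IGNORECASE,
)

def headers_leaked_into_body(raw, scan_lines=20):
    """Return header field names found at the very top of the body.

    The first blank line ends the header block. If the lines right after it
    still look like header fields, the message was split too early and those
    lines are being treated as body text.
    """
    text = raw.replace("\r\n", "\n")
    _head, sep, body = text.partition("\n\n")
    if not sep:
        return []  # no header/body separator, so no body to inspect
    leaked = []
    for line in body.lstrip("\n").split("\n")[:scan_lines]:
        m = HEADER_NAME.match(line)
        if m:
            leaked.append(m.group(1))
        elif line[:1] in (" ", "\t") and leaked:
            continue  # folded continuation of a leaked header line
        else:
            break  # first real body line (or blank line) ends the scan
    return leaked

# Constructed sample: header block intact, near-empty HTML body.
INTACT = "\n".join([
    "Received: from mail.example.net by mx.example.org; Tue, 20 Jun 2017 13:00:00 -0400",
    "To: undisclosed-recipients:;",
    'From: "Sender" <sender@example.com>',
    "Message-ID: <abc123@mail.example.com>",
    "Subject: ",
    "",
    "<div></div>",
    "",
])

# Constructed sample: same message with an accidental blank line after "To:".
BROKEN = INTACT.replace("To: undisclosed-recipients:;\n",
                        "To: undisclosed-recipients:;\n\n", 1)

if __name__ == "__main__":
    for name, msg in (("intact", INTACT), ("broken", BROKEN)):
        print(name, headers_leaked_into_body(msg))
```

A non-empty result on the local test copy but not on the original upload would point to the edit, rather than the rule, as the source of the unexpected URI hit.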