Re: [sa] Re: Bogus mails from hijacked accounts
On Fri, 2010-03-12 at 13:19 -0500, Charles Gregory wrote:
> > describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
> > header __FORGED_YH1 From =~ /\...@yahoo\.com/i
> > header __FORGED_YH2 Reply-to =~ /\...@yahoo\.com/i
> > meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)
>
> The problem with this is that the !__FORGED_YH2 matches
> when there is *NO* Reply-To header at all!
>
> You need something like this:
>
> header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
> meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)

Creative... However, a better and likely more comprehensible solution would be to add an if-unset constraint to the previous rule-set. :)

Adding [if-unset: @yahoo.com] at the end of the YH2 rule will prevent the match on a missing Reply-To header, by faking one in its absence.

Of course, there's also always the solution of adding another sub-rule to the meta that tests a header for existence.

  header __HAS_REPLY_TO exists:Reply-To

But that's just plain boring rules, no funky REs there. Sorry. ;)

guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [sa] Re: Bogus mails from hijacked accounts
On Fri, 2010-03-12 at 12:52 -0600, Dennis B. Hopp wrote:
>
> > The problem with this is that the !__FORGED_YH2 matches
> > when there is *NO* Reply-To header at all!
> >
> > You need something like this:
> >
> > header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
> > meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)
> >
> > (remove the negation from the meta)
> > This directly tests for an existing Reply-To specifically to a domain
> > that does not begin with 'yaho'.
>
> Wouldn't that meta rule trigger when the reply-to contained 'yaho'? I
> want to trigger when the from contains yahoo.com and the reply-to does
> not.

Nevermind..the '^' inside brackets negates..I get it now..
Re: [sa] Re: Bogus mails from hijacked accounts
> The problem with this is that the !__FORGED_YH2 matches
> when there is *NO* Reply-To header at all!
>
> You need something like this:
>
> header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
> meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)
>
> (remove the negation from the meta)
> This directly tests for an existing Reply-To specifically to a domain
> that does not begin with 'yaho'.

Wouldn't that meta rule trigger when the reply-to contained 'yaho'? I want to trigger when the from contains yahoo.com and the reply-to does not.

>
> However, keep in mind that the headers for *this* mailing list would
> trigger your rule. So you will also need to meta this with a rule that
> tests for yahoo mail server being the sending SMTP client
>

Good point. I didn't think about that..

--Dennis
Re: [sa] Re: Bogus mails from hijacked accounts
On Fri, 12 Mar 2010, Dennis B. Hopp wrote:
> describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
> header __FORGED_YH1 From =~ /\...@yahoo\.com/i
> header __FORGED_YH2 Reply-to =~ /\...@yahoo\.com/i
> meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)

The problem with this is that the !__FORGED_YH2 matches when there is *NO* Reply-To header at all!

You need something like this:

header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)

(remove the negation from the meta)
This directly tests for an existing Reply-To specifically to a domain that does not begin with 'yaho'.

However, keep in mind that the headers for *this* mailing list would trigger your rule. So you will also need to meta this with a rule that tests for yahoo mail server being the sending SMTP client

Gets tricky, doesn't it?

- C
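The following is an added example, not code posted by anyone in the thread and not a SpamAssassin rule file: a small Python model of the rule variants discussed above (Dennis's original `(__FORGED_YH1 && !__FORGED_YH2)` meta, Charles's negative-character-class regex, and Guenther's `[if-unset: @yahoo.com]` and `exists:Reply-To` alternatives), run over four constructed messages. The `header_match` helper imitates SpamAssassin's behaviour that a `header` rule on an absent header does not match unless an if-unset value is supplied; the pattern `@yahoo\.com` stands in for the archive-munged `/\...@yahoo\.com/i`, and the `sent_via_yahoo` guard (a crude check of the topmost Received header) is only an assumed illustration of Charles's closing caveat about the mailing list, not a tested production rule.

```python
"""Model of the FORGED_YAHOO rule variants from the thread (added example,
not code from the list).  All sample messages below are constructed."""
import re
from email import message_from_string
from email.policy import default

# Constructed sample messages (assumptions for this example, not real mail).
SAMPLES = {
    # Hijacked Yahoo account: From is @yahoo.com, scammer's Reply-To is not,
    # and the mail really did come in from a Yahoo server.
    "hijacked": (
        "Received: from web1.mail.yahoo.com (web1.mail.yahoo.com [203.0.113.5])"
        " by mx.example.org with ESMTP; Fri, 12 Mar 2010 12:00:00 -0500\n"
        "From: victim@yahoo.com\n"
        "Reply-To: attacker@example.net\n"
        "Subject: urgent\n\nPlease send money.\n"
    ),
    # Ordinary Yahoo mail with no Reply-To header at all.
    "no_reply_to": (
        "Received: from web1.mail.yahoo.com (web1.mail.yahoo.com [203.0.113.5])"
        " by mx.example.org with ESMTP; Fri, 12 Mar 2010 12:01:00 -0500\n"
        "From: friend@yahoo.com\n"
        "Subject: lunch?\n\nNoon works.\n"
    ),
    # A Yahoo user's post relayed by a mailing list that sets its own Reply-To.
    "list_post": (
        "Received: from lists.example.org (lists.example.org [198.51.100.7])"
        " by mx.example.org with ESMTP; Fri, 12 Mar 2010 12:02:00 -0500\n"
        "From: poster@yahoo.com\n"
        "Reply-To: users@lists.example.org\n"
        "Subject: [sa] rule question\n\nDoes this work?\n"
    ),
    # Yahoo mail whose Reply-To is also at Yahoo: nothing should fire.
    "yahoo_reply_to": (
        "Received: from web2.mail.yahoo.com (web2.mail.yahoo.com [203.0.113.6])"
        " by mx.example.org with ESMTP; Fri, 12 Mar 2010 12:03:00 -0500\n"
        "From: friend@yahoo.com\n"
        "Reply-To: friend@yahoo.com\n"
        "Subject: re: lunch?\n\nSee you there.\n"
    ),
}

YH1 = re.compile(r"@yahoo\.com", re.I)        # __FORGED_YH1: From =~ /@yahoo\.com/i
YH2 = re.compile(r"@yahoo\.com", re.I)        # __FORGED_YH2: Reply-To =~ /@yahoo\.com/i
YH2_NEG = re.compile(r"@([^y]|y[^a]|ya[^h]|yah[^o])", re.I)  # Charles's replacement


def header_match(msg, name, rx, if_unset=None):
    """Imitate `header NAME =~ /rx/ [if-unset: STRING]`: an absent header
    never matches unless an if-unset replacement value is supplied."""
    value = msg.get(name)
    if value is None:
        if if_unset is None:
            return False
        value = if_unset
    return rx.search(str(value)) is not None


def forged_original(msg):
    """meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2) as first posted."""
    return header_match(msg, "From", YH1) and not header_match(msg, "Reply-To", YH2)


def forged_negative_re(msg):
    """Charles's fix: require a Reply-To whose domain does not start 'yaho'."""
    return header_match(msg, "From", YH1) and header_match(msg, "Reply-To", YH2_NEG)


def forged_if_unset(msg):
    """Guenther's first fix: [if-unset: @yahoo.com] fakes a Yahoo Reply-To."""
    return header_match(msg, "From", YH1) and not header_match(
        msg, "Reply-To", YH2, if_unset="@yahoo.com")


def forged_exists(msg):
    """Guenther's second fix: AND in `header __HAS_REPLY_TO exists:Reply-To`."""
    has_reply_to = msg.get("Reply-To") is not None
    return (header_match(msg, "From", YH1) and has_reply_to
            and not header_match(msg, "Reply-To", YH2))


def sent_via_yahoo(msg):
    """Assumed guard for Charles's caveat: does the topmost Received header
    name a *.yahoo.com host as the sending SMTP client?  Illustrative only."""
    received = msg.get_all("Received") or []
    if not received:
        return False
    return re.search(r"^from\s+\S+\.yahoo\.com\b", str(received[0]), re.I) is not None


def evaluate(raw):
    """Run every rule variant over one raw message; returns variant -> bool."""
    msg = message_from_string(raw, policy=default)
    return {
        "original": forged_original(msg),
        "negative_re": forged_negative_re(msg),
        "if_unset": forged_if_unset(msg),
        "exists": forged_exists(msg),
        "via_yahoo": sent_via_yahoo(msg),
        "exists_and_via_yahoo": forged_exists(msg) and sent_via_yahoo(msg),
    }


def evaluate_all():
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:15s}", " ".join(f"{k}={int(v)}" for k, v in verdict.items()))
```

Running it shows the two points made in the thread: only the original meta fires on `no_reply_to`, because a non-matching absent header satisfies `!__FORGED_YH2`; and all three fixed variants still fire on `list_post`, which is the mailing-list false positive that the extra sending-server test is meant to suppress.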