RE: Fishing
Loren Wilton wrote:
> > Correction! That should be:
> >
> > /htt(p|ps):\/\/.*?\/.*\.com$/i
> >
> > and slightly more efficient (doesn't capture backreference):
> >
> > /htt(?:p|ps):\/\/.*?\/.*\.com$/i
>
> Or maybe more simply and readably:
>
> m'https?://.*/.*\.com$'i
>
> But the .* things really should stop on something reasonable like >
> or \s or the like. Otherwise you will get hits on
>
> http://my/furball.org which is a dot.com

Or maybe just disallow whitespace:

m'https?://\S*/\S*\.com$'i

--
Bowie
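The patterns posted in this thread, run side by side against a few sample strings. This is an added example, not part of any poster's message: Python's re module stands in for Perl, and the pattern names, sample names and example.* hosts are constructed for the illustration.

```python
import re

# Patterns as posted in the thread, transcribed for Python's re module
# (Perl delimiters and \/ escapes dropped, the /i flag becomes re.I).
PATTERNS = {
    "char_class":  r"htt[p|ps]://.*?/.*\.com$",    # first attempt
    "alternation": r"htt(?:p|ps)://.*?/.*\.com$",  # the correction
    "optional_s":  r"https?://.*/.*\.com$",        # simplified form
    "no_space":    r"https?://\S*/\S*\.com$",      # whitespace disallowed
    "exe_scr":     r"\.(?:exe|scr)$",              # EXECUTABLE_LINK rule
}

# Constructed inputs; the names and example.* hosts are assumptions.
SAMPLES = {
    "http_com":    "http://example.net/files/update.com",
    "https_com":   "https://example.net/files/update.com",
    "bare_domain": "http://example.com",
    "prose":       "http://my/furball.org which is a dot.com",
    "exe":         "http://example.net/files/Setup.EXE",
    "php":         "http://example.net/download.php",
    "redirect":    "http://example.org/r?u=http://example.com",
}

def hits(text):
    """Return the names of the patterns that match text, sorted."""
    return sorted(n for n, p in PATTERNS.items() if re.search(p, text, re.I))

def report():
    """Map each sample name to the list of patterns that fire on it."""
    return {name: hits(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, matched in report().items():
        print(f"{name:12} {SAMPLES[name]:45} {', '.join(matched) or '-'}")
```

Because [p|ps] is a character class, char_class misses the https link, and no_space is the only .com pattern that stays quiet on the prose line. Every .com pattern still fires on the redirect sample, where .com ends a host name inside a query string rather than a file name.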
Re: Fishing
On 2006-09-13, Fábio Gomes <[EMAIL PROTECTED]> wrote:
> I didn't mean removing EXE attachments, but blocking/high scoring messages
> with links to executables in its body.
>
> Is it possible?

I would think it would be a little tricky, as the filter would have to follow the link to determine if it is in fact an executable vs just text. You could simply filter such messages to a quarantine area, and/or configure your mail client to not run executables by default, if it isn't already.

--
John ([EMAIL PROTECTED])
Re: Fishing
On Wednesday 13 September 2006 18:00, [EMAIL PROTECTED] wrote:
> >> Bill Randle wrote:
> >> > Amavisd-new will also drop attachments with a configurable list
> >> > of file extensions, but the question referred to links to exe's,
> >> > not actual exe attachments.
> >>
> >> Good point -- everyone's primed to think of attachments, it seems.
> >>
> >> Here's a stab at it: set up a URI rule.
> >>
> >> uri EXECUTABLE_LINK /\.(?:exe|scr)$/i
> >> describe EXECUTABLE_LINK Links to an executable file
> >> score EXECUTABLE_LINK 10
> >>
> >> Just a starting place, mind you -- you may want to make it more or less
> >> specific. And there may still be the occasional site running a binary
> >> CGI on Windows, such that the server will execute the EXE and output
> >> HTML, not offer the EXE for download.
>
> A .scr probably would not be used as a cgi...
>
> the other way round - it is very easy to create a php that offers an exe
> for download So just scoring direct .exe links might cause the bad guys
> to produce "better" download links
>

I'm receiving lots of spams with bare links these days. Links to downloads using php are more rare. I don't mind if I'm going to block some cgi's (although that could be a problem in the future), but right now I need to stop those nasty fishings.

I appreciate all the help I'm receiving. I find SA list very responsive.

Thank you all.
Re: Fishing
Correction! That should be:

/htt(p|ps):\/\/.*?\/.*\.com$/i

and slightly more efficient (doesn't capture backreference):

/htt(?:p|ps):\/\/.*?\/.*\.com$/i

Or maybe more simply and readably:

m'https?://.*/.*\.com$'i

But the .* things really should stop on something reasonable like > or \s or the like. Otherwise you will get hits on

http://my/furball.org which is a dot.com

Loren
Re: Fishing
On Wed, September 13, 2006 20:48, Fábio Gomes wrote:
> I didn't mean removing EXE attachments, but blocking/high scoring messages
> with links to executables in its body.
>
> Is it possible?

perldoc Mail::SpamAssassin::Plugin::AntiVirus

>> Or - if you are using procmail:
>> #Delete all messages with exe attachments
>>
>> :0
>> * ^content-type: application/octet-stream
>> /dev/null

this will create false positive ! and your mail will be lost to show evidences

--
"This message was sent using 100% recycled spam mails."
Re: Fishing
> Steve Thomas wrote:
>
>>/htt(?:p|ps):\/\/.*?\/.*\.com$/i
>>
>
> Why not /https?:\/\/.*?\/.*\.com$/i

Because I always forget that the question mark can be used that way, and if I can't seem to remember it, nobody else gets to use it! That's why.

:)

Nice catch.

Steve "atrophying perl skills" Thomas
Re: Fishing
On 13 Sep 2006 [EMAIL PROTECTED] wrote:
> the other way round - it is very easy to create a php that offers
> an exe for download So just scoring direct .exe links might
> cause the bad guys to produce "better" download links

True. As I said in an earlier post, scoring on bare executable URIs is a low-hanging-fruit test.

Past that we stray into the realm of trying to analyze the URI vs. the displayed link text to see if it looks like it is an attempt to mask a hostile URI with a superficially trustworthy URI. Which has been discussed here before.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 The difference is that Unix has had thirty years of technical
 types demanding basic functionality of it. And the Macintosh has
 had fifteen years of interface fascist users shaping its progress.
 Windows has the hairpin turns of the Microsoft marketing machine
 and that's all.    -- Red Drag Diva
---
 4 days until The 219th anniversary of the signing of the U.S. Constitution
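One way to compare a link's target with its displayed text, as mentioned in the message above. This is an added example, not code from the thread or from SpamAssassin; the class and function names, the URL-like-text heuristic and the sample body are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a host name or URL; group 1 is the host.
URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I)

class LinkAudit(HTMLParser):
    """Collect (shown_text, real_host) for anchors whose text names another host."""

    def __init__(self):
        super().__init__()
        self.href = None      # href of the <a> currently open, if any
        self.text = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href")
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        real = (urlsplit(self.href).hostname or "").lower()
        m = URLISH.match(shown)
        # Exact host comparison: strict, so www.example.org vs example.org
        # is also reported and needs whitelisting or domain-level matching.
        if m and real and m.group(1).lower() != real:
            self.findings.append((shown, real))
        self.href = None

def audit(html):
    """Return the list of mismatching (shown_text, real_host) pairs."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed message body (documentation names and addresses only).
SAMPLE = """<p>Please verify: <a href="http://203.0.113.7/update.exe">
www.example-bank.com</a> or read <a href="http://www.example.org/news">
www.example.org</a>, or <a href="http://example.net/x">click here</a>.</p>"""
```

Only the first link in SAMPLE is reported: its text names one host while the href points at another. Links whose text is not URL-like, such as "click here", are ignored by this check.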
Re: Fishing
Visit Wiki. Look for ClamAVPlugin. To save you some effort:
http://wiki.apache.org/spamassassin/ClamAVPlugin

This uses ClamAV as a scanner for virus laden email.

SpamAssassin NEVER blocks email. You probably can, however, set up a simple filter for .exe etc in your MDA. You certainly can do it with procmail, for example. I found it more hassle than it was worth.

{^_^}

- Original Message -
From: "Fábio Gomes" <[EMAIL PROTECTED]>

Hi list,

Is there any way to block messages with links to executables like *.exe, *.com and *.scr?

Best Regards,
Fábio Gomes
Re: Fishing
Steve Thomas wrote:
> /htt(?:p|ps):\/\/.*?\/.*\.com$/i

Why not

/https?:\/\/.*?\/.*\.com$/i

?
Re: Fishing
>>
>> Bill Randle wrote:
>> > Amavisd-new will also drop attachments with a configurable list
>> > of file extensions, but the question referred to links to exe's,
>> > not actual exe attachments.
>>
>> Good point -- everyone's primed to think of attachments, it seems.
>>
>> Here's a stab at it: set up a URI rule.
>>
>> uri EXECUTABLE_LINK /\.(?:exe|scr)$/i
>> describe EXECUTABLE_LINK Links to an executable file
>> score EXECUTABLE_LINK 10
>>
>> Just a starting place, mind you -- you may want to make it more or less
>> specific. And there may still be the occasional site running a binary
>> CGI on Windows, such that the server will execute the EXE and output
>> HTML, not offer the EXE for download.

A .scr probably would not be used as a cgi...

the other way round - it is very easy to create a php that offers an exe for download So just scoring direct .exe links might cause the bad guys to produce "better" download links

Wolfgang Hamann

>>
>> .com will, of course, be a challenge.
>>
>> --
>> Kelson Vibber
>> SpeedGate Communications
>>
Re: Fishing
>> .com will, of course, be a challenge.
>
> /htt[p|ps]:\/\/.*?\/.*\.com$/i

Correction! That should be:

/htt(p|ps):\/\/.*?\/.*\.com$/i

and slightly more efficient (doesn't capture backreference):

/htt(?:p|ps):\/\/.*?\/.*\.com$/i
Re: Fishing
> .com will, of course, be a challenge.

/htt[p|ps]:\/\/.*?\/.*\.com$/i
Re: Fishing
On Wed, 13 Sep 2006, Fábio Gomes wrote:
> Is there any way to block messages with links to executables like
> *.exe, *.com and *.scr?

I will be adding that to my email security tool this week.

http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 The difference is that Unix has had thirty years of technical
 types demanding basic functionality of it. And the Macintosh has
 had fifteen years of interface fascist users shaping its progress.
 Windows has the hairpin turns of the Microsoft marketing machine
 and that's all.    -- Red Drag Diva
---
 4 days until The 219th anniversary of the signing of the U.S. Constitution
Re: Fishing
Bill Randle wrote:
> Amavisd-new will also drop attachments with a configurable list
> of file extensions, but the question referred to links to exe's,
> not actual exe attachments.

Good point -- everyone's primed to think of attachments, it seems.

Here's a stab at it: set up a URI rule.

uri EXECUTABLE_LINK /\.(?:exe|scr)$/i
describe EXECUTABLE_LINK Links to an executable file
score EXECUTABLE_LINK 10

Just a starting place, mind you -- you may want to make it more or less specific. And there may still be the occasional site running a binary CGI on Windows, such that the server will execute the EXE and output HTML, not offer the EXE for download.

.com will, of course, be a challenge.

--
Kelson Vibber
SpeedGate Communications
Re: Fishing
> At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=>
>>Fábio Gomes wrote:
>> > Hi list,
>> >
>> > Is there any way to block messages with links to executables like *.exe,
>> > *.com and *.scr?
>> >
>>
>> If you are using Postfix as your MTA, this isn't hard to do at all.
>
> Or - if you are using procmail:
>
> #Delete all messages with exe attachments
> :0
> * ^content-type: application/octet-stream
> /dev/null

Amavisd-new will also drop attachments with a configurable list of file extensions, but the question referred to links to exe's, not actual exe attachments.

-Bill
Re: Fishing
I didn't mean removing EXE attachments, but blocking/high scoring messages with links to executables in its body.

Is it possible?

BTW, I'm using qmail.

Regards,
Fábio Gomes

On Wednesday 13 September 2006 15:34, Ed Kasky wrote:
> At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=>
>
> >Fábio Gomes wrote:
> > > Hi list,
> > >
> > > Is there any way to block messages with links to executables like *.exe,
> > > *.com and *.scr?
> > >
> > > Best Regards,
> > > Fábio Gomes
> >
> > If you are using Postfix as your MTA, this isn't hard to do at all.
>
> Or - if you are using procmail:
>
> #Delete all messages with exe attachments
>
> :0
> * ^content-type: application/octet-stream
> /dev/null
>
> Ed Kasky
> ~
> Randomly Generated Quote (461 of 511):
> The truth is a precious commodity. That's why I use it so sparingly.
> - Mark Twain
Re: Fishing
At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=>
>Fábio Gomes wrote:
> > Hi list,
> >
> > Is there any way to block messages with links to executables like *.exe,
> > *.com and *.scr?
> >
> > Best Regards,
> > Fábio Gomes
>
> If you are using Postfix as your MTA, this isn't hard to do at all.

Or - if you are using procmail:

#Delete all messages with exe attachments
:0
* ^content-type: application/octet-stream
/dev/null

Ed Kasky
~
Randomly Generated Quote (461 of 511):
The truth is a precious commodity. That's why I use it so sparingly.
- Mark Twain
Re: Fishing
At 11:09 AM 9/13/2006, you wrote:
> Hi list,
>
> Is there any way to block messages with links to executables like *.exe, *.com and *.scr?

Not with SpamAssassin, but possibly with whatever MUA you have.
Re: Fishing
Fábio Gomes wrote:
> Hi list,
>
> Is there any way to block messages with links to executables like
> *.exe, *.com and *.scr?
>
> Best Regards,
> Fábio Gomes

If you are using Postfix as your MTA, this isn't hard to do at all.

--
-- Michel Vaillancourt
Wolfstar Systems
Fishing
Hi list,

Is there any way to block messages with links to executables like *.exe, *.com and *.scr?

Best Regards,
Fábio Gomes