RE: Fishing

2006-09-14 Thread Bowie Bailey
Loren Wilton wrote:
> > Correction! That should be:
> > 
> > /htt(p|ps):\/\/.*?\/.*\.com$/i
> > 
> > and slightly more efficient (doesn't capture backreference):
> > 
> > /htt(?:p|ps):\/\/.*?\/.*\.com$/i
> 
> Or maybe more simply and readably:
> 
> m'https?://.*/.*\.com$'i
> 
> But the .* things really should stop on something reasonable like >
> or \s or the like.  Otherwise you will get hits on
> 
> http://my/furball.org which is a dot.com

Or maybe just disallow whitespace:

m'https?://\S*/\S*\.com$'i

-- 
Bowie
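
The patterns proposed across this thread, run side by side on constructed inputs (an added example, not part of any poster's message). It uses Python's `re` in place of Perl, on the assumption that these particular constructs behave the same in both engines; the sample strings and the names `PATTERNS`, `SAMPLES` and `hits` are made up for the illustration.

```python
import re

# Patterns quoted from the thread, with Perl delimiters and escaped
# slashes removed. All are applied case-insensitively, as in the posts.
PATTERNS = {
    "char_class": r"htt[p|ps]://.*?/.*\.com$",   # first attempt
    "dot_star":   r"https?://.*/.*\.com$",       # simpler, readable form
    "no_space":   r"https?://\S*/\S*\.com$",     # whitespace disallowed
    "exe_scr":    r"\.(?:exe|scr)$",             # EXECUTABLE_LINK rule
}

# Constructed sample inputs (not taken from real mail).
SAMPLES = {
    "com_file":     "http://host.example/files/setup.com",
    "https_com":    "https://host.example/a.com",
    "bare_domain":  "http://www.example.com",
    "domain_slash": "http://www.example.com/",
    "prose_tail":   "http://my/furball.org which is a dot.com",
    "exe_file":     "http://host.example/files/setup.exe",
    "php_download": "http://host.example/get.php?file=setup",
}


def hits(pattern_name):
    """Return the sorted names of the samples the named pattern matches."""
    rx = re.compile(PATTERNS[pattern_name], re.IGNORECASE)
    return sorted(name for name, text in SAMPLES.items() if rx.search(text))


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:11s} {hits(name)}")
```

`hits("char_class")` misses the https link because `[p|ps]` is a character class that matches a single character, and none of the patterns match the PHP download link raised elsewhere in the thread.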


Re: Fishing

2006-09-14 Thread John Thompson
On 2006-09-13, Fábio Gomes <[EMAIL PROTECTED]> wrote:

> I didn't mean removing EXE attachments, but blocking/high scoring messages 
> with links to executables in its body.
>
> Is it possible?

I would think it would be a little tricky, as the filter would have to 
follow the link to determine if it is in fact an executable vs just 
text. 

You could simply filter such messages to a quarantine area, and/or 
configure your mail client to not run executables by default, if it 
isn't already.

-- 

John ([EMAIL PROTECTED])



Re: Fishing

2006-09-14 Thread Fábio Gomes
On Wednesday 13 September 2006 18:00, [EMAIL PROTECTED] wrote:
> >> Bill Randle wrote:
> >> > Amavisd-new will also drop attachments with a configurable list
> >> > of file extensions, but the question referred to links to exe's,
> >> > not actual exe attachments.
> >>
> >> Good point -- everyone's primed to think of attachments, it seems.
> >>
> >> Here's a stab at it: set up a URI rule.
> >>
> >> uri       EXECUTABLE_LINK  /\.(?:exe|scr)$/i
> >> describe  EXECUTABLE_LINK  Links to an executable file
> >> score     EXECUTABLE_LINK  10
> >>
> >> Just a starting place, mind you -- you may want to make it more or less
> >> specific.  And there may still be the occasional site running a binary
> >> CGI on Windows, such that the server will execute the EXE and output
> >> HTML, not offer the EXE for download.
>
> A .scr probably would not be used as a cgi...
>
> the other way round - it is very easy to create a php that offers an exe
> for download. So just scoring direct .exe links might cause the bad guys
> to produce "better" download links
>


I'm receiving lots of spams with bare links these days. Links to downloads
using php are more rare. I don't mind if I'm going to block some cgi's
(although that could be a problem in the future), but right now I need to
stop those nasty fishings.

I appreciate all the help I'm receiving. I find SA list very responsive.
Thank you all.


Re: Fishing

2006-09-14 Thread Loren Wilton

> Correction! That should be:
>
> /htt(p|ps):\/\/.*?\/.*\.com$/i
>
> and slightly more efficient (doesn't capture backreference):
>
> /htt(?:p|ps):\/\/.*?\/.*\.com$/i


Or maybe more simply and readably:

   m'https?://.*/.*\.com$'i

But the .* things really should stop on something reasonable like > or \s or 
the like.  Otherwise you will get hits on


   http://my/furball.org which is a dot.com


   Loren




Re: Fishing

2006-09-14 Thread Benny Pedersen
On Wed, September 13, 2006 20:48, Fábio Gomes wrote:
> I didn't mean removing EXE attachments, but blocking/high scoring messages
> with links to executables in its body.
>
> Is it possible?

perldoc Mail::SpamAssassin::Plugin::AntiVirus

>> Or - if you are using procmail:
>> #Delete all messages with exe attachments
>>
>> :0
>> * ^content-type: application/octet-stream
>> /dev/null

this will create false positive !

and your mail will be lost to show evidence

-- 
"This message was sent using 100% recycled spam mails."



Re: Fishing

2006-09-13 Thread Steve Thomas
> Steve Thomas wrote:
>
>>/htt(?:p|ps):\/\/.*?\/.*\.com$/i
>>
>
> Why not /https?:\/\/.*?\/.*\.com$/i

Because I always forget that the question mark can be used that way, and
if I can't seem to remember it, nobody else gets to use it! That's why. :)

Nice catch.

Steve "atrophying perl skills" Thomas




Re: Fishing

2006-09-13 Thread John D. Hardin
On 13 Sep 2006 [EMAIL PROTECTED] wrote:

> the other way round - it is very easy to create a php that offers
> an exe for download. So just scoring direct .exe links might
> cause the bad guys to produce "better" download links

True. As I said in an earlier post, scoring on bare executable URIs is
a low-hanging-fruit test.

Past that we stray into the realm of trying to analyze the URI vs. the
displayed link text to see if it looks like it is an attempt to mask a
hostile URI with a superficially trustworthy URI. Which has been
discussed here before.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference is that Unix has had thirty years of technical
  types demanding basic functionality of it. And the Macintosh has
  had fifteen years of interface fascist users shaping its progress.
  Windows has the hairpin turns of the Microsoft marketing machine
  and that's all.    -- Red Drag Diva
---
 4 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Fishing

2006-09-13 Thread jdow

Visit Wiki. Look for ClamAVPlugin. To save you some effort:
http://wiki.apache.org/spamassassin/ClamAVPlugin

This uses ClamAV as a scanner for virus laden email.

SpamAssassin NEVER blocks email. You probably can, however, setup a
simple filter for .exe etc in your MDA. You certainly can do it with
procmail, for example. I found it more hassle than it was worth.

{^_^}
- Original Message - 
From: "Fábio Gomes" <[EMAIL PROTECTED]>



Hi list,

Is there any way to block messages with links to executables like *.exe,
*.com and *.scr?

Best Regards,
Fábio Gomes 



Re: Fishing

2006-09-13 Thread Andreas Pettersson

Steve Thomas wrote:

> /htt(?:p|ps):\/\/.*?\/.*\.com$/i

Why not /https?:\/\/.*?\/.*\.com$/i
?



Re: Fishing

2006-09-13 Thread hamann . w
>> 
>> Bill Randle wrote:
>> > Amavisd-new will also drop attachments with a configurable list
>> > of file extensions, but the question referred to links to exe's,
>> > not actual exe attachments.
>> 
>> Good point -- everyone's primed to think of attachments, it seems.
>> 
>> Here's a stab at it: set up a URI rule.
>> 
>> uri       EXECUTABLE_LINK  /\.(?:exe|scr)$/i
>> describe  EXECUTABLE_LINK  Links to an executable file
>> score     EXECUTABLE_LINK  10
>> 
>> Just a starting place, mind you -- you may want to make it more or less 
>> specific.  And there may still be the occasional site running a binary 
>> CGI on Windows, such that the server will execute the EXE and output 
>> HTML, not offer the EXE for download.

A .scr probably would not be used as a cgi...

the other way round - it is very easy to create a php that offers an exe for
download.
So just scoring direct .exe links might cause the bad guys to produce "better"
download links

Wolfgang Hamann

>> 
>> .com will, of course, be a challenge.
>> 
>> -- 
>> Kelson Vibber
>> SpeedGate Communications 
>> 






Re: Fishing

2006-09-13 Thread Steve Thomas
>> .com will, of course, be a challenge.
>
> /htt[p|ps]:\/\/.*?\/.*\.com$/i

Correction! That should be:

/htt(p|ps):\/\/.*?\/.*\.com$/i

and slightly more efficient (doesn't capture backreference):

/htt(?:p|ps):\/\/.*?\/.*\.com$/i





Re: Fishing

2006-09-13 Thread Steve Thomas
> .com will, of course, be a challenge.

/htt[p|ps]:\/\/.*?\/.*\.com$/i





Re: Fishing

2006-09-13 Thread John D. Hardin
On Wed, 13 Sep 2006, Fábio Gomes wrote:

>   Is there any way to block messages with links to executables like
> *.exe, *.com and *.scr?

I will be adding that to my email security tool this week.

http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



Re: Fishing

2006-09-13 Thread Kelson

Bill Randle wrote:

> Amavisd-new will also drop attachments with a configurable list
> of file extensions, but the question referred to links to exe's,
> not actual exe attachments.


Good point -- everyone's primed to think of attachments, it seems.

Here's a stab at it: set up a URI rule.

uri       EXECUTABLE_LINK  /\.(?:exe|scr)$/i
describe  EXECUTABLE_LINK  Links to an executable file
score     EXECUTABLE_LINK  10

Just a starting place, mind you -- you may want to make it more or less 
specific.  And there may still be the occasional site running a binary 
CGI on Windows, such that the server will execute the EXE and output 
HTML, not offer the EXE for download.


.com will, of course, be a challenge.

--
Kelson Vibber
SpeedGate Communications 


Re: Fishing

2006-09-13 Thread Bill Randle

> At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=>
>>Fábio Gomes wrote:
>> > Hi list,
>> >
>> >   Is there any way to block messages with links to executables like
>> > *.exe, *.com and *.scr?
>> >
>>
>> If you are using Postfix as your MTA, this isn't hard to do at
>> all.
>
> Or - if you are using procmail:
>
> #Delete all messages with exe attachments
> :0
> * ^content-type: application/octet-stream
> /dev/null

Amavisd-new will also drop attachments with a configurable list
of file extensions, but the question referred to links to exe's,
not actual exe attachments.

-Bill



-- 



Re: Fishing

2006-09-13 Thread Fábio Gomes
I didn't mean removing EXE attachments, but blocking/high scoring messages 
with links to executables in its body.

Is it possible?

BTW, I'm using qmail.

Regards,
Fábio Gomes

On Wednesday 13 September 2006 15:34, Ed Kasky wrote:
> At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=>
>
> >Fábio Gomes wrote:
> > > Hi list,
> > >
> > >   Is there any way to block messages with links to executables like
> > > *.exe, *.com and *.scr?
> > >
> > >   Best Regards,
> > >   Fábio Gomes
> >
> > If you are using Postfix as your MTA, this isn't hard to do at
> > all.
>
> Or - if you are using procmail:
>
> #Delete all messages with exe attachments
> :0
> * ^content-type: application/octet-stream
> /dev/null
>
> Ed Kasky
> ~
> Randomly Generated Quote (461 of 511):
> The truth is a precious commodity. That's why I use it so sparingly.
> - Mark Twain


Re: Fishing

2006-09-13 Thread Ed Kasky

At 11:10 AM Wednesday, 9/13/2006, Michel Vaillancourt wrote -=>

>Fábio Gomes wrote:
> > Hi list,
> >
> >   Is there any way to block messages with links to executables like
> > *.exe, *.com and *.scr?
> >
> >   Best Regards,
> >   Fábio Gomes
>
> If you are using Postfix as your MTA, this isn't hard to do at all.


Or - if you are using procmail:

#Delete all messages with exe attachments
:0
* ^content-type: application/octet-stream
/dev/null

Ed Kasky
~
Randomly Generated Quote (461 of 511):
The truth is a precious commodity. That's why I use it so sparingly.
- Mark Twain



Re: Fishing

2006-09-13 Thread Evan Platt

At 11:09 AM 9/13/2006, you wrote:

> Hi list,
>
> Is there any way to block messages with links to executables like
> *.exe, *.com and *.scr?


Not with SpamAssassin, but possibly with whatever MUA you have. 





Re: Fishing

2006-09-13 Thread Michel Vaillancourt
Fábio Gomes wrote:
> Hi list,
> 
>   Is there any way to block messages with links to executables like
> *.exe, *.com and *.scr?
> 
>   Best Regards,
>   Fábio Gomes

If you are using Postfix as your MTA, this isn't hard to do at all.

-- 
-- Michel Vaillancourt
Wolfstar Systems




Fishing

2006-09-13 Thread Fábio Gomes
Hi list,

Is there any way to block messages with links to executables like
*.exe, *.com and *.scr?

Best Regards,
Fábio Gomes