On Tue, 31 Jan 2017, Zinski, Steve wrote:

Here’s the “view source” of the message in question.

http://pastebin.com/AnwkAf9t

Again, it’s line 88 that I’m trying to match.

...let's try this again...

A uri rule hits that here:

Jan 31 09:21:07.423 [21842] dbg: rules: ran uri rule __ALL_URI ======> got hit: 
"http://trc.spam_domain_redacted.com/redirect.php?email=redac...@uronline.net";

It also hits an existing rule:

Jan 31 09:21:07.525 [21842] dbg: rules: ran rawbody rule __BUGGED_IMG ======> got hit: 
"<img src="http://trc.spam_domain_redacted.com/redirect.php?email=re";


On 1/31/17, 11:36 AM, "John Hardin" <jhar...@impsec.org> wrote:

   On Tue, 31 Jan 2017, Zinski, Steve wrote:

   > I’m trying to write a custom rule to block a certain type of spam. When I 
   > view the message source, the very last lines of the spam look like this:
   >
   > </table>
   > <DEFANGED_IMG 
   > src="http://trc.spammersdomain.com/redirect.php?email=redac...@richmond.edu";>
   > </body>
   > </html>
   >
   > Every single rule that I’ve written fails to detect that redirect.php URI. 
   > I’ve even tried a rule that simply reads:
   >
   > Full          my_rule                 /redirect/is
   > Score      my_rule                 10.0
   >
   > No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve 
   > even shortened the search string to “redi” (it’s a unique word) and still no 
   > match. I’ve been writing rules for many years and this is the first time I’ve seen 
   > this behavior. Any ideas?

   If you have a rule dev environment (vs. testing rules in your live
   install) I've found something like this to be really useful:

        uri     __ALL_URI   /.*/
        tflags  __ALL_URI   multiple

   Then all the detected URIs appear in the rule hits debug output.

   Post the full email on Pastebin or similar, we can't meaningfully comment
   on what you provided beyond "uri *should* work for that".

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Tomorrow: the 14th anniversary of the loss of STS-107 Columbia
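As an added illustration (not part of the thread above, and not John's or Steve's rule file), here is a local.cf-style fragment that combines the __ALL_URI debug helper John suggests with a scored uri rule for the redirect.php?email= pattern from the debug output, and a meta rule that ties it to the stock __BUGGED_IMG subrule that already fires. The rule names LOCAL_REDIRECT_EMAIL_URI and LOCAL_REDIRECT_BUGGED_IMG and the scores are placeholders chosen for this example.

```conf
# Added example, not from the thread. Rule names and scores are placeholders.

# Debug-only helper (John's suggestion): matches every extracted URI, and
# "tflags multiple" makes it fire once per URI, so each one shows up in
# "spamassassin -D rules" output as
#   dbg: rules: ran uri rule __ALL_URI ======> got hit: "..."
# Leading "__" marks it as a subrule, so it carries no score.
uri     __ALL_URI   /.*/
tflags  __ALL_URI   multiple

# Match the tracking redirect seen in the debug output: a redirect.php URI
# carrying an email= parameter. Regex metacharacters are escaped and the
# "i" flag makes the match case-insensitive. uri rules are tested against
# the URIs SpamAssassin extracts from the body, query string included.
uri      LOCAL_REDIRECT_EMAIL_URI  /\/redirect\.php\?email=/i
describe LOCAL_REDIRECT_EMAIL_URI  Redirect URI carrying an email address parameter
score    LOCAL_REDIRECT_EMAIL_URI  3.0

# Add weight only when the stock __BUGGED_IMG rawbody subrule (an img tag
# whose src is such a URI, as in the thread's second debug hit) also fires.
meta     LOCAL_REDIRECT_BUGGED_IMG  LOCAL_REDIRECT_EMAIL_URI && __BUGGED_IMG
describe LOCAL_REDIRECT_BUGGED_IMG  Tracking image pointing at an email-tagged redirect
score    LOCAL_REDIRECT_BUGGED_IMG  2.0
```

Check the file with `spamassassin --lint`, then run the saved message through `spamassassin -D rules < message.eml 2>&1 | grep 'got hit'` to see which rule types actually see the URI; a uri hit from __ALL_URI with no hit from the scored rule points at the regex, while no __ALL_URI hit at all points at the message the rules are being fed (for instance a copy in which the tag has already been rewritten to DEFANGED_IMG).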
