Re: Regex Question - UCE
From: Adam Levin (alevin audible.com)
Date: Thu Apr 03 2003 - 15:18:43 CST
On Thu, 3 Apr 2003, Jim Trigg wrote:
> On Thu, Apr 03, 2003 at 10:01:52AM -0500, Jim Trigg wrote:
> > On Thu, Apr 03, 2003 at 09:48:50AM -0500, Adam Levin wrote:
> > > What I've been playing with is a (probably horribly inefficient) PCRE for
> > > a particular mail that came in that way. To match an HTML comment, I use
...
> > > /f(<![^>]+>)?o(<![^>]+>)?o(<![^>]+>)?b(<![^>]+>)?a(<![^>]+>)?r/
> > > Using backreferences might be the way to go, here, since that way you can
> > > match any line that contains more than one instance of a gibberish
> > > comment.
> >
> > One possibility I've considered is \w+<![^>]+>\w+<![^>]+>\w+ -- that will
> > catch any case of a single string of alphanumerics with at least two
> > embedded HTML comments, if I constructed it correctly.
>
> The comment I forgot to make is that since in the spam I've seen the
> comments are not all identical (just all comments), wildcards will
> work fine for this purpose.
That's good, though I don't think it'll catch lines where the comment
wraps to the next line, unless multi-line mode is enabled, which probably
makes it even more heinously inefficient. :) Is that even an option in
postfix? (I assume PCRE really means PCRE, in which case it should work.)

Still don't know what to do about that base64 encoding. We get some of
our people mailing small files back and forth, so I can't just block
encoded mail. Maybe I can search for both content-type as text/html and
then base64 -- any files sent should be octet-stream, right?
-Adam
Adam Levin, Senior Unix Systems Administrator | http://www.audible.com/
Audible, Inc. Cum catapultae proscriptae erunt tum
Wayne, NJ, 07470 soli proscripti catapultas habebunt
973-837-2797
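
The two open points in the message above (comments that wrap to the next line, and text/html sent as base64), worked through as an added example that is not part of the original thread. Python's `re` stands in for PCRE, the function names are hypothetical, the sample message is constructed, and `hits_per_line` assumes a filter that is handed one line at a time.

```python
import base64
import re
from email import message_from_string

# Pattern quoted in the thread: word characters with at least two embedded
# "<!...>" comments. [^>] also matches "\n", so a wrapped comment is caught
# only when the pattern is allowed to see more than one line.
SPLIT_WORD = re.compile(r"\w+<![^>]+>\w+<![^>]+>\w+")

def decoded_html_parts(raw):
    """Yield the text of each text/html part with base64/QP undone."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "latin-1"
            yield part.get_payload(decode=True).decode(charset, "replace")

def hits_per_line(text):
    """Matches seen by a filter that is handed one line at a time."""
    return [m.group(0) for line in text.splitlines()
            for m in SPLIT_WORD.finditer(line)]

def hits_whole_body(text):
    """Matches when the pattern may run across line breaks."""
    return [m.group(0) for m in SPLIT_WORD.finditer(text)]

def scan(raw):
    """Return (per-line hits, whole-body hits) for the decoded HTML parts."""
    per_line, whole = [], []
    for html in decoded_html_parts(raw):
        per_line += hits_per_line(html)
        whole += hits_whole_body(html)
    return per_line, whole

# Constructed sample: two words split by comments; one comment wraps.
HTML = "<html><body>c<!a>li<!b>ck f<!x1>o<!qz\nrt>o<!k>bar</body></html>\n"
RAW = ("From: sender@example.com\n"
       "Subject: constructed sample\n"
       "MIME-Version: 1.0\n"
       "Content-Type: text/html; charset=us-ascii\n"
       "Content-Transfer-Encoding: base64\n\n"
       + base64.encodebytes(HTML.encode("ascii")).decode("ascii"))

if __name__ == "__main__":
    per_line, whole = scan(RAW)
    print("raw body, undecoded:", hits_whole_body(RAW))
    print("decoded, per line:  ", per_line)
    print("decoded, whole body:", whole)
```

The undecoded base64 body yields no match at all, the per-line pass finds only the word whose comments sit on one line, and the whole-body pass over the decoded part finds both.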