Re: about some questions in PCRE used in body_checks

From: Bruce Cheng (etbrucegmail.com)
Date: Thu Nov 09 2006 - 04:16:20 CST


Hi Noel,

Thank you very much. That link is very useful.
By the way, is there any script that can be used on the Linux platform to
decode that CGI format?

I have some spam rules which sometimes don't work; would you please
advise me how to correct them?

Since I don't want this message to be quarantined as SPAM, I have
inserted some spaces within the links.

Thank you in advance.

1. All numbers {dot} org, some of them ending with "/"
# http:// nmnmokhk .to.8800.org/
# http:// xbgrt4 .at.7766.org
# http:// treyt4 .to.6600.org/

/.\d{4,}.org\/./ REJECT

2. # http:// www. s061027 .idv.tw/toy/
/.\S\d{4,}.idv.tw/ REJECT

3. # http:// 123-456 .net/ www.twyes-xxx.com
/\/123\-456.net/ REJECT

In this case, should I protect "-" with "/"? If I do this, it sometimes
works, but not always.

4. # http:// ehrdle. eciplery.net/?95958807
/\.(info|net|com)\/\?\d{6,}/ REJECT

5. # http://www. twgirl-vcd03 .com/ http://www. twgirl-dvd03 .com/
/.twgirl\-(vcd|dvd)\d\d.com/ REJECT

The same situation.

2006/11/9, Noel Jones <njonesmegan.vbhcs.org>:
> At 09:41 AM 11/8/2006, Bruce Cheng wrote:
> >Dear all,
> >
> >I have some doubts about using PCRE in body_checks. I am not sure
> >where I am wrong, so that it sometimes can reject the SPAMs but
> >sometimes can't.
> >The following is my configuration. Please help me; it has
> >confused me for a long time, and I made a lot of changes but still
> >can't figure out what happened.
> >
> ># grep body_checks /etc/postfix/main.cf
> >body_checks_size_limit = 204800
> >body_checks = pcre:/etc/postfix/conf/my_body_checks
> >
> ># more /etc/postfix/conf/my_body_checks
> >...
> >/61\.67\.214\.22\// REJECT
> >/\/natallwa\.info/ REJECT
> >/\/[0-9]\.xps\.to/ REJECT
> ># http://www.twgirl-vcd03.com/ http://www.twgirl-dvd03.com/
> >/\.twgirl\-(vcd|dvd)\d\d\.com\// REJECT
> >/\.avmai\d\d\d\d\.com/ REJECT
> >/\.quick\-sys\-to\-rich\.com/ REJECT
> >/\/*sexangel\.com\// REJECT
> >
> >I read some perl articles and read Ralf & Patrick's postfix (the great
> >book); it seems one should use "\d", "\s" and so on, and needs to
> >protect - . * / and so on. But it is very strange that it sometimes
> >works but not always.
> >
> >I thought it was due to "body_checks_size_limit", so I changed it
> >from the default value 51200 to 204800. Some messages are not
> >rejected at the smtp session but blocked in Spamassassin, and their
> >size is less than 51K.
> >
> >Would you please advise me how to do it?
> >
> >How should I set the rules to reject a link like the following?
> >These (the same link) happen more than 20 times per day; I don't
> >want to receive them and pass them to Spamassassin, I hope I can
> >reject them right away. And are there any tools to decode this CGI
> >link?
> >
> >http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b%2e%63%6f%2e%6a%70/%72%65%64%69%72%65%63%74?%72%64=%
> >68%74%74%70%3a%2f%2f%77%77%77%2e%64%76%64%31%30%30%6e%74%2e%63%6f%6d%2f%69%6e%64%65%78%2e%70%68%70%3f%6d%69%64%3d%6d%6
> >1%69%6c%65%72%38%38%38
> >
> >And from my test, postfix seems to parse this as normal
> >strings, doesn't it?
> >
> >Please advise me and thank you in advance.
>
> postfix body_checks and header_checks parse the literal
> content of the message, not the decoded part shown by your
> mail reader.
> To reject an encoded link, you must use an exact match in
> your body_checks expression. Also note that an encoded
> link may span several physical lines; postfix body_checks
> can only match one line.
> # body_checks
> ~http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b~
> REJECT unwanted link.
>
> There is a URL deobfuscator on dnsstuff.com that will
> decode the link.
>
> --
> Noel Jones

--
Best Regards,
Bruce Cheng
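The decoder Bruce asks for, together with an emulation of Noel's point that body_checks matches each raw, still-encoded physical line on its own. This is an added example, not Postfix code and not from the thread; the rule parser is a simplified stand-in for Postfix's pcre table syntax (no flags, every rule case-insensitive as Postfix defaults to), and the sample body is constructed from the encoded link quoted above, wrapped exactly as it appears there.

```python
import re
from urllib.parse import unquote

# Constructed sample: the encoded redirect link quoted in the thread, as the
# three physical lines Postfix would see (the wrap even splits "%68" and "%61").
BODY_LINES = [
    "http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b%2e%63%6f%2e%6a%70/%72%65%64%69%72%65%63%74?%72%64=%",
    "68%74%74%70%3a%2f%2f%77%77%77%2e%64%76%64%31%30%30%6e%74%2e%63%6f%6d%2f%69%6e%64%65%78%2e%70%68%70%3f%6d%69%64%3d%6d%6",
    "1%69%6c%65%72%38%38%38",
]

# Noel's rule from the reply: it targets the still-encoded start of the link.
NOEL_RULE = ("~http://%73%65%61%72%63%68%2e%77%77%77%2e%69%6e%66%6f%73%65%65%6b~"
             " REJECT unwanted link.")

def decode_link(lines):
    """The 'CGI format' decoder asked for: rejoin the wrapped lines and
    percent-decode them (urllib.parse.unquote does the %XX expansion)."""
    return unquote("".join(line.strip() for line in lines))

def parse_rule(text):
    """Simplified pcre-table rule parser (a stand-in, not Postfix's own):
    the pattern sits between a pair of identical non-alphanumeric
    delimiters (/ or ~), followed by the action text. Flags are ignored."""
    delim = text[0]
    end = text.index(delim, 1)
    return text[1:end], text[end + 1:].strip()

def check_body(lines, rules):
    """Apply the rules to one physical line at a time, as body_checks does.
    Returns (line_number, action) of the first hit, or None. Postfix pcre
    tables are case-insensitive by default, hence IGNORECASE."""
    compiled = [(re.compile(p, re.IGNORECASE), a) for p, a in map(parse_rule, rules)]
    for n, line in enumerate(lines, 1):
        for pattern, action in compiled:
            if pattern.search(line):
                return n, action
    return None

if __name__ == "__main__":
    print(decode_link(BODY_LINES))
    # Hit on line 1: the rule matches the encoded text Postfix actually sees.
    print(check_body(BODY_LINES, [NOEL_RULE]))
    # No hit: the raw body never contains the decoded hostname.
    print(check_body(BODY_LINES, [r"/infoseek\.co\.jp/ REJECT decoded form"]))
    # No hit: "%72%64=%68" is cut in two by the wrap between lines 1 and 2.
    print(check_body(BODY_LINES, [r"/%72%64=%68%74%74%70/ REJECT spans wrap"]))
```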