advanced regexing - ORF Forums


1

oh hey this is the 500th post, cool

anyway, i have an issue with several emails getting thru from hacked aol/yahoo accounts

all are in the format of:

line 1: random greeting from a list
line 2: random sentence saying how good the spam is
line 3: spam url
line 4: random closing from a list

example:
Hola friend!
hello this is1 fortune knocking at your door literally don't ignore this
http://vincedaddy.com/profile/68PhilipMurray/
c ya

so - is there a way to block any url on the 3rd line of a body?

the lengths of the lines are always similar, that is short, long, url, short

i have noticed that 75% of them do have /profile/##CapsLetter/ like that, maybe it's best to just key off of the url format?

by Bryon 7 years ago
2

@Bryon: building a complex regex against this type of spam is unnecessary: the URL in the body is listed in at least one of the recommended URL blacklists (uribl.com, I did not check the others), so ORF is able to block this automatically.

Please make sure you have the URL Blacklist test enabled (Administration Tool: Configuration / Tests / Tests) and that you have the recommended URL Blacklists enabled (Configuration / Filtering - On Arrival / URL Blacklists, you should have Spamhaus DBL, SURBL: Combined, and uribl.com enabled), see our best practices guide at http://www.vamsoft.com/downloads/getmostguide.pdf. Finally, save your settings by pressing Ctrl + S to apply the changes.

If you already have these three online blacklists enabled but the email was allowed through nonetheless, I recommend checking the log to see whether the email was accidentally whitelisted.

A regex blocking emails with URLs in their third line would definitely cause false positives, so we do not recommend adding such a manual rule.

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)
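
The trade-off raised in the two posts above, as an added example that is not part of the original thread and is not ORF's own code: both rule ideas (a URL alone on the third body line, and the `/profile/##CapsLetter/` URL format) are run over sample messages. The regexes, function names, domains and sample bodies are constructed for illustration, and Python's `re` module stands in for the filter's regex engine.

```python
import re

# Hypothetical rule 1: the third non-empty body line is nothing but a URL.
URL_ONLY = re.compile(r"https?://\S+", re.IGNORECASE)
# Hypothetical rule 2: URL path of the form /profile/<digits><CapitalisedName>/
PROFILE_URL = re.compile(
    r"https?://[^\s/]+/profile/\d+[A-Z][A-Za-z]*/?(?=\s|$)"
)

def third_line_is_url(body):
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return len(lines) >= 3 and URL_ONLY.fullmatch(lines[2]) is not None

def has_profile_url(body):
    return PROFILE_URL.search(body) is not None

# Constructed sample bodies (not real mail); domains are placeholders.
SAMPLES = {
    # Same shape as the spam quoted in the first post.
    "spam_profile": "Hola friend!\nthis is fortune knocking at your door\n"
                    "http://spam.example/profile/68PhilipMurray/\nc ya",
    # Same four-line shape, but without the /profile/ URL format.
    "spam_other_url": "Hey there!\nyou will not believe this offer\n"
                      "http://spam.example/win/index.html\nlater",
    # Ordinary mail that happens to put a link on its third line.
    "legit_third_line_url": "Hi Dana,\nthe report you asked for is here:\n"
                            "https://intranet.example/docs/q3-report.pdf\nthanks",
    # Ordinary notification that links to a profile page.
    "legit_profile_link": "New follower\n"
                          "https://community.example/profile/42Alice/ follows you",
}

def evaluate():
    """Return {sample: (third_line_rule_hit, profile_rule_hit)}."""
    return {name: (third_line_is_url(body), has_profile_url(body))
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (third, profile) in evaluate().items():
        print(f"{name:22} third-line={third!s:5} profile-url={profile}")
```

The third-line rule hits the ordinary mail with a link on line three, and the URL-format rule misses the spam variant while hitting a harmless profile link, which is the false-positive and coverage problem that a reputation-based URL blacklist avoids.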

3

Ah i see - the specific email address was whitelisted previously... and the whitelist overrides the url blacklist. Thanks!

by Bryon 7 years ago
4

@Bryon: Yes, basically whitelists always take precedence over blacklists, though some specific blacklist tests can be excepted from the scope of whitelists under Configuration / Tests / Tests, Whitelist exceptions (e.g., it does not make sense to allow the email in if there are no valid recipients, even if the sender is whitelisted).

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)
