advanced regexing RSS Back to forum
@Bryon:
building a complex regex against this type of spam is unnecessary: the URL in the body is listed in at least one of the recommended URL blacklists (uribl.com, I did not check the others), so ORF is able to block this automatically.
Please make sure you have the URL Blacklist test enabled (Administration Tool: Configuration / Tests / Tests) and that you have the recommended URL Blacklists enabled (Configuration / Filtering - On Arrival / URL Blacklists, you should have Spamhaus DBL, SURBL: Combined, and uribl.com enabled), see our best practices guide at http://www.vamsoft.com/downloads/getmostguide.pdf. Finally, save your settings by pressing Ctrl + S to apply the changes.
If you already have this three online blacklist enabled but the email was allowed through none the less, I recommend checking the log to see whether the email was accidentally whitelisted.
A regex blocking emails with URLs in their third line would definitely cause false positives, so we do not recommend adding such manual rule.
Ah i see - the specific email address was whitelisted previously... and the whitelist overrides the url blacklist. Thanks!
@Bryon: Yes, basically whitelists always take precedence over blacklist, though some specific blacklist test can be excepted from the scope of whitelists under Configuration / Tests / Tests, Whitelist exceptions (e.g., it does not make sense to allow the email in if there are no valid recipients, even if the sender is whitelisted).
oh hey this is the 500th post, cool
anyway, i have an issue with several emails getting thru from hacked aol/yahoo accounts
all are in the format of:
line 1: random greeting from a list
line 2: random sentence saying how good the spam is
line 3: spam url
line 4: random closing from a list
example:
Hola friend!
hello this is1 fortune knocking at your door literally don't ignore this
http://vincedaddy.com/profile/68PhilipMurray/
c ya
so - is there a way to block any url on the 3rd line of a body?
the lengths of the lines are always similar, that is short, long, url, short
i have noticed that 75% of them do have /profile/##CapsLetter/ like that, maybe it's best to just key off of the url format?