advanced regexing RSS

1

oh hey this is the 500th post, cool

anyway, i have an issue with several emails getting thru from hacked aol/yahoo accounts

all are in the format of:

line 1: random greeting from a list
line 2: random sentence saying how good the spam is
line 3: spam url
line 4: random closing from a list

example:
Hola friend!
hello this is1 fortune knocking at your door literally don't ignore this
http://vincedaddy.com/profile/68PhilipMurray/
c ya

so - is there a way to block any url on the 3rd line of a body?

the lengths of the lines are always similar, that is short, long, url, short

i have noticed that 75% of them do have /profile/##CapsLetter/ like that, maybe it's best to just key off of the url format?

by Bryon 7 years ago
2

@Bryon: building a complex regex against this type of spam is unnecessary: the URL in the body is listed in at least one of the recommended URL blacklists (uribl.com, I did not check the others), so ORF is able to block this automatically.

Please make sure you have the URL Blacklist test enabled (Administration Tool: Configuration / Tests / Tests) and that you have the recommended URL Blacklists enabled (Configuration / Filtering - On Arrival / URL Blacklists, you should have Spamhaus DBL, SURBL: Combined, and uribl.com enabled), see our best practices guide at http://www.vamsoft.com/downloads/getmostguide.pdf. Finally, save your settings by pressing Ctrl + S to apply the changes.

If you already have this three online blacklist enabled but the email was allowed through none the less, I recommend checking the log to see whether the email was accidentally whitelisted.

A regex blocking emails with URLs in their third line would definitely cause false positives, so we do not recommend adding such manual rule.

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

3

Ah i see - the specific email address was whitelisted previously... and the whitelist overrides the url blacklist. Thanks!

by Bryon 7 years ago
4

@Bryon: Yes, basically whitelists always take precedence over blacklist, though some specific blacklist test can be excepted from the scope of whitelists under Configuration / Tests / Tests, Whitelist exceptions (e.g., it does not make sense to allow the email in if there are no valid recipients, even if the sender is whitelisted).

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed