Handling hyperlinks in email

1

Is there any way to handle bogus hyperlinks in emails? We get spam with hyperlinks embedded in the email with 'href' tags pointing to 'drive by infection' sites. I see them as being Grey listed but then passing on second try.

by Bazagee 6 years ago

2

@Bazagee: do you have the SURBL Blacklist test enabled and the recommended blacklists enabled?

http://vamsoft.com/r?o-hto-adm-urlblacklist

http://vamsoft.com/support/docs/knowledge-base/recommended-dnsbls-surbls-agents

If so, is ORF able to perform all queries successfully (you can verify this by checking the logs: http://vamsoft.com/support/docs/knowledge-base/using-the-log-viewer)?

by Krisztián Fekete (Vamsoft) 6 years ago

3

Yes, SURBL was enabled on Arrival. I was missing the Spamhaus lookup so I have added the newest SURBL list and enabled that lookup. This was post adding new list:
Active SURBLs: black.uribl.com, MULTI-SURBL, AB-SURBL, OB-SURBL, WS-SURBL, SC-SURBL.

I don't see any errors but I'm not sure I'm filtering the records correctly? At the moment I am filtering SURBL in the Message column...

by Bazagee 6 years ago

4

@Bazagee: You could disable AB-SURBL, OB-SURBL, WS-SURBL and SC-SURBL, as these are included in the MULTI-SURBL definition by default. Filtering the logs for .*SURBL.* in the message column (regular expression) should be fine, plus I recommend setting the severity to "Information" (invert rule), so you will see all errors, critical errors and warnings.

by Krisztián Fekete (Vamsoft) 6 years ago

5

Just an observation, but it sure would be nice to have a little more correlation between the SURBL name long form and its reported short form. E.g. which is the WS-SURBL? I can figure it out by enabling and disabling then reading the log. But I'm thinking with better long name form recognition it could be a lot easier. Or am I just being pedantic?

Ok now have SURBLs: black.uribl.com, SPAMHAUS-DBL, MULTI-SURBL, UB-BLACK. I'll see how the bogus HTML links go now.
Thanks

by Bazagee 6 years ago

6

@Bazagee: Actually, black.uribl.com and UB-BLACK are the same... I suspect you added the first manually for some reason instead of importing our definition set, hence the duplicate:

http://vamsoft.com/support/docs/knowledge-base/update-dnsbl-surbl

As for the short identifiers, by default we use the names and short IDs given by the blacklist operators (e.g., http://www.surbl.org/lists#ws). You can rewrite any of the short identifiers inserted in the log message in the definitions (Administration Tool: Blacklists / SURBL Test, double click the SURBL).

by Krisztián Fekete (Vamsoft) 6 years ago
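
Added example (not part of the thread and not ORF's own code): a sketch of what a URI blacklist test does with the hyperlinks discussed above, extracting each `href` host from an HTML body and building the DNS name to query in a zone such as `multi.surbl.org` or `black.uribl.com`. The function names, the sample body and the two-entry suffix set are assumptions made for illustration; a real filter would use a full public suffix list.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: tiny stand-in for a full two-level suffix list, enough for the sample.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}

class HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag (names arrive lowercased)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def lookup_key(host):
    """Reduce a URL host to the key a URI blacklist zone is queried with."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.IPv4Address(host)
        return ".".join(reversed(str(ip).split(".")))  # IPs are queried reversed
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])  # registered domain only, subdomains dropped

def surbl_queries(html_body, zone="multi.surbl.org"):
    """Return the sorted, de-duplicated DNS names to query for one message."""
    parser = HrefCollector()
    parser.feed(html_body)
    keys = set()
    for href in parser.hrefs:
        host = urlsplit(href).hostname  # None for mailto: and relative links
        if host:
            keys.add(lookup_key(host))
    return sorted(f"{key}.{zone}" for key in keys)

# Constructed sample body; hosts are reserved documentation names and addresses.
SAMPLE = """<html><body>
<a href="http://promo.shop.example.com/win?id=1">Claim</a>
<a HREF='https://www.example.co.uk/login'>Your bank</a>
<a href="http://192.0.2.15/update">Update</a>
<a href="mailto:someone@example.org">Mail us</a>
</body></html>"""

if __name__ == "__main__":
    for name in surbl_queries(SAMPLE):
        print(name)  # an A record answer in 127.0.0.0/8 would mean "listed"
```

Because one message yields one query per distinct domain per zone, overlapping definitions (such as a combined list enabled together with lists it already contains) only repeat lookups without adding coverage.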
