Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Help with a filter
  FAQ FAQ  Forum Search   Register Register  Login Login

Help with a filter

 Post Reply Post Reply
Author
corymckee View Drop Down
Newbie
Newbie


Joined: 10 June 2007
Status: Offline
Points: 31
Post Options Post Options   Thanks (0) Thanks(0)   Quote corymckee Quote  Post ReplyReply Direct Link To This Post Topic: Help with a filter
    Posted: 15 August 2007 at 11:36am
We are getting a lot of email through the filter with similar text:
 

Mother(ish@jp.fid-intl.com) has created Holiday card for you at lakecards.com.

 

To see your custom Holiday card, simply click on the following link:

 

http://76.20.220.92/

 

Send a FREE greeting card from lakecards.com whenever you want by visiting us at:

This service is provided and hosted by lakecards.com.

 

 

 

 

I would like to create a filter that junks all email that include a URL with an IP address in it.

 

What would be the best way to do this?

 

Back to Top
Roman View Drop Down
Newbie
Newbie


Joined: 04 November 2005
Location: Russian Federation
Status: Offline
Points: 32
Post Options Post Options   Thanks (0) Thanks(0)   Quote Roman Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 11:54am
((?i)http://{1,3}\d\.{1,3}\d\.{1,3}\d\.{1,3}\d/) should make it

Edited by Roman - 15 August 2007 at 11:56am
Back to Top
corymckee View Drop Down
Newbie
Newbie


Joined: 10 June 2007
Status: Offline
Points: 31
Post Options Post Options   Thanks (0) Thanks(0)   Quote corymckee Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 11:55am
Thanks for the quick reply.
Back to Top
Thermo View Drop Down
Newbie
Newbie


Joined: 10 July 2006
Location: Canada
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote Thermo Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 2:41pm
I am testing this in SFI RegEx Testing area, I removed the parenthesis as per the instructions and put in http://209.65.55.50 in the search pane I just get the result Not Found.

Am I doing something wrong in my testing.

Thanks.
Back to Top
Roman View Drop Down
Newbie
Newbie


Joined: 04 November 2005
Location: Russian Federation
Status: Offline
Points: 32
Post Options Post Options   Thanks (0) Thanks(0)   Quote Roman Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 3:05pm
Not "http://209.65.55.50" but "http://209.65.55.50/".
Or remove the last "/" in regexp.
Back to Top
Thermo View Drop Down
Newbie
Newbie


Joined: 10 July 2006
Location: Canada
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote Thermo Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 3:12pm
I noticed my missing "/" in my search pane just after posting so I tried it with it in but it made no difference. Any ideas?

Thanks
Back to Top
Roman View Drop Down
Newbie
Newbie


Joined: 04 November 2005
Location: Russian Federation
Status: Offline
Points: 32
Post Options Post Options   Thanks (0) Thanks(0)   Quote Roman Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 3:38pm
my bad:
((?i)http://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)


Edited by Roman - 15 August 2007 at 3:39pm
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 4:05pm
Hmmm ... My 2 cents
((?i)http(s?)://([\d]{1,3}[\.+]){3}[\d]{1,3}/)
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
Thermo View Drop Down
Newbie
Newbie


Joined: 10 July 2006
Location: Canada
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote Thermo Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 4:13pm
That did it, Thanks.

I have to learn RegEx.
Back to Top
Roman View Drop Down
Newbie
Newbie


Joined: 04 November 2005
Location: Russian Federation
Status: Offline
Points: 32
Post Options Post Options   Thanks (0) Thanks(0)   Quote Roman Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 4:21pm
m-m-m, recursion :)
but why "[]" and "+", isn't

((?i)http(s?)://(\d{1,3}\.){3}\d{1,3}/)

enough?
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 4:37pm
Old habbits die hard!  I tend to program in Perl and often to go cross-platform, I need to get VERY picky.  As the horrible saying goes ... "there is more than one way to skin a cat".  (I hope the ASPCA doesn't read this)
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
Roman View Drop Down
Newbie
Newbie


Joined: 04 November 2005
Location: Russian Federation
Status: Offline
Points: 32
Post Options Post Options   Thanks (0) Thanks(0)   Quote Roman Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 4:53pm
I see. I've just asked to be sure I'm not missing something.
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 15 August 2007 at 5:02pm
You could also modify it as below in case the Spam Site in NOT on port 80
((?i)http(s?)://(\d{1,3}\.){3}\d{1,3}(:|/))
OR ... just leave the last part off and any http request to an IP address will also get wacked.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
IKILLSPAM1 View Drop Down
Groupie
Groupie


Joined: 02 May 2007
Location: United States
Status: Offline
Points: 70
Post Options Post Options   Thanks (0) Thanks(0)   Quote IKILLSPAM1 Quote  Post ReplyReply Direct Link To This Post Posted: 16 August 2007 at 10:11am
Ive also recently put in some regex to block emails with numeric hyperlinks in them. every little bit helps i guess. its blocked about 15 emails since yesterday.
 
I wish I had the time and will power to learn regex as well. I was trying to find a good regex to deal with the pdf crap but wasnt able to. Im seeing people like to keep their regex's safe from spammer eyes. If anyone wants to share their regex's id be honored!
 
 
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 August 2007 at 11:29am
All,
 
One issue I have with the above RegEx's (which I use and get thousands of blocks) is that I also scan headers and Barracudas put a screwy header in which causes a block.  Example:
X-Barracuda-URL: http://198.136.134.18:8000/cgi-bin/mark.cgi
I have yet to understand *why* the header is even added.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
IKILLSPAM1 View Drop Down
Groupie
Groupie


Joined: 02 May 2007
Location: United States
Status: Offline
Points: 70
Post Options Post Options   Thanks (0) Thanks(0)   Quote IKILLSPAM1 Quote  Post ReplyReply Direct Link To This Post Posted: 16 August 2007 at 2:43pm
Thanks for the headsup Dan. I will keep an eye out for that.
Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 17 August 2007 at 3:53pm
Here's one I use.  If what looks like an i.p.-based url is preceded by "card" anywhere in the message (including a different line), this will match.

[code]((?is)card.*https?://\d\d)[code]

On the plus side, this should hopefully reduce the likelihood of matching URLs within mail-headers.

I realize spammers may possible drift in here to learn some of our techniques, but I think that this discussion still helps more than it hurts.

Stephen

p.s. Thanks Dan, for thinking about https too - I added that after the fact Smile


Edited by sgeorge - 17 August 2007 at 3:54pm
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.066 seconds.