Spam Filter ISP Support Forum


Scanning Headers

Desperado
Senior Member

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
    Posted: 06 June 2005 at 12:54pm

All,

Trying to detect:

Received: from [153.160.239.84] (port=3379 helo=[Jan])

In the headers with no success.  I have a working RegEx but it still doesn't see it. I have the setting ScanReceivedHeaders=1 in my INI file.  I have a keyword of:

((?i)received: from \[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)

Thoughts?

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Desperado
Senior Member

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Posted: 12 June 2005 at 4:55pm

OK then ... I will answer myself.

The following *DOES* work:
((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)

Leaving the "received: from" part out.

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

kspare
Senior Member
Joined: 26 January 2005
Location: Canada
Status: Offline
Points: 334
Posted: 13 June 2005 at 2:47am
What is the advantage of that regex?
Desperado
Senior Member

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Posted: 13 June 2005 at 7:20am

Kevin,

I am finding a stupid amount of spam with something like:
Received: from [43.53.50.36] (port=3173 helo=[Armand])

in the headers.  I have had zero false positives so far by killing messages with this type of header, and I am catching a lot.

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

kspare
Senior Member
Joined: 26 January 2005
Location: Canada
Status: Offline
Points: 334
Posted: 13 June 2005 at 9:38am
Interesting. I'm always curious to try out your stuff, so I just need that regex as it sits?
Desperado
Senior Member

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Posted: 13 June 2005 at 9:50am

Kevin,

((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)

Should work.

EXAMPLE:

2  Text OR HTML    joe@domain.net Heriberto@wsm.com i have seen some sh*t, but this. 6/13/2005 9:50:18 AM Keywords found in content Found Keywords: [((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)] SID=5 mx01
3  Text OR HTML    joe@domain.net Heriberto@wsm.com i have seen some sh*t, but this. 6/13/2005 9:50:16 AM Keywords found in content Found Keywords: [((?i)\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\[)] SID=5 mx0
Regards,

Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

kspare
Senior Member
Joined: 26 January 2005
Location: Canada
Status: Offline
Points: 334
Posted: 13 June 2005 at 9:57am
Does it require "subject:" before it, or do I just throw it in the keywords blacklist?
Desperado
Senior Member

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Posted: 13 June 2005 at 10:08am

Throw it in EXACTLY as is, but make sure your INI setting for header scanning is turned on.

ScanReceivedHeaders=1

This is a "Received" line in the header.

Regards,

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
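An added example, not code from the thread or from the filter product: a small Python script that runs the two patterns posted above over a handful of Received lines (the thread's own two samples plus constructed ones) and reports which lines each pattern fires on. It also shows what happens when only the header's value, without the `Received:` field name, is handed to the pattern. That is one hypothetical explanation for why the shorter pattern matched and the longer one did not; the thread does not say how the filter actually feeds header text to keyword patterns. Python 3.11 and later reject an inline `(?i)` placed inside a group, so the flag is passed as `re.IGNORECASE` instead; the rest of each pattern is as posted.

```python
import re

# Patterns from the thread, minus the leading "(?i)"; Python 3.11+ rejects an
# inline global flag inside a group, so IGNORECASE is supplied at compile time.
PATTERN_FULL = r"received: from \[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\["
PATTERN_VALUE_ONLY = r"\[(\d+?\.){3}(\d+?)\] \(port\=(\d){3,} helo=\["

RX_FULL = re.compile(PATTERN_FULL, re.IGNORECASE)
RX_VALUE_ONLY = re.compile(PATTERN_VALUE_ONLY, re.IGNORECASE)

# Sample Received lines. The first two are the thread's own examples; the other
# two are constructed here to exercise the cases the pattern should NOT hit.
SAMPLE_HEADERS = [
    "Received: from [153.160.239.84] (port=3379 helo=[Jan])",
    "Received: from [43.53.50.36] (port=3173 helo=[Armand])",
    # Ordinary relay: FQDN in HELO, address in parentheses, no "(port=" -> no match
    "Received: from mail.example.net ([192.0.2.10]) by mx.example.org",
    # Bracketed HELO but a two-digit port: (\d){3,} needs three or more digits -> no match
    "Received: from [192.0.2.5] (port=25 helo=[Box])",
]


def header_value(line):
    """Return the field body after 'Name:', i.e. what a filter would see if it
    scanned only the header value rather than the whole line."""
    return line.split(":", 1)[1].strip()


def matches(rx, text):
    """True if the compiled pattern occurs anywhere in text."""
    return rx.search(text) is not None


def classify(lines, rx, value_only=False):
    """Return the subset of lines the pattern fires on.

    value_only=True simulates a filter that strips the field name before
    matching (a hypothesis, not a documented property of the product).
    """
    hits = []
    for line in lines:
        text = header_value(line) if value_only else line
        if matches(rx, text):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for name, rx in (("full pattern", RX_FULL), ("value-only pattern", RX_VALUE_ONLY)):
        for mode in (False, True):
            scope = "header value only" if mode else "whole line"
            hits = classify(SAMPLE_HEADERS, rx, value_only=mode)
            print(f"{name} over {scope}: {len(hits)} hit(s)")
            for h in hits:
                print("   ", h)
```

What the pattern keys on is a HELO argument that is a bare bracketed machine name rather than a hostname, combined with a high-numbered client port; that shape is what one sees when mail is delivered straight from an end-user machine rather than through a mail server, which is why the thread reports it as a clean indicator. When testing a pattern like this, run it over a sample of known-good mail as well as the spam, because the two-digit port case above shows how small details in the pattern decide what is and is not caught.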
