Spam Filter ISP Support Forum


Help with a filter

corymckee
Posted: 15 August 2007 at 11:36am
We are getting a lot of email through the filter with similar text:

Mother(ish@jp.fid-intl.com) has created Holiday card for you at lakecards.com.

To see your custom Holiday card, simply click on the following link:

http://76.20.220.92/

Send a FREE greeting card from lakecards.com whenever you want by visiting us at:

This service is provided and hosted by lakecards.com.

I would like to create a filter that junks all email that includes a URL with an IP address in it.

What would be the best way to do this?

Roman
Posted: 15 August 2007 at 11:54am
((?i)http://{1,3}\d\.{1,3}\d\.{1,3}\d\.{1,3}\d/) should make it

Edited by Roman - 15 August 2007 at 11:56am

corymckee
Posted: 15 August 2007 at 11:55am
Thanks for the quick reply.

Thermo
Posted: 15 August 2007 at 2:41pm
I am testing this in the SFI RegEx Testing area. I removed the parentheses as per the instructions and put http://209.65.55.50 in the search pane, and I just get the result Not Found.

Am I doing something wrong in my testing?

Thanks.

Roman
Posted: 15 August 2007 at 3:05pm
Not "http://209.65.55.50" but "http://209.65.55.50/".
Or remove the last "/" in regexp.

Thermo
Posted: 15 August 2007 at 3:12pm
I noticed my missing "/" in my search pane just after posting so I tried it with it in but it made no difference. Any ideas?

Thanks

Roman
Posted: 15 August 2007 at 3:38pm
my bad:
((?i)http://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)


Edited by Roman - 15 August 2007 at 3:39pm

Desperado
Posted: 15 August 2007 at 4:05pm
Hmmm ... My 2 cents
((?i)http(s?)://([\d]{1,3}[\.+]){3}[\d]{1,3}/)
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Thermo
Posted: 15 August 2007 at 4:13pm
That did it, Thanks.

I have to learn RegEx.

Roman
Posted: 15 August 2007 at 4:21pm
m-m-m, recursion :)
but why "[]" and "+", isn't

((?i)http(s?)://(\d{1,3}\.){3}\d{1,3}/)

enough?

Desperado
Posted: 15 August 2007 at 4:37pm
Old habits die hard! I tend to program in Perl, and often, to go cross-platform, I need to get VERY picky. As the horrible saying goes ... "there is more than one way to skin a cat". (I hope the ASPCA doesn't read this)
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Roman
Posted: 15 August 2007 at 4:53pm
I see. I've just asked to be sure I'm not missing something.

Desperado
Posted: 15 August 2007 at 5:02pm
You could also modify it as below in case the Spam Site is NOT on port 80
((?i)http(s?)://(\d{1,3}\.){3}\d{1,3}(:|/))
OR ... just leave the last part off and any http request to an IP address will also get whacked.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

IKILLSPAM1
Posted: 16 August 2007 at 10:11am
I've also recently put in some regex to block emails with numeric hyperlinks in them. Every little bit helps, I guess. It's blocked about 15 emails since yesterday.

I wish I had the time and willpower to learn regex as well. I was trying to find a good regex to deal with the PDF crap but wasn't able to. I'm seeing people like to keep their regexes safe from spammer eyes. If anyone wants to share their regexes, I'd be honored!

Desperado
Posted: 16 August 2007 at 11:29am
All,
 
One issue I have with the above RegExes (which I use and get thousands of blocks) is that I also scan headers, and Barracudas put a screwy header in which causes a block. Example:
X-Barracuda-URL: http://198.136.134.18:8000/cgi-bin/mark.cgi
I have yet to understand *why* the header is even added.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

IKILLSPAM1
Posted: 16 August 2007 at 2:43pm
Thanks for the heads-up, Dan. I will keep an eye out for that.

sgeorge
Posted: 17 August 2007 at 3:53pm
Here's one I use. If what looks like an IP-based URL is preceded by "card" anywhere in the message (including a different line), this will match.

((?is)card.*https?://\d\d)

On the plus side, this should hopefully reduce the likelihood of matching URLs within mail headers.

I realize spammers may possibly drift in here to learn some of our techniques, but I think that this discussion still helps more than it hurts.

Stephen

P.S. Thanks, Dan, for thinking about https too - I added that after the fact :)


Edited by sgeorge - 17 August 2007 at 3:54pm
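
Added example, not part of the thread: the patterns posted above, run in Python against the URLs and the X-Barracuda-URL header quoted in the thread, to show which variant catches which URL shape and how scanning only the body avoids the header false positive Desperado describes. The two messages are constructed, the function and dictionary names are this example's own, and using Python's `re` in place of the filter's regex engine is an assumption.

```python
import re
from email import message_from_string

# Thread patterns with the outer parentheses removed (as Thermo did for the
# tester); Python needs the inline (?i) flag at the very start of the pattern.
PATTERNS = {
    "roman_first": r"(?i)http://{1,3}\d\.{1,3}\d\.{1,3}\d\.{1,3}\d/",
    "roman_fixed": r"(?i)http://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/",
    "with_port": r"(?i)http(s?)://(\d{1,3}\.){3}\d{1,3}(:|/)",
    "no_suffix": r"(?i)http(s?)://(\d{1,3}\.){3}\d{1,3}",
    "card_prefix": r"(?is)card.*https?://\d\d",
}

# Constructed messages; the URLs and the header line are the ones quoted in the thread.
SPAM = (
    "From: sender@example.com\n"
    "Subject: Holiday card\n"
    "\n"
    "To see your custom Holiday card, simply click on the following link:\n"
    "http://76.20.220.92/\n"
)
LEGIT = (
    "From: alice@example.com\n"
    "Subject: meeting notes\n"
    "X-Barracuda-URL: http://198.136.134.18:8000/cgi-bin/mark.cgi\n"
    "\n"
    "Notes are at http://intranet.example.com/notes\n"
)

def matches(name, text):
    """True if the named thread pattern is found anywhere in text."""
    return re.search(PATTERNS[name], text) is not None

def body_of(raw):
    """Body of a single-part text message, with the headers stripped."""
    return message_from_string(raw).get_payload()

def is_junk(raw, name, scan_headers):
    """Apply one pattern to the whole message or to the body only."""
    return matches(name, raw if scan_headers else body_of(raw))

if __name__ == "__main__":
    for url in ("http://209.65.55.50", "http://209.65.55.50/",
                "https://76.20.220.92/", "http://198.136.134.18:8000/cgi-bin/mark.cgi"):
        print(url, [n for n in PATTERNS if matches(n, url)])
    for label, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(label, is_junk(raw, "with_port", True), is_junk(raw, "with_port", False))
```

Run as a script, it prints the matching pattern names per URL, then the whole-message and body-only verdicts for each message.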