Internet Explorer URL Display problem

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Mon Dec 15 21:33:50 GMT 2003 

I also got some false positives with the same regex.  I couldn't figure
out why because the emails contained no %...  they had attached
documents though, coded in base64.

I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i

Denis

Le lun 15/12/2003 à 13:46, Ken Anderson a écrit :
> Seeing a false positive from a weatherbug spam using this re.
>  > /%([01][0-9a-f]|7f).*@/i
> 
> It's coming from this mailto link:
> 
> mailto:community at isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%2
> 0share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20wit
> h%20your%20photos%20attached%20to%3A%20community at isabel.weatherbug.com
> 
> Any ideas?
> 
> Thanks,
> Ken A.
> Pacific.Net
> 
> 
> 
> 
> 
> 
> 
> Julian Field wrote:
> 
> > At 17:29 12/12/2003, you wrote:
> >
> >> At 17:09 12/12/2003, you wrote:
> >>
> >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
> >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
> >>>
> >>> I only skimmed the spec. But what I gathered, unless I completely
> >>> misunderstood the document is that characters from %00 through %1F
> >>> inclusive and %7F are control characters and shouldn't be in a URI.
> >>>
> >>>    Although they are disallowed within the URI syntax, we include here a
> >>>    description of those US-ASCII characters that have been excluded and
> >>>    the reasons for their exclusion.
> >>>
> >>>    The control characters in the US-ASCII coded character set are not
> >>>    used within a URI, both because they are non-printable and because
> >>>    they are likely to be misinterpreted by some control mechanisms.
> >>>
> >>>    control     = <US-ASCII coded characters 00-1F and 7F hexadecimal>
> >>>
> >>> So how much trouble would we cause if we just disallowed the entire
> >>> range of control characters from URIs? Can anyone think of a real
> >>> website
> >>> that legitimately uses any of these control codes within their URIs? I'm
> >>> particularly concerned about shopping sites with their massive URIs.
> >>
> >>
> >> Sounds good to me.
> >
> >
> > The pattern for matching this is therefore
> >
> > /%([01][0-9a-f]|7f).*@/i
> >
> > so add this to spam.assassin.prefs.conf:
> >
> > uri     IE_VULN                 /%([01][0-9a-f]|7f).*@/i
> > score   IE_VULN                 100.0
> > describe        IE_VULN         Internet Explorer vulnerability
> >
> > and then restart MailScanner.
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >
-- 
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

More information about the MailScanner mailing list