Internet Explorer URL Display problem

Julian Field mailscanner at ecs.soton.ac.uk
Tue Dec 16 08:51:37 GMT 2003


This is starting to look awfully familiar. See the SA rule 
"HTTP_ESCAPED_HOST" which uses this:
/^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/

Do we want to scrap the custom rule altogether and just increase the score 
of http_escaped_host?

At 21:33 15/12/2003, you wrote:
>I also got some false positives with the same regex.  I couldn't figure
>out why because the emails contained no %...  they had attached
>documents though, coded in base64.
>
>I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
>
>Denis
>
>On Mon 15/12/2003 at 13:46, Ken Anderson wrote:
> > Seeing a false positive from a weatherbug spam using this re.
> >  > /%([01][0-9a-f]|7f).*@/i
> >
> > It's coming from this mailto link:
> >
> > mailto:community at isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%20share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20with%20your%20photos%20attached%20to%3A%20community at isabel.weatherbug.com
> >
> > Any ideas?
> >
> > Thanks,
> > Ken A.
> > Pacific.Net
> >
> > Julian Field wrote:
> >
> > > At 17:29 12/12/2003, you wrote:
> > >
> > >> At 17:09 12/12/2003, you wrote:
> > >>
> > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
> > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
> > >>>
> > >>> I only skimmed the spec. But what I gathered, unless I completely
> > >>> misunderstood the document, is that characters from %00 through %1F
> > >>> inclusive and %7F are control characters and shouldn't be in a URI.
> > >>>
> > >>>    Although they are disallowed within the URI syntax, we include here a
> > >>>    description of those US-ASCII characters that have been excluded and
> > >>>    the reasons for their exclusion.
> > >>>
> > >>>    The control characters in the US-ASCII coded character set are not
> > >>>    used within a URI, both because they are non-printable and because
> > >>>    they are likely to be misinterpreted by some control mechanisms.
> > >>>
> > >>>    control     = <US-ASCII coded characters 00-1F and 7F hexadecimal>
> > >>>
> > >>> So how much trouble would we cause if we just disallowed the entire
> > >>> range of control characters from URIs? Can anyone think of a real website
> > >>> that legitimately uses any of these control codes within their URIs? I'm
> > >>> particularly concerned about shopping sites with their massive URIs.
> > >>
> > >>
> > >> Sounds good to me.
> > >
> > >
> > > The pattern for matching this is therefore
> > >
> > > /%([01][0-9a-f]|7f).*@/i
> > >
> > > so add this to spam.assassin.prefs.conf:
> > >
> > > uri     IE_VULN                 /%([01][0-9a-f]|7f).*@/i
> > > score   IE_VULN                 100.0
> > > describe        IE_VULN         Internet Explorer vulnerability
> > >
> > > and then restart MailScanner.
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >
> > >
>--
>Denis Beauchemin, analyste
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
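
An added example, not part of the original thread: the three patterns quoted above, run with Python's `re` over constructed URIs to show which ones fire on the reported mailto link and which are tied to the host part of the URL. It assumes each rule is searched against one URI string at a time; the sample URIs and the `IE_VULN_DENIS` label are made up for illustration.

```python
import re

# Patterns copied from the thread. The dict keys are labels for this example;
# "IE_VULN_DENIS" is a hypothetical name for Denis's revision.
RULES = {
    "IE_VULN": re.compile(r"%([01][0-9a-f]|7f).*@", re.I),
    "IE_VULN_DENIS": re.compile(r"https?://.*%([01][0-9a-f]|7f).*@", re.I),
    "HTTP_ESCAPED_HOST": re.compile(r"^https?://[^/\s]*%[0-9a-fA-F][0-9a-fA-F]"),
}

# Constructed sample URIs (example.com and 192.0.2.10 are documentation values).
SAMPLES = {
    # Control-character escape in the authority, ahead of the "@".
    "ctrl_before_at": "http://www.example.com%01@192.0.2.10/login.html",
    # Shortened form of the mailto link Ken reports, with literal "@" signs.
    "mailto_crlf": ("mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission"
                    "&Body=Step%201%0D%0A%0D%0AStep%202%20-%20Send%20to%3A%20"
                    "community@isabel.weatherbug.com"),
    # Control escape and "@" both in the query string, none in the host.
    "ctrl_in_query": "http://shop.example.com/cart?note=a%0Ab&email=user@example.com",
    # Ordinary %20 in the path.
    "space_in_path": "http://shop.example.com/item%20list?id=7",
    # Escaped printable characters in the host, no control characters.
    "escaped_host": "http://www%2eexample%2ecom/",
}


def matching_rules(uri):
    """Return the sorted names of the rules whose pattern is found in uri."""
    return sorted(name for name, rx in RULES.items() if rx.search(uri))


def evaluate(samples=SAMPLES):
    """Map each sample name to the list of rules that fire on it."""
    return {name: matching_rules(uri) for name, uri in samples.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15} {', '.join(hits) or '-'}")
```

Only `HTTP_ESCAPED_HOST` stays quiet when the control escape and the `@` both sit in the query string, because it stops scanning at the first `/`; it also fires on any escaped character in the host, not just the control range.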



