Internet Explorer URL Display problem

Daniel Bird dbird at SGHMS.AC.UK
Tue Dec 16 11:00:57 GMT 2003


Julian Field wrote:

> This is starting to look awfully familiar. See the SA rule 
> "HTTP_ESCAPED_HOST" which uses this:
> /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
>
> Do we want to scrap the custom rule altogether and just increase the 
> score of http_escaped_host? 


We've been using that rule for a few days now with an MCP score of 10, 
and I haven't seen any FPs as yet.

Dan

>
>
> At 21:33 15/12/2003, you wrote:
>
>> I also got some false positives with the same regex.  I couldn't figure
>> out why because the emails contained no %...  they had attached
>> documents though, coded in base64.
>>
>> I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
>>
>> Denis
>>
>> On Mon 15/12/2003 at 13:46, Ken Anderson wrote:
>> > Seeing a false positive from a weatherbug spam using this re.
>> >  > /%([01][0-9a-f]|7f).*@/i
>> >
>> > It's coming from this mailto link:
>> >
>> > mailto:community at isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%20share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20with%20your%20photos%20attached%20to%3A%20community at isabel.weatherbug.com
>> >
>> > Any ideas?
>> >
>> > Thanks,
>> > Ken A.
>> > Pacific.Net
>> >
>> > Julian Field wrote:
>> >
>> > > At 17:29 12/12/2003, you wrote:
>> > >
>> > >> At 17:09 12/12/2003, you wrote:
>> > >>
>> > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
>> > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
>> > >>>
>> > >>> I only skimmed the spec. But what I gathered, unless I completely
>> > >>> misunderstood the document, is that characters from %00 through %1F
>> > >>> inclusive and %7F are control characters and shouldn't be in a URI.
>> > >>>
>> > >>>    Although they are disallowed within the URI syntax, we include here a
>> > >>>    description of those US-ASCII characters that have been excluded and
>> > >>>    the reasons for their exclusion.
>> > >>>
>> > >>>    The control characters in the US-ASCII coded character set are not
>> > >>>    used within a URI, both because they are non-printable and because
>> > >>>    they are likely to be misinterpreted by some control mechanisms.
>> > >>>
>> > >>>    control     = <US-ASCII coded characters 00-1F and 7F hexadecimal>
>> > >>>
>> > >>> So how much trouble would we cause if we just disallowed the entire
>> > >>> range of control characters from URIs? Can anyone think of a real
>> > >>> website that legitimately uses any of these control codes within their
>> > >>> URIs? I'm particularly concerned about shopping sites with their massive
>> > >>> URIs.
>> > >>
>> > >> Sounds good to me.
>> > >
>> > > The pattern for matching this is therefore
>> > >
>> > > /%([01][0-9a-f]|7f).*@/i
>> > >
>> > > so add this to spam.assassin.prefs.conf:
>> > >
>> > > uri     IE_VULN                 /%([01][0-9a-f]|7f).*@/i
>> > > score   IE_VULN                 100.0
>> > > describe        IE_VULN         Internet Explorer vulnerability
>> > >
>> > > and then restart MailScanner.
>> > > --
>> > > Julian Field
>> > > www.MailScanner.info
>> > > Professional Support Services at www.MailScanner.biz
>> > > MailScanner thanks transtec Computers for their support
>> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> > >
>> > >
>> -- 
>> Denis Beauchemin, analyste
>> Université de Sherbrooke, S.T.I.
>> T: 819.821.8000x2252 F: 819.821.8045
>
>

-- 
____________________________________

Daniel Bird
Network and Systems Manager
Department Of Information Services
St. George's Hospital Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan at sghms.ac.uk
____________________________________

Everything is possible....except skiing through a revolving door




-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
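The three patterns discussed in this thread, applied to a single URI the way a SpamAssassin `uri` rule is, as an added example that is not code from the thread, from MailScanner or from SpamAssassin. It shows why Ken's weatherbug mailto link trips the original IE_VULN rule (the Body parameter carries an encoded CRLF, %0D%0A, and an @ follows it later in the link) while Denis's variant, which needs an http(s):// scheme somewhere before the control code, does not, and it uses urllib to show which host a spoof-shaped URI really points at. All sample URIs other than the weatherbug link are constructed for this example and use reserved example addresses; the weatherbug link is reproduced from the thread with the archive's "at" obfuscation undone.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# The rules from the thread as Python regexes (same patterns, same flags).
# IE_VULN is the custom rule Julian posted, IE_VULN_HTTP is Denis's variant
# that requires an http(s) scheme, HTTP_ESCAPED_HOST is the stock
# SpamAssassin rule quoted at the top of the mail.  Note that neither
# IE_VULN variant is anchored, so "https?://" only has to appear somewhere
# before the encoded control character.
RULES = {
    "IE_VULN": re.compile(r"%([01][0-9a-f]|7f).*@", re.I),
    "IE_VULN_HTTP": re.compile(r"https?://.*%([01][0-9a-f]|7f).*@", re.I),
    "HTTP_ESCAPED_HOST": re.compile(r"^https?://[^/\s]*%[0-9a-fA-F][0-9a-fA-F]"),
}

# Constructed sample URIs (hypothetical hosts; only "weatherbug" is from the
# thread).
SAMPLES = {
    # The shape the rule targets: an encoded control character in the
    # userinfo, so the text before '@' is not the host being contacted.
    "spoof": "http://www.example.com%01@203.0.113.5/login",
    # Percent-escaped host with no userinfo: only the stock rule fires.
    "escaped_host": "https://www%2Eexample%2Ecom/",
    # Long shopping-cart style URI with plenty of %20 but no control codes.
    "shop": "http://shop.example/cart?item=Blue%20Widget%20Large&qty=2",
    # Ken's weatherbug mailto link: %0D%0A (CRLF) followed later by an '@'.
    "weatherbug": (
        "mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission"
        "&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%20share"
        "%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm."
        "%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20with%20your%20photos"
        "%20attached%20to%3A%20community@isabel.weatherbug.com"
    ),
}


def matching_rules(uri: str) -> list:
    """Names of the rules that fire on one URI, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(uri)]


def real_host(uri: str) -> Optional[str]:
    """The host a client actually connects to: the authority after the
    last '@', whatever was displayed in front of it."""
    return urlsplit(uri).hostname


def report() -> dict:
    """Run every sample through the rules; returns {name: rule names}."""
    return {name: matching_rules(uri) for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:13} host={real_host(SAMPLES[name])!s:28} rules={hits}")
```

Running the block prints one line per sample; the spoof URI trips all three rules and resolves to 203.0.113.5, the shopping URI trips none, and the weatherbug link trips only the unanchored IE_VULN rule.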