Internet Explorer URL Display problem

Ken Anderson ka at PACIFIC.NET
Tue Dec 16 15:45:22 GMT 2003


Sure enough, these messages are triggering HTTP_ESCAPED_HOST too.

Dec 16 07:19:01 63.162.241.10 MailScanner[1740]: Message hBGFJ4OG011177 
from 218.188.47.114 (verification at paypal.com) to something.com is spam, 
SpamAssassin (score=56.47, required 4, BAYES_30 -0.90, CLICK_BELOW 0.10, 
HTML_IMAGE_ONLY_06 1.44, HTML_LINK_CLICK_HERE 0.10, HTML_MESSAGE 0.10, 
HTTP_ESCAPED_HOST 1.51, IE6_URL_VULN 50.00, MIME_HTML_ONLY 0.32, 
USERPASS 3.81)

Yesterday it was ebay, today they are pretending to be from Paypal.
Tomorrow it will be e-voting in Florida...

Thanks,
Ken A.
Pacific.Net


Daniel Bird wrote:

> Julian Field wrote:
> 
>> This is starting to look awfully familiar. See the SA rule 
>> "HTTP_ESCAPED_HOST" which uses this:
>> /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/
>>
>> Do we want to scrap the custom rule altogether and just increase the 
>> score of http_escaped_host? 
> 
> 
> 
> We've been using that rule for a few days now with a MCP score of 10,
> and I haven't seen any FPs as yet.
> 
> Dan
> 
>>
>>
>> At 21:33 15/12/2003, you wrote:
>>
>>> I also got some false positives with the same regex.  I couldn't figure
>>> out why because the emails contained no %...  they had attached
>>> documents though, coded in base64.
>>>
>>> I changed the regex to: /https?:\/\/.*%([01][0-9a-f]|7f).*@/i
>>>
>>> Denis
>>>
>>> Le lun 15/12/2003 à 13:46, Ken Anderson a écrit :
>>> > Seeing a false positive from a weatherbug spam using this re.
>>> >  > /%([01][0-9a-f]|7f).*@/i
>>> >
>>> > It's coming from this mailto link:
>>> >
>>> > mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission&Body=Step%201%20-%20Safely%20take%20photos%20you%27d%20like%20to%20share%20with%20the%20community%20before%2C%20during%20or%20after%20the%20storm.%0D%0A%0D%0AStep%202%20-%20Send%20this%20email%20with%20your%20photos%20attached%20to%3A%20community@isabel.weatherbug.com
>>> >
>>> > Any ideas?
>>> >
>>> > Thanks,
>>> > Ken A.
>>> > Pacific.Net
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > Julian Field wrote:
>>> >
>>> > > At 17:29 12/12/2003, you wrote:
>>> > >
>>> > >> At 17:09 12/12/2003, you wrote:
>>> > >>
>>> > >>> On Fri, 2003-12-12 at 03:47, Randal, Phil wrote:
>>> > >>> > RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
>>> > >>>
>>> > >>> I only skimmed the spec. But what I gathered, unless I completely
>>> > >>> misunderstood the document, is that characters from %00 through %1F
>>> > >>> inclusive and %7F are control characters and shouldn't be in a URI.
>>> > >>>
>>> > >>>    Although they are disallowed within the URI syntax, we include here a
>>> > >>>    description of those US-ASCII characters that have been excluded and
>>> > >>>    the reasons for their exclusion.
>>> > >>>
>>> > >>>    The control characters in the US-ASCII coded character set are not
>>> > >>>    used within a URI, both because they are non-printable and because
>>> > >>>    they are likely to be misinterpreted by some control mechanisms.
>>> > >>>
>>> > >>>    control     = <US-ASCII coded characters 00-1F and 7F hexadecimal>
>>> > >>>
>>> > >>> So how much trouble would we cause if we just disallowed the entire
>>> > >>> range of control characters from URIs? Can anyone think of a real
>>> > >>> website that legitimately uses any of these control codes within their
>>> > >>> URIs? I'm particularly concerned about shopping sites with their massive
>>> > >>> URIs.
>>> > >>
>>> > >>
>>> > >> Sounds good to me.
>>> > >
>>> > >
>>> > > The pattern for matching this is therefore
>>> > >
>>> > > /%([01][0-9a-f]|7f).*@/i
>>> > >
>>> > > so add this to spam.assassin.prefs.conf:
>>> > >
>>> > > uri     IE_VULN                 /%([01][0-9a-f]|7f).*@/i
>>> > > score   IE_VULN                 100.0
>>> > > describe        IE_VULN         Internet Explorer vulnerability
>>> > >
>>> > > and then restart MailScanner.
>>> > > --
>>> > > Julian Field
>>> > > www.MailScanner.info
>>> > > Professional Support Services at www.MailScanner.biz
>>> > > MailScanner thanks transtec Computers for their support
>>> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>> > >
>>> > >
>>> -- 
>>> Denis Beauchemin, analyste
>>> Université de Sherbrooke, S.T.I.
>>> T: 819.821.8000x2252 F: 819.821.8045
>>
>>
>>
> 
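A worked run of the rules discussed in this thread, added here as an example; it is not code from any of the posters, nor from MailScanner or SpamAssassin. It transcribes the three regexes quoted above (the stock HTTP_ESCAPED_HOST rule, Julian's IE_VULN rule, and Denis's tightened variant) from Perl into Python, evaluates each one per URI as an SA "uri" rule would, and splits the authority the way RFC 2396 defines it ([userinfo@]host[:port]) to show why the text before "%01@" is userinfo and not the host. The sample URIs are constructed: "phish.example" is an invented attacker host, the weatherbug mailto is a shortened copy of the link quoted in the thread with "@" restored where the archive printed " at ", and the benign shop URL is made up.

```python
import re
from urllib.parse import urlsplit

# The three SpamAssassin/MailScanner regexes quoted in the thread, transcribed
# from Perl syntax to Python. Each is applied per URI, as an SA "uri" rule is.
RULES = {
    # stock SA rule: any percent-escape before the first '/' of the authority
    "HTTP_ESCAPED_HOST": re.compile(r"^https?://[^/\s]*%[0-9a-fA-F][0-9a-fA-F]"),
    # Julian's IE_VULN: an escaped control char (00-1F, 7F) followed later by '@'
    "IE_VULN": re.compile(r"%([01][0-9a-f]|7f).*@", re.I),
    # Denis's tightened variant: same test, but only inside http/https URIs
    "IE_VULN_DENIS": re.compile(r"https?://.*%([01][0-9a-f]|7f).*@", re.I),
}

# RFC 2396 'control' = US-ASCII 00-1F and 7F, as they appear percent-encoded.
CONTROL_ESCAPE = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")

# Constructed sample URIs (not taken from any real message).
SAMPLES = {
    # a spoof of the kind the thread is about; 'phish.example' is invented
    "spoof": "http://www.paypal.com%01@phish.example/cgi-bin/webscr?cmd=login",
    # shortened form of the weatherbug mailto quoted in the thread, with '@'
    # restored; the CRLFs (%0D%0A) in Body= are what trips IE_VULN
    "weatherbug": (
        "mailto:community@isabel.weatherbug.com?Subject=Photo%20Submission"
        "&Body=Step%201%20-%20Safely%20take%20photos%0D%0A%0D%0A"
        "Step%202%20-%20Send%20this%20email%20to%3A%20community@isabel.weatherbug.com"
    ),
    # an ordinary URL with an escaped space in the query string and no userinfo
    "benign": "https://shop.example/search?q=red%20shoes&page=2",
}


def match_rules(uri):
    """Return {rule_name: hit?} for one URI, mirroring per-URI rule evaluation."""
    return {name: rx.search(uri) is not None for name, rx in RULES.items()}


def control_escapes(uri):
    """All percent-escapes in the URI that decode to RFC 2396 control characters."""
    return CONTROL_ESCAPE.findall(uri)


def authority_view(uri):
    """Split the authority as RFC 2396 does: [userinfo@]host[:port].

    The host is whatever follows the last '@' in the authority; anything
    before it is userinfo. If the userinfo contains an escaped control
    character, 'shown_host' is the text before it, i.e. what a display that
    stops rendering at the control character would present as the site.
    """
    parts = urlsplit(uri)
    real_host = parts.hostname        # None for mailto: (no '//' authority)
    userinfo = parts.username or ""   # urlsplit puts the pre-'@' text here
    shown_host = None
    m = CONTROL_ESCAPE.search(userinfo)
    if m:
        shown_host = userinfo[:m.start()]
    return {
        "real_host": real_host,
        "userinfo": userinfo,
        "shown_host": shown_host,
        "spoof_suspect": bool(shown_host) and shown_host != real_host,
    }


if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(f"== {label}")
        print("  rules:    ", match_rules(uri))
        print("  controls: ", control_escapes(uri))
        print("  authority:", authority_view(uri))
```

Running it reproduces the thread's observations: the spoof trips all three rules and the authority split shows the real host is phish.example while the text before %01 is www.paypal.com; the weatherbug mailto trips only IE_VULN, because its `.*@` runs across the whole URI and pairs the %0D%0A in the Body= parameter with the address at the end, while Denis's variant skips it by requiring an http(s) scheme; the benign URL trips nothing, since HTTP_ESCAPED_HOST only looks at the authority (before the first "/") and %20 is not in the control range.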
