header_checks UTF8 discard


header_checks UTF8 discard

Emanuel

Hello,

I created this rule to block a phishing attempt:

/^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/                DISCARD

but it does not work.

Any ideas?

Regards,

--
envialosimple.com
Emanuel Gonzalez
IT / Departamento Emails
[hidden email]
www.envialosimple.com
by donweb

Confidentiality note: This message and the files attached to it are confidential and intended exclusively for its addressee. Disclosure and/or use of it without authorisation from DonWeb.com is prohibited.
DonWeb.com is not responsible for the message if it has been forged and/or altered.
If you are not its addressee and have received it by mistake, please notify the sender and delete it from your system.
Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com.
DonWeb.com shall not be liable for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
Confidentiality Note: This message and any attachments may contain confidential or privileged data.
If you have received them by mistake or are not one of the addressees to whom it was sent, please destroy it and all of its attachments or copies immediately.
Retention, distribution, disclosure or use of any information contained herein is prohibited.
Please inform us of the improper receipt of this message by returning it to the author.


Re: header_checks UTF8 discard

Viktor Dukhovni


> On Mar 23, 2018, at 8:29 AM, Emanuel <[hidden email]> wrote:
>
> Hello,
>
> I created this rule to block a phishing attempt:
>
> /^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/                DISCARD
>
> but it does not work.
>
> Any ideas?

The "?" character is a meta-character in regular expressions, meaning: "zero or one of".
To represent a literal "?" use "\?" or "[?]", whichever you find more readable.

--
        Viktor.


Re: header_checks UTF8 discard

Emanuel

With quotes? I changed the rule with \ and [] but it does not work.


On 23/03/18 at 11:24, Viktor Dukhovni wrote:

>> On Mar 23, 2018, at 8:29 AM, Emanuel [hidden email] wrote:
>>
>> Hello,
>>
>> I created this rule to block a phishing attempt:
>>
>> /^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/                DISCARD
>>
>> but it does not work.
>>
>> Any ideas?
> The "?" character is a meta-character in regular expressions, meaning: "zero or one of".
> To represent a literal "?" use "\?" or "[?]", whichever you find more readable.



Re: header_checks UTF8 discard

Viktor Dukhovni


> On Mar 23, 2018, at 12:12 PM, Emanuel <[hidden email]> wrote:
> El 23/03/18 a las 11:24, Viktor Dukhovni escribió:
>>> On Mar 23, 2018, at 8:29 AM, Emanuel <[hidden email]>
>>>  wrote:
>>>
>>> Hello,
>>>
>>> I created this rule to block a phishing attempt:
>>>
>>> /^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/                DISCARD
>>>
>>> but it does not work.
>>>
>>> Any ideas?
>>>
>> The "?" character is a meta-character in regular expressions, meaning: "zero or one of".
>> To represent a literal "?" use "\?" or "[?]", whichever you find more readable.
>
> With quotes? I changed the rule with \ and [] but it does not work.

No quotes.  You really should have posted the modified version.

Are you sure the subject in the message is encoded exactly as
you expect?  How are you testing this?

You might also change the space after "Subject:" to match
any amount of whitespace, not just a single space.  And of
course you do need to check that the subject in question
is actually exactly what comes in.

When matching base64 data keep in mind that it is case-
sensitive, and false-positives are possible (if unlikely)
when doing case-insensitive matching.  So you should match
the base64 payload in a case-sensitive manner.  Therefore:

  /^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD

in which (?-i:sub-pattern) turns off case-insensitive matching for
the sub-pattern.

For example:

  $ postmap -q "Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=" pcre:<(printf '%s\n' '/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD')
  DISCARD
  $

  $ postmap -q "Subject: =?UTF-8?B?u3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=" pcre:<(printf '%s\n' '/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD')
  $

  $ postmap -q "sUbJeCt: =?utf-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=" pcre:<(printf '%s\n' '/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD')
  DISCARD
  $

--
        Viktor.
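The escaping and case-sensitivity points above, worked through as an added example that is not code from the thread or from Postfix: a small Python stand-in for a pcre: header_checks lookup, assuming Postfix's default case-insensitive matching and the '/pattern/ ACTION' line format, run against the original rule and the corrected one.

```python
"""Mimics how Postfix evaluates a pcre: header_checks table so the rules in
this thread can be tested without a Postfix install (added example, not part
of the original posts). Assumed: pcre tables match case-insensitively by
default, and each table line has the form '/pattern/ ACTION'."""
import base64
import re

# The original rule and Viktor's corrected rule, as posted in the thread.
ORIGINAL_RULE = r"/^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/ DISCARD"
FIXED_RULE = r"/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD"

_RULE_RE = re.compile(r"^/(.*)/\s+(\S+)\s*$")


def parse_table(text):
    """Turn '/pattern/ ACTION' lines into (compiled regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError("bad rule: " + line)
        # IGNORECASE mirrors Postfix's default; (?-i:...) overrides it locally.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(rules, header_line):
    """Return the first matching rule's action, as 'postmap -q' would, else None."""
    for pattern, action in rules:
        if pattern.search(header_line):
            return action
    return None


def decode_encoded_word(word):
    """Decode an RFC 2047 base64 encoded word '=?charset?B?data?=' to text."""
    m = re.fullmatch(r"=\?([^?]+)\?B\?([^?]*)\?=", word, re.IGNORECASE)
    if m is None:
        raise ValueError("not a base64 encoded word: " + word)
    return base64.b64decode(m.group(2)).decode(m.group(1))


if __name__ == "__main__":
    subject = "Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?="
    print(decode_encoded_word(subject.split(" ", 1)[1]))
    print(lookup(parse_table(ORIGINAL_RULE), subject))  # None: each '?' only made the preceding char optional
    print(lookup(parse_table(FIXED_RULE), subject))     # DISCARD
```

Decoding the encoded word first is a quick way to confirm the rule targets the subject you think it does before deploying it.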