Hello,

I create this rule to block phishing intent

/^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/ DISCARD

but not work

any ideas?

Regards,
--

> On Mar 23, 2018, at 8:29 AM, Emanuel <[hidden email]> wrote:
>
> Hello,
>
> I create this rule to block phishing intent
>
> /^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/ DISCARD
>
> but not work
>
> any ideas?

The "?" character is a meta-character in regular expressions, meaning: "zero or one of".
To represent literal "?" use "\?" or "[?]" whichever you find more readable.

--
Viktor.

with quotes? I change the rule with \ and [] but not work.

On 23/03/18 at 11:24, Viktor Dukhovni wrote:
>> On Mar 23, 2018, at 8:29 AM, Emanuel [hidden email] wrote:
>>
>> Hello,
>>
>> I create this rule to block phishing intent
>>
>> /^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/ DISCARD
>>
>> but not work
>>
>> any ideas?
>
> The "?" character is a meta-character in regular expressions, meaning: "zero or one of".
> To represent literal "?" use "\?" or "[?]" whichever you find more readable.
>
> --

> On Mar 23, 2018, at 12:12 PM, Emanuel <[hidden email]> wrote:
> On 23/03/18 at 11:24, Viktor Dukhovni wrote:
>>> On Mar 23, 2018, at 8:29 AM, Emanuel <[hidden email]>
>>> wrote:
>>>
>>> Hello,
>>>
>>> I create this rule to block phishing intent
>>>
>>> /^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/ DISCARD
>>>
>>> but not work
>>>
>>> any ideas?
>>>
>> The "?" character is a meta-character in regular expressions, meaning: "zero or one of".
>> To represent literal "?" use "\?" or "[?]" whichever you find more readable.
>
> with quotes? I change the rule with \ and [] but not work.

No quotes. You really should have posted the modified version.
Are you sure the subject in the message is encoded exactly as
you expect? How are you testing this?

You might also change the space after "Subject:" to match any
amount of whitespace, not just a single space. And of course
you do need to check that the subject in question is actually
exactly what comes in.

When matching base64 data keep in mind that it is case-sensitive,
and false-positives are possible (if unlikely) when doing
case-insensitive matching. So you should match the base64
payload in a case-sensitive manner. Therefore:

    /^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD

in which (?-i:sub-pattern) turns off case-insensitive matching
for the sub-pattern.

For example:

    $ postmap -q "Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=" pcre:<(printf '%s\n' '/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD')
    DISCARD
    $
    $ postmap -q "Subject: =?UTF-8?B?u3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=" pcre:<(printf '%s\n' '/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD')
    $
    $ postmap -q "sUbJeCt: =?utf-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=" pcre:<(printf '%s\n' '/^Subject:[ \t]*=\?UTF-8\?B\?(?-i:U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u)\?=/ DISCARD')
    DISCARD
    $

--
Viktor.
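
Added example, not part of the thread and not Postfix code: a Python sketch that builds the escaped rule from a raw header line, checks it against the three headers queried above, and decodes the subject so the operator can see what the rule targets. Python's `re` stands in for the PCRE table, with case-insensitive matching applied as the default (which the third `postmap` query shows); the helper names are hypothetical and a single encoded-word per header is assumed.

```python
import re
from email.header import decode_header, make_header

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")
# Header line and the rule as first posted, both copied from the thread.
SAMPLE = "Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?="
UNESCAPED_RULE = "/^" + SAMPLE + "/ DISCARD"


def _escape(text):
    """Backslash-escape regex metacharacters and the "/" rule delimiter."""
    return re.sub(r"([\\^$.|?*+()\[\]{}/])", r"\\\1", text)


def build_rule(header_line, action="DISCARD"):
    """Build a header_checks rule from a raw header holding one encoded-word."""
    name, _, value = header_line.partition(":")
    found = ENCODED_WORD.search(value)
    if found is None:
        raise ValueError("no RFC 2047 encoded-word in the header value")
    charset, encoding, payload = (_escape(part) for part in found.groups())
    # Only the payload is wrapped in (?-i:...): base64 is case-sensitive,
    # while the header name, charset and encoding letter are not.
    return (f"/^{_escape(name)}:[ \\t]*=\\?{charset}\\?{encoding}\\?"
            f"(?-i:{payload})\\?=/ {action}")


def rule_matches(rule, header_line):
    """Emulate the lookup with case-insensitive matching as the table default."""
    pattern = rule[1:rule.rindex("/")]
    return re.search(pattern, header_line, re.IGNORECASE) is not None


def decoded_subject(header_line):
    """Decode the header value to show the text the rule is aimed at."""
    value = header_line.partition(":")[2].strip()
    return str(make_header(decode_header(value)))


if __name__ == "__main__":
    rule = build_rule(SAMPLE)
    print(rule)
    print("decoded subject:", decoded_subject(SAMPLE))
    for header in (SAMPLE, SAMPLE.replace("B?U3U", "B?u3U"), "sUbJeCt:\t" + SAMPLE[9:]):
        print(rule_matches(rule, header), header)
    print("unescaped rule matches:", rule_matches(UNESCAPED_RULE, SAMPLE))
```

The generated rule is still best confirmed with `postmap -q` against the real PCRE table before it goes into `header_checks`.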