URL rule creation question

2009-09-10 Thread MySQL Student
Hi all, I've seen this pattern in spam quite a bit lately: href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69 .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66. 62.2e.6a.61.7a.65.72.74.2e.68.

Re: URL rule creation question

2009-09-10 Thread Matt Kettler
MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
>
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create

Re: URL rule creation question

2009-09-10 Thread McDonald, Dan
On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
> href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32

JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi, I have several emails that are tagged with RCVD_IN_JMF_W, SPF_SOFTFAIL, and RAZOR2_CHECK such as this one: http://pastebin.com/m4a4d990e Is the criteria for being listed on the JMF_W simply that it contains a domain that is whitelisted, despite whether it contains another URL that is blackli

Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread RW
On Thu, 10 Sep 2009 19:21:16 -0400
MySQL Student wrote:

> Hi,
>
> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>
> http://pastebin.com/m4a4d990e
>
> Is the criteria for being listed on the JMF_W simply that it contains
> a domain

Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi,

>> http://pastebin.com/m4a4d990e
>>
>> Is the criteria for being listed on the JMF_W simply that it contains
>> a domain that is whitelisted, despite whether it contains another URL
>> that is blacklisted?
>
> I'm not sure what you are saying here, it's not as if the people
> running the white

RE: URL rule creation question

2009-09-10 Thread McDonald, Dan
From: Matt Kettler [mailto:mkettler...@verizon.net]
>This rule should detect 10 consecutive occurrences.
>uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10}
>Warning: I wrote this quickly without too much thought. It may have
>bugs, but I'm short on time at the moment.

your variant would requir

Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread RW
On Thu, 10 Sep 2009 21:23:11 -0400
MySQL Student wrote:

> Hi,
>
> >> http://pastebin.com/m4a4d990e
> >>
> >> Is the criteria for being listed on the JMF_W simply that it
> >> contains a domain that is whitelisted, despite whether it contains
> >> another URL that is blacklisted?
> >
> > I'm not