On Tue, 20 Jun 2017, Alex wrote:
Hi,
We've been receiving empty messages (or what appear to be empty body
messages) delivered to undisclosed-recips and I wanted to figure out
how to block them.
This one wasn't blocked at the time it was received, but somehow is now.
https://pastebin.com/inS6qiiG
I noticed despite there being no actual URI that I can see in the
body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
still hits. Just what does SA consider to be a URI?
meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI
&& !__SMIME_MESSAGE
uri __HAS_ANY_URI /./
Running the message through debug doesn't show me what it considered
to be the URI in this message.
Add this to your test environment:
uri __ALL_URI /.+/
dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"
I don't get that. I also get no URI hits at all on that message.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Your mouse has moved. Your Windows Operating System must be
relicensed due to this hardware change. Please contact Microsoft
to obtain a new activation key. If this hardware change results in
added functionality you may be subject to additional license fees.
Your system will now shut down. Thank you for choosing Microsoft.
-----------------------------------------------------------------------
82 days since the first commercial re-flight of an orbital booster (SpaceX)
