Hi, On Tue, Jun 20, 2017 at 1:40 PM, John Hardin <jhar...@impsec.org> wrote: > On Tue, 20 Jun 2017, Alex wrote: > >> Hi, >> >> We've been receiving empty messages (or what appear to be empty body >> messages) delivered to undisclosed-recips and I wanted to figure out >> how to block them. >> >> This one wasn't blocked at the time it was received, but somehow is now. >> >> https://pastebin.com/inS6qiiG >> >> I noticed despite there being no actual URI that I can see in the >> body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it >> still hits. Just what does SA consider to be a URI? >> >> meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI >> && !__SMIME_MESSAGE >> uri __HAS_ANY_URI /./ >> >> Running the message through debug doesn't show me what it considered >> to be the URI in this message. > > Add this to your test environment: > > uri __ALL_URI /.+/ > >> dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"
ran uri rule __ALL_URI ======> got hit: "gmail.com" Is it from the From or Message-ID?
