Courier Email ClientSupport forum for the Courier Email Client.
Mission Statement
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Our goal is to become the leading resource for computer users that require assistance with their day-to-day computer usage, including full support for networking PC's, virus & malware removal, system upgrades and general support questions.
It is supposed to catch mail that downloads an image from another server. (An old SPAMmers trick)
However it did not catch a mail with this in the HTML:
<img src=http://waf.ck.chuasash.com/2/>
What am I doing wrong here?
This is the entire rule:
Filter Rule 5:
Created: 14-3-2004 10:58
Last Hit:
Hits: 0
Mode: Incoming
Case: Off
Pattern 1: .+IMG.*SRC=.?.?.?HTTP|\.ASP\?|PHP\?
Objects: Message body
RegExp: On
Action: Move to folder: 'JunkYard'
Mark as read
Assign color marker: 'SPAM'
Delete attachment(s)
Strip HTML
Didn't find the information you thought to find? Check out these Similar Threads
Well... SPAMmers put stuff between legitimate HTML code,
So it could look like this: img <lotsofspammerstuff> scr
And it would not be detected by a filter for just "img scr="
I just conducted an experiment, inserting a comment like so:
img<!--my_comment_here-->src=
and IE wouldn't display the picture. Also tried it with spaces:
img <!--my_comment_here--> src=
and still no picture. Take out the comment and the picture is there. So if you are a spammer and you want your picture to be displayed, you can't bust up the img src= tag with a comment like that. Still and all, you could filter for just "src=" using no regular expression.
However it did not catch a mail with this in the HTML:
<img src=http://waf.ck.chuasash.com/2/>
What is .?.?.? meant to catch - some whitespace perhaps? How about " *" (space, asterisk) - zero or more spaces?
I read the whole expression as:
One or more characters, "IMG", zero or more characters, "SRC=", zero to three more characters, and "HTTP"
or
".ASP?"
or
"PHP?" (may or may not have a leading '.')
Why the match on any ".ASP?" or "PHP?" (any line containing either of those strings)? Not saying it's wrong; I'm just not sure what the second two expressions were meant to accomplish and wondering if says what you intended.
