
BombRe and ScriptRe

From ASSPSMTP


The Bomb Regular Expression list (bombRe) and the Script Regular Expression list (scriptRe) are the two primary Regular Expression blocking mechanisms in ASSP. If there is a match to either of these Regular Expressions while they are enabled for use, the message will be blocked from delivery to the recipient. Both can be very powerful mechanisms for rejecting spam, but they can also be very problematic by causing false-positive matches and mistakenly blocking email if they are not used with care.

  • Updates to Regular Expressions are indicated per section.

Understanding the Concept

The bombRe and the scriptRe are actually a split of the same functionality, which was originally just a single bomb list. This bomb list was split so that each Regular Expression can recognize unacceptable word matches, HTML, and other embedded code separately - in order to respond with separate SMTP error codes depending on what was actually matched. This allows you to sternly reject with the bombRe, while providing a more verbose and user-friendly response to a scriptRe rejection. A user-friendly response can be appropriate because it is a common mistake for legitimate senders to accidentally embed HTML or other script code which could be dangerous to the recipient. This is typically an innocent mistake based on the email client used, as well as other factors (frequently involving Microsoft products embedding data that is obscured from the view and knowledge of the sender). It is generally in your best interest to inform these senders so that they have the opportunity to correct the issue.

bombRe Recommendations

The following recommendations have been formatted with the intent that they be used in a Regular Expression text file.

Standards Violations

These are violations of standards established for SMTP encoded communications...

\0#                                                             ASCII-0 character (MIME violation)

Phishing, Banking and Purchase Fraud

These are commonly occurring fraud and phishing attempts, posing as banks, credit bureaus, eBay, PayPal, security departments, and credit unions...

  • <YOUR_ORG> should be replaced with an example of how your organization is commonly spoofed.
(bank|credit|ebay|pal|security|union|<YOUR_ORG>) (antivirus|support|team)#                                                                  phishing
(bank|credit|ebay|pal|security|union).*?(account|) ?activity ((in|on|with) your (account|identity|record))#                                 phishing
(bank|credit|ebay|pal|security|union).*?(activate|authorize|confirm|verify) (the|your) (account|authenticity|identity|information|records)# phishing
(bank|credit|ebay|pal|security|union).*?(close|update) (and verify |)your (account|information)#                                            phishing
(bank|credit|ebay|pal|security|union).*?(could be|has|info(rmation|) is|may have|was|will be) (be|been|) ?(temporar(ily|ly|y)|used for|will|) ?(be|been|) ?(accessed|deactivated|deleted from|fraudulent|limit(ed|)|locked|reviewed for|security|suspen(ded|sion)|verif(ied|y)|violated)# phishing
(bank|credit|ebay|pal|security|union).*?(flagged|limit(ed|)|suspend(ed|)|unverified) (your |).*?account(?!s| executive)#                    phishing
(bank|credit|ebay|pal|security|union).*?confirm(ation|) (now|on|of) (customer(s|)|your) (data|information)#                                 phishing
(bank|credit|ebay|pal|security|union).*?result in account (deletion|erasure|removal|suspension)#                                            phishing
(africa|asia|europe|ghana|ivo(ire|ry)|kuwait|nigeria).*?(confidential|deposit)#                                                             phishing - foreign scam
(from|to): ?.?(admin|department|mail|office|post)@(fbi|cia)\.gov#                                                                           phishing - FBI/CIA spam
paypa(1|i|\|)( |\.)#                                                                                                                        phishing - PayPal spoofed name
(you\'ve|youve|you.have).(just.)received.a.(postcard|greeting|ecard)#                                                                       e-card spam
sent.you.(a|an).(postcard|greeting|ecard)#                                                                                                  e-card spam

Variant Spellings of Drugs, Stocks, and related

These have been specially crafted to catch letter variants, spacing and letter duplication...

\bC+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?[L!|1]+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?S\b#                                          CIALIS
\b[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[L!|1]+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?R+\s?\S?\s?\W?G+\s?\S?\s?\W?[E3\xE8-\xEB]\b#                         ENLARGE
\b[E3\xE8-\xEB]+\s?\S?\s?\W?R+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?C+\s?\S?\s?\W?T+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[O0\xF2-\xF6]+\s?\S?\s?\W?(?:\/\|\/|N)\b# ERECTION
\bH+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?R+\s?\S?\s?\W?B+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?[L!|1]\b#                                                              HERBAL
\bH+\s?\S?\s?\W?[O0\xF2-\xF6]+\s?\S?\s?\W?[O0\xF2-\xF6]+\s?\S?\s?\W?D+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[A4\xE0-\xE6@]#                                          HOODIA
\bP+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[S$5]\b#                                                               PENIS
\bP+\s?\S?\s?\W?H+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?R+\s?\S?\s?\W?M+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?C#                                                      PHARMAC... Y, EUTICAL, etc...
\bR+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?F+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[L!|1]+\s?\S?\s?\W?[L!|1]\b#                                                      REFILL
\bR+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?P+\s?\S?\s?\W?[L!|1]+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?C+\s?\S?\s?\W?[A4\xE0-\xE6@]\b#                                REPLICA
\bR+\s?\S?\s?\W?[O0\xF2-\xF6]+\s?\S?\s?\W?[L!|1]+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?X\b#                                                                             ROLEX
\b[S$5]+\s?\S?\s?\W?P+\s?\S?\s?\W?[U\xB5\xF9-\xFC]+\s?\S?\s?\W?R+\s?\S?\s?\W?M#                                                                                         SPURM
\b[U\xB5\xF9-\xFC]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?(?:\\\/|V)+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?R+\s?\S?\s?\W?[S$5]+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?T+\s?\S?\s?\W?Y\b.*?\bD+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?G+\s?\S?\s?\W?R+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?[E3\xE8-\xEB]\b# UNIVERSITY followed anywhere by DEGREE
\b(?:\\\/|V)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?G+\s?\S?\s?\W?R+\s?\S?\s?\W?[A4\xE0-\xE6@]\b#                                         VIAGRA
\b(?:\\\/\\\/|\/|W)+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?T+\s?\S?\s?\W?C+\s?\S?\s?\W?H+\s?\S?\s?\W?[E3\xE8-\xEB]+\s?\S?\s?\W?[S$5]\b#                                 WATCHES
\bX+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?(?:\/\|\/|N)+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?X\b#                                                                     XANAX
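The following is an added Python example, not part of this page or of ASSP itself. It loads a handful of the bombRe rules above in the layout used on this page (expression, padding, `#`, comment; the assumption that the first unescaped `#` ends the expression is this example's, as is the assumption that the list is applied case-insensitively) and runs them over constructed sample messages. It shows a true hit on a phishing text and on a variant spelling, and also the false-positive mode the introduction warns about: an ordinary notice from a bank mentioning a "limit on your account" trips the same phishing rule.

```python
import re

# Constructed excerpt of the bombRe recommendations, in the layout this page uses.
# Parsing rule (first unescaped '#' ends the expression) and case-insensitive matching
# are assumptions of this example; check them against the ASSP build you run.
BOMBRE_EXCERPT = r"""
\0#                                        ASCII-0 character (MIME violation)
(bank|credit|ebay|pal|security|union).*?(activate|authorize|confirm|verify) (the|your) (account|authenticity|identity|information|records)# phishing
(bank|credit|ebay|pal|security|union).*?(flagged|limit(ed|)|suspend(ed|)|unverified) (your |).*?account(?!s| executive)# phishing
\b(?:\\\/|V)+\s?\S?\s?\W?[I1!|lt\xEC-\xEF]+\s?\S?\s?\W?[A4\xE0-\xE6@]+\s?\S?\s?\W?G+\s?\S?\s?\W?R+\s?\S?\s?\W?[A4\xE0-\xE6@]\b# VIAGRA
"""


def load_rules(text):
    """Return a list of (compiled_regex, comment) from the page's rule layout."""
    rules = []
    for line in text.splitlines():
        parts = re.split(r"(?<!\\)#", line, maxsplit=1)  # split at first unescaped '#'
        expr = parts[0].rstrip()
        comment = parts[1].strip() if len(parts) > 1 else ""
        if not expr:
            continue
        rules.append((re.compile(expr, re.IGNORECASE), comment))
    return rules


def scan(message, rules):
    """Return the comment of every rule that fires; an empty list means the message passes."""
    return [comment for rx, comment in rules if rx.search(message)]


# Constructed sample bodies (not real mail).
SAMPLES = {
    "phish": "Dear eBay member, please verify your account details within 24 hours.",
    "pill_spam": "Cheap V1AGRA shipped overnight, no prescription needed.",
    "legit_bank": "Your bank has raised the daily withdrawal limit on your account.",  # false positive
    "clean": "Minutes from Tuesday's project meeting are attached.",
    "null_byte": "Hello\x00world",  # embedded ASCII-0, the MIME violation rule
}


def report(samples, rules):
    """Map each sample name to the list of rule comments that fired on it."""
    return {name: scan(body, rules) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in report(SAMPLES, load_rules(BOMBRE_EXCERPT)).items():
        print(f"{name:11s} -> {'BLOCK: ' + ', '.join(hits) if hits else 'pass'}")
```

The `legit_bank` line is the one to look at when tuning: the rule needs only a bank keyword, the word "limit", and "account" somewhere after it, which a genuine statement satisfies as easily as a phish. Running candidate rules this way over a corpus of known-good mail before enabling them is cheap insurance.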

Updated by: ME2 12:22, 26 August 2006 (MDT)

scriptRe Recommendations

The following recommendations have been formatted with the intent that they be used in a Regular Expression text file.

Standards Violations

These are violations of standards established for HTML encoded communications...

\w<[a-z0-9]+[abcdfghjklmnpqrstuvwxyz0-9]{4}[a-z0-9]*>#          Invalid Tag (HTML violation)

HTML Elements

These are HTML elements that are commonly used to obfuscate displayed information or execute exploits...

<APPLET#                                                        Java Applet Element
<EMBED#                                                         Embedded Object Element
<FRAME#                                                         Framed Subwindow Element
<IFRAME#                                                        Inline Subwindow Element
<OBJECT#                                                        Embedded Object Element
<SCRIPT#                                                        Script Element

HTML Tag Contents

These are HTML tag contents that are commonly used to execute exploits...

JAVA\/\*\*\/SCRIPT:#                                            XSS-exploit Javascript Element
JAVASCRIPT:#                                                    Javascript Element

HTML Body Components

These are HTML body components that are typically indicative of spam, especially if not coming from a known (whitelisted) sender...

<BODY[^>]*>(<[^>]+>|\n|\r)*<IMG[^>]+>(<[^>]+>|\n|\r)*</BODY>#   spam - Embedded graphic only in message body
:\/\/(.){0,72}\/([ .]+|(%20)+)\/#                               Hyperlink segment to obfuscated directory
(<BR>){10}#                                                     10 line breaks
(\/REDIR\?|\/URL\?)#                                            Phishing - URL forwarding obfuscation
FONT.SIZE[:=][" ][1-7](|px)[";]#                                spam - font size between 1 and 7
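The following is an added Python example, not part of this page or of ASSP. It takes several of the scriptRe rules above verbatim and runs them over constructed HTML bodies to show which kinds of content each one catches: random tags spliced into words, a hidden inline frame, an image-only body, and also two of the innocent-looking cases the introduction mentions, a `javascript:void(0)` link left in by a template and a plain `<font size="3">` tag (every legal value of that attribute falls inside 1-7, so the last rule fires on all of them). Case-insensitive matching is an assumption of this example.

```python
import re

# Rules copied from the scriptRe recommendations above, paired with their comments.
# Case-insensitive matching is an assumption of this example (the list writes <IFRAME
# while real mail uses lowercase tags, so it is only useful with /i).
SCRIPTRE_EXCERPT = [
    (r"\w<[a-z0-9]+[abcdfghjklmnpqrstuvwxyz0-9]{4}[a-z0-9]*>", "Invalid Tag (HTML violation)"),
    (r"<IFRAME", "Inline Subwindow Element"),
    (r"<SCRIPT", "Script Element"),
    (r"JAVASCRIPT:", "Javascript Element"),
    (r"<BODY[^>]*>(<[^>]+>|\n|\r)*<IMG[^>]+>(<[^>]+>|\n|\r)*</BODY>",
     "spam - Embedded graphic only in message body"),
    (r"(<BR>){10}", "10 line breaks"),
    (r'FONT.SIZE[:=][" ][1-7](|px)[";]', "spam - font size between 1 and 7"),
]
RULES = [(re.compile(expr, re.IGNORECASE), comment) for expr, comment in SCRIPTRE_EXCERPT]


def scan_html(body, rules=RULES):
    """Return the comment of every scriptRe rule that fires on an HTML body."""
    return [comment for rx, comment in rules if rx.search(body)]


# Constructed HTML bodies (not real mail); example.invalid is a reserved test domain.
SAMPLES = {
    "image_only": '<html><body>\n<center><img src="http://example.invalid/p.gif"></center>\n</body></html>',
    "newsletter": '<html><body>\n<p>Hi Sam, here is the agenda.</p>\n<img src="http://example.invalid/logo.gif">\n</body></html>',
    "framed": '<html><body>Invoice attached<iframe src="http://example.invalid/x" width=1 height=1></iframe></body></html>',
    "tag_noise": "Get your deg<xkqzv>ree today",
    "template_link": '<html><body><p>Track your order</p><a href="javascript:void(0)">Click here</a></body></html>',
    "legacy_font": '<font size="3">Meeting moved to 3pm</font>',
    "br_padding": "<br>" * 10,
}


def report(samples=SAMPLES):
    """Map each sample name to the rule comments that fired on it."""
    return {name: scan_html(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:14s} -> {'BLOCK: ' + ', '.join(hits) if hits else 'pass'}")
```

Note that the body rule only fires when nothing but tags and line breaks sits between `<body>` and `</body>`; the `newsletter` sample, which has a paragraph of text before its image, passes. The `template_link` and `legacy_font` cases are the ones that justify the friendlier SMTP response the scriptRe gives: the sender usually has no idea the markup is there.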

Updated by: ME2 17:20, 02 October 2006 (EDT)

Log Entry Examples

BombRe

Oct-23-06 03:22:37 1.2.3.4  <sender@domain.tld> to: recipient@domain.tld Bomb:logging: BombRegEx: 'STRING MATCHED SHOWS HERE' 
Oct-23-06 03:22:37 1.2.3.4  <sender@domain.tld> to: recipient@domain.tld Bomb:scoring + 50 BombRegEx: 'STRING MATCHED SHOWS HERE' 

TestRe

Oct-23-06 03:22:37 1.2.3.4 <sender@domain.tld> to: recipient@domain.tld Regex:Test: TestRegEx: 'STRING MATCHED SHOWS HERE'

No Processing Re

Oct-23-06 03:22:37 1.2.3.4 <sender@domain.tld> to: recipient@domain.tld Regex:Noprocessing 'STRING MATCHED SHOWS HERE'

Red Re

Oct-23-06 03:22:37 1.2.3.4 <sender@domain.tld> to: recipient@domain.tld Regex:Red 'STRING MATCHED SHOWS HERE'
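The following is an added Python example, not part of this page or of ASSP. It parses log lines in the layout shown above (the sample lines are constructed in that layout and the field pattern is an assumption of this example) and tallies which matched strings fire most often and from how many distinct senders. That tally is the practical feedback loop for the false-positive warning at the top of the page: a string that fires repeatedly from senders you recognise is a rule to loosen, and TestRe lines let you measure that before a rule is allowed to block.

```python
import re
from collections import Counter

# Constructed log lines in the layout shown above (not real ASSP output).
SAMPLE_LOG = """\
Oct-23-06 03:22:37 1.2.3.4  <sender@domain.tld> to: recipient@domain.tld Bomb:logging: BombRegEx: 'verify your account'
Oct-23-06 03:22:41 1.2.3.4  <sender@domain.tld> to: recipient@domain.tld Bomb:scoring + 50 BombRegEx: 'verify your account'
Oct-23-06 03:25:10 5.6.7.8  <news@domain.tld> to: recipient@domain.tld Bomb:scoring + 50 BombRegEx: 'limit on your account'
Oct-23-06 03:26:02 5.6.7.8 <news@domain.tld> to: other@domain.tld Regex:Test: TestRegEx: 'limit on your account'
Oct-23-06 03:27:55 9.9.9.9 <ok@domain.tld> to: recipient@domain.tld Regex:Noprocessing 'internal-ticket'
Oct-23-06 03:28:13 1.2.3.4 <sender@domain.tld> to: recipient@domain.tld Regex:Red 'V1AGRA'
this line is not an ASSP regex entry
"""

# Field layout assumed from the examples above: date, time, ip, <sender>, "to:" recipient,
# a mode token such as Bomb:logging: or Regex:Red, an optional "+ score", an optional
# "<Name>RegEx:" list marker, and the quoted matched string.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+)\s+<(?P<sender>[^>]*)> to: (?P<rcpt>\S+) "
    r"(?P<mode>\S+)(?: \+ (?P<score>\d+))?(?: (?P<list>\w+RegEx):)? '(?P<matched>.*)'\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a regex entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["score"] = int(entry["score"]) if entry["score"] else None
    return entry


def parse_log(text):
    """Parse every recognisable line of a log excerpt, silently skipping the rest."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def tally_matches(entries, enforcing_only=False):
    """Count hits per matched string; enforcing_only drops Regex:Test (dry-run) lines."""
    counts = Counter()
    for e in entries:
        if enforcing_only and e["mode"].startswith("Regex:Test"):
            continue
        counts[e["matched"]] += 1
    return counts


def senders_per_match(entries):
    """Map each matched string to the set of senders it fired on (false-positive triage)."""
    out = {}
    for e in entries:
        out.setdefault(e["matched"], set()).add(e["sender"])
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    senders = senders_per_match(entries)
    for matched, n in tally_matches(entries).most_common():
        print(f"{n:3d}  {matched!r:28s} senders: {', '.join(sorted(senders[matched]))}")
```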

Disclaimer

While these should be applicable in any environment, always test your configuration and requirements thoroughly before implementing this feature in a live environment, as a precaution against data loss.

Warning: Large RegEx may cause a high CPU Load, especially while checking larger mails (or attachments).
