Using regular expressions to filter HTML Comment Tags in Symantec Mail Security 5.0 for SMTP

Article:TECH84723  |  Created: 2006-01-07  |  Updated: 2010-08-25  |  Article URL http://www.symantec.com/docs/TECH84723
Article Type
Technical Solution

Environment

Issue



Symantec Mail Security 5.0 for SMTP is not blocking spam email. When you examine the email that passes through the filter, you notice that it contains HTML tags. One technique spammers use to get spam past filters is to insert HTML comment tags between the letters of words that would normally trigger an action. This defeats the simple word matching that most scanners perform. To counter it, use regular expressions when scanning email for spam.



Solution



Due to the complexity of regular expressions, Symantec Technical Support does not have the resources to troubleshoot compliance rules that use regular expressions. The following steps are unsupported and are provided for your convenience.



Before you begin:

  • Make sure that the user name with which you logged in is a member of the Symantec Mail Security for SMTP Admins security group.
  • Symantec Mail Security 5.0 for SMTP cannot open password-protected archives or archives that use encryption.
  • Archive files that use an incorrect extension do not open properly.


To filter spam that uses HTML Comment Tags, create a regular expression rule that searches mail for instances of HTML comments. You can accomplish this in one of two ways.

Block every email that contains HTML Comment Tags
The advantage to this method is the ease of implementation. However, this method could have a high false-positive rate. The following is the format for creating an expression to block every email containing an HTML Comment Tag:

"<!-- Converted from text/plain format -->"



Note: Testing revealed that some email client software tags valid email with HTML comments.




Create a compliance policy that contains every spam word to be blocked, with the regular expression pasted between each letter
The advantage of this technique is its accuracy and low number of false positives. The disadvantage is the unwieldy implementation: the regular expression must be pasted between every letter of each word, and each word needs a separate condition. The following steps show how to implement this solution:

To configure Symantec Mail Security 5.0 for SMTP to block spam which uses HTML tags, you must:

  • Create a compliance filtering policy which filters for specific terms as specified within the policy itself.
  • Test the rule.


To create a filtering rule

  1. In the Symantec Mail Security 5.0 for SMTP user interface, on the Policies tab, click Compliance.
  2. Click Add.
  3. In the Policy name text field, type:
    Block HTML tags with regular expressions
  4. Under Apply to, select Inbound messages.
  5. Under Apply to the following policy groups, check Groups to select all groups.
  6. Under If the following conditions are met, select Body.
  7. Click the matches regular expression button.
  8. In the box beside matches regular expression, type the word you seek to check for HTML Comment tags.
  9. Paste the following regular expression between each letter of the word you are checking for HTML Comment Tags:

    "(<!--[^>]*>(.*?)<[^>]*-->)*"

    For example, if your compliance policy contains the word quack, the condition becomes:

    q(<!--[^>]*>(.*?)<[^>]*-->)*u(<!--[^>]*>(.*?)<[^>]*-->)*a(<!--[^>]*>(.*?)<[^>]*-->)*c(<!--[^>]*>(.*?)<[^>]*-->)*k


    Note: Bolding of letters for emphasis only. You do not need to bold the letters when creating your compliance policy.

  10. Click Add Condition.
  11. Repeat steps 6 through 10 for each additional word you seek to check for HTML Comment tags.
  12. Under Perform the following action, select Hold message in Spam Quarantine.
  13. Click Save.
    Email containing either of the words 'quack' or 'squack' is now blocked, whether or not HTML comments are inserted between the letters.
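The pattern-assembly step above, as an added check that is not part of the Symantec article: it builds the step 9 condition for a word and runs it against a few constructed message bodies using Python's re module (whose behaviour may differ in detail from the product's regular expression engine). It also contrasts the per-letter rule with a blanket any-comment check for the first method; that blanket pattern is an assumed generic one, not the expression printed in the article.

```python
import re

# Fragment from step 9 of the article; it is pasted between every letter of a word.
COMMENT_FRAGMENT = r"(<!--[^>]*>(.*?)<[^>]*-->)*"


def interleave(word: str, fragment: str = COMMENT_FRAGMENT) -> str:
    """Build the compliance condition: the fragment between each pair of letters."""
    return fragment.join(re.escape(ch) for ch in word)


def matches_word(body: str, word: str) -> bool:
    """True if the body contains the word, with or without comment tags between its letters."""
    return re.search(interleave(word), body) is not None


def any_comment(body: str) -> bool:
    """The blanket first method: flag any body that carries an HTML comment at all.
    The pattern is an assumed generic one, not the expression printed in the article."""
    return re.search(r"<!--.*?-->", body, re.DOTALL) is not None


# Constructed sample bodies (not taken from the article or from real mail).
PLAIN = "<p>Buy quack now</p>"
PAIRED = "<p>q<!--zx><k8-->u<!--r1><p2-->ack</p>"   # two comment tags per gap
SINGLE = "<p>q<!-- x -->u<!-- y -->ack</p>"          # one comment tag per gap
LEGIT = "<!-- Converted from text/plain format -->\n<p>Meeting at noon</p>"


def run_checks() -> dict:
    """Evaluate both methods over the samples: name -> (word_rule_hit, any_comment_hit)."""
    samples = {"plain": PLAIN, "paired": PAIRED, "single": SINGLE, "legit": LEGIT}
    return {name: (matches_word(body, "quack"), any_comment(body))
            for name, body in samples.items()}


if __name__ == "__main__":
    print(interleave("quack"))
    for name, (word_hit, comment_hit) in run_checks().items():
        print(f"{name:7} word rule: {word_hit!s:5} any-comment rule: {comment_hit}")
```

The checks show the trade-off the article describes: the blanket rule flags the legitimate body that only carries the client-inserted conversion comment, while the per-letter rule does not. They also show that the published fragment, as written, expects the tags in each gap to come in pairs (`<!--zx><k8-->`), so a body with a single comment per gap is not matched; test the condition against the spam samples you actually receive before relying on it.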



To test the new rule

  1. Create a message with a subject line that contains one of the terms that violates the rule.
  2. Send this message into the test network from an external account, and monitor the results.
    If the message is placed in the Spam Quarantine, the rule works.
  3. If necessary, add or refine actions and retest by sending another message from an external account.
  4. Add the rule and match list to your production environment.



Symantec recommends that you test every new policy or modified policy to make sure that it works as you expect. A test network allows more control over the test process, and email generally travels more quickly through the system.

Detailed information regarding regular expressions can be found on page 91 of the Symantec Mail Security for SMTP Implementation Guide.





Legacy ID



2006080709430463

