. Means Match any single character that is not a line break character. *? Means between zero and unlimited times, as few times as possible (lazy)
So the example of .*?\.com.*?\.com Would match on the first .com and the 2nd .com David -----Original Message----- From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Friday, November 04, 2011 11:30 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Regex Greed Issue The character limits do work, that is how I originally tested it, looking for a better solution I consulted our lead programming nerd, he hipped me to the ?, if it actually does work it will be a great help in other regex rules do you have an answer on whether the ? should be working? I will send the log entries and sample messages directly to support -- Rick -----Original Message----- From: David Barker [mailto:dbar...@declude.com] Sent: Friday, November 04, 2011 6:33 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Regex Greed Issue You could try restricting the number of characters for the actual domain. I would suggest something like this: http\:\/\/www.+\.com\..{4,15}\.com Also in many cases the www will not be present and the real domain will not be a .com so you would need to use something like this: http\:\/\/.+\.com\..{4,15}\.(net|com|info|biz|co|cn) There are also many TLD you want to check and I would think in most cases it would point to some URL add the extra / http\:\/\/.+\.com\..{4,15}\..{2,4}/ Run this as a test let's see if we get any false positives and we can take a look at it again to tweak. David -----Original Message----- From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Thursday, November 03, 2011 10:38 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Regex Greed Issue well based on your response I guessed you couldn't reproduce it with the example I sent, I confirmed that, and I am unable to trick that regex, however it does catch messages it shouldnt. here is the log entry for the example message 11/03/2011 15:14:07.489 008080891 Triggered body PCRE filter TEST : http://www.facebook.com/n/?permalink.php&id=3D1209018066&story_fbid=3D2337= 84096686420&mid=3D51cf32eG5af347a420ebGae7c0bG52&bcode=3Dln1Ayh0a&n_m=3Dsc= ollins%40nat.com You can now tag your friends in your status or post. Type @ and then type = the friend's name. For example: "Had lunch with @John Smith." Thanks, The Facebook Team =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This message was sent to scoll...@nat.com. If you don't want to receive = these emails from Facebook in the future, please follow the link below to = unsubscribe. http://www.facebook.com [weight -> 0] I will try to get a few more examples with the original message -- Rick -----Original Message----- From: David Barker [mailto:dbar...@declude.com] Sent: Thursday, November 03, 2011 9:00 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Regex Greed Issue Hi Rick, Are you sure your regex catches the long URL how did you test it ? David -----Original Message----- From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Thursday, November 03, 2011 6:38 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Regex Greed Issue I am trying to use the following regex to catch phishing URLs like http://www.usps.com.scam.com http\:\/\/www.*?\.com\..*?\.com The issue is the question marks do not stop the greediness of the * it will catch http://www.facebook.com/n/?permalink.php&id=1209018066&story_fbid=233784096686420&mid=f347a420ebGae7c0bG52&bcode=ln1Ayh0a&n_m=xxxxxx%40nat.com it seems that it is not supported in PCRE is there a work around? -- Rick CONFIDENTIALITY NOTICE This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. -. .- - You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
