Thomas:

THANK YOU.

I never noticed that blurb at the bottom.  Very useful information,
though I must digest it when I'm less exhausted.

Can you have negative weights?  If I put this in HeaderRE, and it
matches, I'd want it to assign a negative value.

Also, does headerre consider envelope entries or only headers in the
body of the email?

And a suggestion: The line that reads

Every weighted regex that contains at least one '|' has to begin and
end with a '~' - inside such regexes it is not allowed to use a '~',
even it is escaped - for example: ~abc\~|def~=>23 or ~abc~|def~=>23.
is talking about NOT allowing the example given, right?  If I'm
understanding correctly, I'd change that for clarity to:

Every weighted regex that contains at least one '|' has to begin and
end with a '~' - inside such regexes.  Every weighted regex has to be
followed by '=>' and the weight value.

For example: Phishing\.=>1.45|~Heuristics|Email~=>50 or
~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6|Spam=>1.1|~Spear|Scam~=>2.1
.

Note: a '~', even if it is escaped, may NOT be used within the regex
(~abc\~|def~=>23 or ~abc~|def~=>23 is invalid syntax).

Make the good example green and leave the invalid syntax example
regular, not red.


Thanks for taking the time to explain.  I'm sure I'm not the only one
who will find this extraordinarily useful.

On Thu, Nov 12, 2009 at 3:03 PM, Thomas Eckardt/eck
<[email protected]> wrote:
>>Weighted regex?  Could you give
>>an example when you have a moment?
>
> Read the GUI (at the end). I think it's clear. In short - you can, in
> difference to the default penalty box value, define a factor or different
> absolute value per regex.
>
> This mail contains no line breaks (SF does it!)!
>
>>909715e88layf1vciao7va7yaaaaabtb0msdqdqgokayaa...@email.capitalone.com
>
> \r\n\.{40,}...@email\.capitalone\.com
>
> (at minimum 40 characters before the @)
>
>
>>and
>>The from in the header is:
>>[email protected]
>
> \r\nfrom:(?:[^\r\n]*)?capitalo...@email\.capitalone\.com
>
>
>>And the from ip is
>>206.132.3.145
>
> 206\.132\.3\.145
>
> and now as weighted regex for all these lines - all 3 must be in the mail
> to match
>
> ~(((?:\r\n\.{40,}...@email\.capitalone\.com)|(?:\r\nfrom:(?:[^\r\n]*)?capitalo...@email\.capitalone\.com)|(?:206\.132\.3\.145)).*?(?!\g{-1})){3}~=>100
>
> or more easy 3 regexes with a weight of 25 on each - if your high
> (messagescore) penalty value is 60 - the mail reaches the limit with the
> 3. match
>
> \r\n\.{40,}...@email\.capitalone\.com=>25
> \r\nfrom:(?:[^\r\n]*)?capitalo...@email\.capitalone\.com=>25
> 206\.132\.3\.145=>25
>
> I think 'headerRe' is a good place for this.
>
> Thomas
>
>
>
>
> K Post <[email protected]>
> 12.11.2009 19:16
> Please reply to
> ASSP development mailing list <[email protected]>
>
>
> To
> ASSP development mailing list <[email protected]>
> Cc
>
> Subject
> Re: [Assp-test] Reply: Re: Whitelist message based on combination of
> from address and sender IP / senderbase
>
>
>
>
>
>
> Thanks for chiming in Thomas.
>
> Because this is a bulk mailer that sends out mail for lots of
> companies, we can't just whitelist their IP - plus I was talking more
> generally anyway.
>
> I think the whiteRe is the way to go.  Weighted regex?  Could you give
> an example when you have a moment?
>
> I want to catch (for this specific case)
>
> a long use part @ email.capitalone.com
> 909715e88layf1vciao7va7yaaaaabtb0msdqdqgokayaa...@email.capitalone.com
> and
> The from in the header is:
> [email protected]
> And the from ip is
> 206.132.3.145
>
> I just don't know how to do that in a single line.
>
> Thanks so much.
>
> On Thu, Nov 12, 2009 at 12:57 PM, Thomas Eckardt/eck
> <[email protected]> wrote:
>> If it is possible to separate such mails by their content - for example:
>> X header, received (in chain), helo (in chain), reply addresses,
>> message-id, telephone numbers, post addresses ......
>> you can set up any spambomb filter to detect spam - or set up
>> noprocessingRe or whiteRe to detect ham.
>> Or, if any of the IP addresses in the received header is always the same, you
>> can set these IPs to noprocessing/white/black.
>>
>> Or if it is not really clear to detect, you can use weighted regexes to
>> weight IPs and/or words.
>>
>> Or (I think best in this case) if you think the SPF setup for a domain is
>> not correct, you can override the SPF-record for this domain using
>> 'SPFoverride'.
>>
>>
>> Thomas
>>
>>
>>
>>
>> K Post <[email protected]>
>> 12.11.2009 16:13
>> Please reply to
>> ASSP development mailing list <[email protected]>
>>
>>
>> To
>> GrayHat <[email protected]>, ASSP development mailing list
>> <[email protected]>
>> Cc
>>
>> Subject
>> Re: [Assp-test] Whitelist message based on combination of from address and
>> sender IP / senderbase
>>
>>
>>
>>
>>
>>
>> The message was rejected, but upon manual analysis, I see that it was
>> legit.
>>
>> I brought this idea up, trying to figure out a way of letting messages
>> like this through.  There's plenty of senders that publish -all in
>> their SPF that go ahead and violate it anyway.  The dns guy sets the
>> SPF but the coder working to send out alerts doesn't tell the mail guy
>> that they're going to use a bulk mailing house.  The dns guy is never
>> informed and POOF the spf concept is broken.
>>
>> Anyway, I'm looking for a way to allow these messages through and
>> thought that this was a good idea.  I now see your point.
>>
>> How about doing the same thing, but making it be no processing?  This
>> then wouldn't pollute the corpus if a spammer decides to send them
>> through bigfoot, but will still let the legit emails through.
>>
>> Any other ideas?  How do we let certain senders come in from services
>> like bigfoot interactive or constant contact, regardless of their spf
>> setting?
>>
>>
> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Assp-test mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential,
> legally
>> privileged and protected in law and are intended solely for the use of
> the
>>
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>>
>>
>>
>
>
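
An added sketch, not ASSP's code and not from the thread, of the weighted-regex syntax discussed above: it splits a list into pattern/weight pairs, rejects the two invalid '~' forms, and sums three weights of 25 against the limit of 60 from the quoted reply. Python's re module stands in for ASSP's Perl regexes; the function names, the sample rules and header, case-insensitive matching and plain-sum scoring are all assumptions.

```python
import re

# One entry: ~regex~=>weight (required when the regex contains '|') or
# regex=>weight. A '~' inside the regex is rejected, escaped or not.
# Weights are unsigned here: the thread leaves negative weights open.
ENTRY = re.compile(r"(?:~([^~]+)~|([^~|]+?))=>(\d+(?:\.\d+)?)(?:\||\Z)")

def parse_weighted(spec):
    """Split a weighted-regex list into (pattern, weight) pairs."""
    entries, pos = [], 0
    while pos < len(spec):
        m = ENTRY.match(spec, pos)
        if m is None:
            raise ValueError(f"invalid weighted regex at offset {pos}")
        entries.append((m.group(1) or m.group(2), float(m.group(3))))
        pos = m.end()
    return entries

def score(spec, text):
    """Sum the weights of all entries that match (assumed scoring model)."""
    return sum(w for pat, w in parse_weighted(spec)
               if re.search(pat, text, re.IGNORECASE))

# Constructed rules and header, using documentation addresses.
RULES = (r"\r\n.{40,}@mail\.example\.com=>25"
         r"|\r\nfrom:[^\r\n]*@mail\.example\.com=>25"
         r"|192\.0\.2\.45=>25")
SAMPLE = ("Received: from bulk.example.net ([192.0.2.45])\r\n"
          "Return-Path: <" + "a" * 44 + "@mail.example.com>\r\n"
          "From: Example Bank <alerts@mail.example.com>\r\n"
          "Subject: statement\r\n")
LIMIT = 60  # the penalty limit used in the quoted reply

if __name__ == "__main__":
    print(parse_weighted(r"Phishing\.=>1.45|~Heuristics|Email~=>50"))
    total = score(RULES, SAMPLE)
    print(total, "reaches limit" if total >= LIMIT else "below limit")
    for bad in (r"~abc\~|def~=>23", r"~abc~|def~=>23"):
        try:
            parse_weighted(bad)
        except ValueError as err:
            print("rejected:", bad, "-", err)
```

With only two of the three constructed rules matching, the total is 50 and stays under the limit, which is the point of splitting the combined rule into three weights of 25.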
