Ken - do you use the optimizer modules? If yes - please send me the optimized BombHeaderRe from the folder 'files/optRE' !
> When I pull up that file I see:
> X-ASSP-Message/IP-Score: 20 (BombHeaderRe ' From: Elisa Evans <elisa.a.evan')

I think the match is coming from:

> \nfrom:.*pfizer
> \nfrom:.*viagra

because the '.*' is going too wide behind the 'from'. The ' From: Elisa Evans <elisa.a.evan' is only the starting part of the match.

I think you should change the line(s) depending on what you want to find in the header.

\nfrom:.*?(?:pfizer|viagra) --- if you want to find 'pfizer|viagra' anywhere behind the from:
\nfrom:[^\r\n]+?(?:pfizer|viagra) --- if you want to find 'pfizer|viagra' anywhere in the from: line

Notice that the regexes in ASSP are never case sensitive.

You can optimize your regex - my comments are after the '<-':

> # Header will be checked against the Regular Expression.
> Notice of Underreported Income
> \d\d\% [0O]FF on Pfizer <- this should be better in bombSubjectRe ?
> dear.*?\d\d\% oFF <- this should be better in bombSubjectRe ?
> \nfrom:.*?(?:pfizer|viagra) <- this should be better in bombSenderRe ?
> newslett...@adobe-pdf-pro2009\.com <- depends where you want to find the address (bombSenderRe ?)
> # one.ourdomain.org / two.ourdomain.org no mail from sender.com (but main ourdomain.org can get them)
> \nfrom:[^\r\n]...@sender\.com.+?\nto:[^\r\n]+?\@(?:one|two)\.ourdomain\.org
> \nto:[^\r\n]+?\@(?:one|two)\.ourdomain\.org.+?\nfrom:[^\r\n]...@sender\.com

If you forgot the '?:' inside the grouping (which means 'do not capture in $1 $2 .... to use less memory'), assp will do that for you in every case.

Thomas

From: K Post <[email protected]>
To: ASSP development mailing list <[email protected]>
Date: 21.05.2010 17:21
Subject: Re: [Assp-test] BomgHeaderRE catch, but I don't understand why

bump

On Tue, May 18, 2010 at 11:56 AM, K Post <[email protected]> wrote:
> Here's our very simple BombHeaderRe
>
> # Header will be checked against the Regular Expression.
> Notice of Underreported Income
> \d\d% 0FF on Pfizer
> \d\d% OFF on Pfizer
> dear.*\d\d% OFF
> dear.*\d\d% oFF
> \nfrom:.*pfizer
> \nfrom:.*viagra
> [email protected]
> # one.ourdomain.org / two.ourdomain.org no mail from sender.com (but main ourdomain.org can get them)
> \nfrom:[^\r\n]...@sender\.com.+?\nto:[^\r\n]+?\@(one\.ourdomain\.org|two\.ourdomain\.org)
> \nto:[^\r\n]+?\@(one\.ourdomain\.org|two\.ourdomain\.org).+?\nfrom:[^\r\n]...@sender\.com
>
> The block report has an email to one of our users from:
> From: Elisa Evans <[email protected]>
>
> When I pull up that file I see:
> X-ASSP-Message/IP-Score: 20 (BombHeaderRe ' From: Elisa Evans <elisa.a.evan')
>
> What in our BombHeaderRE would have triggered this?
>
> Thanks
>

------------------------------------------------------------------------------
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************
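Added example, not part of the original thread and not ASSP code (ASSP itself is Perl): a Python sketch comparing the original rule with the two rewrites suggested in the reply. It assumes the patterns are applied case-insensitively, as the reply states, and that '.' also matches line breaks, which is inferred from the reply; the sample headers, addresses and the scan() helper are constructed for illustration.

```python
import re

# Assumption: case-insensitive matching (stated in the thread) and '.'
# matching line breaks (inferred from the reply, not confirmed by the page).
FLAGS = re.IGNORECASE | re.DOTALL

PATTERNS = {
    "original": r"\nfrom:.*pfizer",
    "lazy": r"\nfrom:.*?(?:pfizer|viagra)",
    "from_line_only": r"\nfrom:[^\r\n]+?(?:pfizer|viagra)",
}

# Constructed header: the keyword appears only in a later header line.
LEGIT_HEADER = (
    "Received: from mail.example.net by mx.example.org\r\n"
    "From: Elisa Evans <elisa@example.net>\r\n"
    "To: user@example.org\r\n"
    "Subject: Quarterly report\r\n"
    "X-Note: see the Pfizer earnings call\r\n"
)

# Constructed header: the keyword is in the From: line itself.
SPAM_HEADER = (
    "Received: from host.example.com by mx.example.org\r\n"
    "From: Pfizer Deals <promo@example.com>\r\n"
    "To: user@example.org\r\n"
    "Subject: hello\r\n"
)

def scan(header):
    """Map each matching pattern name to (first 30 chars of the match,
    number of header lines the match spans)."""
    hits = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, header, FLAGS)
        if m:
            text = m.group(0).lstrip("\r\n")
            hits[name] = (text[:30], text.count("\n") + 1)
    return hits

if __name__ == "__main__":
    for label, header in (("legit", LEGIT_HEADER), ("spam", SPAM_HEADER)):
        print(label, scan(header))
```

On the legitimate header the first two patterns match across four header lines, and a log that shows only the start of the match would display just the From: line, as in the block report above. The `[^\r\n]+?` form stays inside the From: line and does not fire.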
