>However, if you add scoring to it:

>(?:^|\n)from:\s*_+=>1.5

>ASSP rejects it as invalid Regex.

THIS IS EXPECTED!!!

copied from the bottom of my post

>> in your bombHeaderRe the line should be:
>> 
>> ~(?:^|\n)from:\s*_+~=>60
>> 
>> the tildes are required in assp because of the used pipe (|) in the regex

copied from the GUI-help/manual

Fields marked with two asterisk (**) contains regular expressions (regex) 
and accept a second weight value. Every weighted regex that contains at 
least one '|' has to begin and end with a '~' - inside such regexes it is 
not allowed to use a tilde '~', even it is escaped - for example: 
~abc\~|def~=>23 or ~abc~|def~=>23 - instead use the octal (\126) or hex 
(\x7E) notation, for example ~abc\126|def~=>23 or ~abc\x7E|def~=>23. 
Every weighted regex has to be followed by '=>' and the weight value. For 
example: Phishing\.=>1.45|~Heuristics|Email~=>50 or 
~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6|Spam=>1.1|~Spear|Scam~=>2.1. 
The multiplication result of the weight and the penaltybox valence value 
will be used for scoring, if the absolute value of weight is less or equal 
6. Otherwise the value of weight is used for scoring. It is possible to 
define negative values to reduce the resulting message score.

>I did not realize that it used the /s regex switch - that makes sense.

in
assp/files/optRE/
all the files used for bombs and regular expressions are starting with
(?^:(?^u:(?is:

What else makes sense? For example: header-values can be broken into new 
lines at any character, even directly after the colon of the header-tag!
For this reason the /s switch is used for configurable regular expressions 
(like spam bombs and others - ........Re) in assp since they can be 
defined!

I had a look into old code bases and changelogs.
The oldest assp.pl version I found is 1.1.0 from 04.08.2004 09:06 - it 
uses the /s switch as well!

in the 1.1.0 changelog I found:

2003-09-26 -- Release 1.0.3
           -- Fixed bug with blank spam forwards
           -- reorganized menu slightly
           -- added extensions to block executables feature
           -- added feature to block spam bombs
           -- added feature to disable greylist upload
           -- increased greylist scan to look at last 3 days


Thomas
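
Added example (not part of the original e-mail and not ASSP's own code): it reproduces the over-match of `From\:.*\_` under the `i` and `s` flags, shows the anchored replacement, and models the manual's tilde rule for weighted regexes. Python's `re.I | re.S` stands in for Perl's `(?is:`; the header samples are constructed and `parse_weighted` is a hypothetical helper.

```python
import re

FLAGS = re.I | re.S            # assumption: mirrors the (?is: prefix in files/optRE
BROAD = r"From\:.*\_"          # regex from the original report
FIXED = r"(?:^|\n)from:\s*_+"  # anchored replacement from the reply
WEIGHT = re.compile(r"=>(-?\d+(?:\.\d+)?)")

# Constructed headers, modeled on the two messages quoted in the thread.
HAM = ("From: Readly <news@news.example>\r\nSubject: Weekly picks\r\n"
       "Message-ID: <a_1@news.example>\r\n")
SPAM = "Received: by mx.example\r\nFrom:_Male Health <s@offer.example>\r\n"

def hit(pattern, header, flags=FLAGS):
    """Return the matched text, or None when the header is clean."""
    m = re.search(pattern, header, flags)
    return m.group(0) if m else None

def parse_weighted(line):
    """Hypothetical model of the manual's rule: split into (regex, weight) terms."""
    if "=>" not in line:
        return [(line, None)]                  # unweighted regex, used as-is
    terms, pos = [], 0
    while pos < len(line):
        if line[pos] == "~":                   # ~...~ term may contain '|'
            end = line.find("~", pos + 1)
            if end < 0:
                raise ValueError("unterminated ~ term")
            body, pos = line[pos + 1:end], end + 1
        else:                                  # bare term must not contain '|'
            end = line.find("=>", pos)
            body = line[pos:end] if end >= 0 else line[pos:]
            if end < 0 or "|" in body or "~" in body:
                raise ValueError(f"term at {pos}: wrap in ~...~ and add =>weight")
            pos = end
        m = WEIGHT.match(line, pos)
        if not m:
            raise ValueError(f"missing =>weight at {pos}")
        re.compile(body, FLAGS)                # the regex itself must be valid
        terms.append((body, float(m.group(1))))
        pos = m.end()
        if pos < len(line):
            if line[pos] != "|":
                raise ValueError(f"expected '|' at {pos}")
            pos += 1
    return terms

if __name__ == "__main__":
    print(repr(hit(BROAD, HAM)), hit(FIXED, HAM), repr(hit(FIXED, SPAM)))
    print(parse_weighted(r"~(?:^|\n)from:\s*_+~=>60"))
```

With the `s` flag the broad pattern runs from `From:` across the line breaks to the underscore in the constructed Message-ID; without it the same header does not match.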




From:    "Scott MacLean" <a...@hollsco.com>
To:      "ASSP Development Mailing List" <assp-test@lists.sourceforge.net>
Date:    09.06.2022 16:54
Subject: Re: [Assp-test] bombHeaderRe matching every email



Thank you Thomas,

I did not realize that it used the /s regex switch - that makes sense. I 
will need to go edit all of my BombRE's.

Your suggestion did work:

(?:^|\n)from:\s*_+

However, if you add scoring to it:

(?:^|\n)from:\s*_+=>1.5

ASSP rejects it as invalid Regex.

On 6/9/2022 5:05, Thomas Eckardt wrote:
>>I know regex fairly well
> 
> hmm.....
> 
> 
> from\:.*\_
> 
> looks very bad - it is read like:
> 
> look for
> from:
> followed by anything any long (or nothing)
> followed by
> _
> 
> in the complete header
> keep in mind: all bombRE's are using the /s regex switch (ignoring CR 
> and LF)
> 
> So, if there is an *underscore* anywhere after *from:* in the mail 
> header, the regex will match:
> 
> use
> 
> (?:^|\n)from:\s*_+
> 
> instead (colon and underscore don't need to be escaped here, but can be)
> 
> is read like:
> 
> look for
> at the start or after each newline
> from:
> followed by any count of CR,LF,SPACE,TAB (or nothing)
> followed by any count (but at least one) of
> _
> 
> in the complete header
> 
> in your bombHeaderRe the line should be:
> 
> ~(?:^|\n)from:\s*_+~=>60
> 
> the tildes are required in assp because of the used pipe (|) in the regex
> 
> 
> Thomas
> 
> 
> 
> 
> From: "Scott MacLean" <a...@hollsco.com>
> To: "K Post" <nntp.p...@gmail.com>, "ASSP Development Mailing List" <assp-test@lists.sourceforge.net>
> Date: 07.06.2022 19:22
> Subject: Re: [Assp-test] bombHeaderRe matching every email
> ------------------------------------------------------------------------
> 
> 
> 
> No, I did not. I know regex fairly well, and this to me looks like a bug
> or otherwise unintentional operation. I've commented out these lines in
> my BombHeader for now.
> 
> On 6/7/2022 10:58, K Post wrote:
>> Hi Scott,
>> Did you ever figure this out?
>> I'm no regex wiz like Thomas is, but what you have appears pretty simple
>> to me -- and I don't see anything wrong with it...
>> I tried
>> 
>>     from\:.*\_
>> 
>> in testRE and see it matching everything too. I don't understand why.
>> I know this doesn't help you with why this is happening, but figured
>> that it would at least help to hear that you're not the only one whose
>> system generates that result.
>> 
>> 
>> 
>> On Wed, Jun 1, 2022 at 5:32 PM Scott MacLean <a...@hollsco.com> wrote:
>> 
>>     I've been seeing a bunch of spam getting through my filter recently,
>>     and they all have the same thing in common: an underscore at the
>>     beginning of the "From" and/or "Subject" lines. This should be really
>>     easy to pick up with bombHeaderRe, but something's not working.
>> 
>>     Here's an example of the spam I'm seeing:
>> 
>>     From:_Male Health <support-team_0rk47mtncmz9bfpalcklzzn...@offer.market.ca>
>>     Subject:_Size matters and we can help
>> 
>>     Sometimes there is a space in between the colon and the underscore,
>>     usually there is not.
>> 
>>     Here is the regex I added to my bombHeaderRe:
>> 
>>     From\:.*\_=>60
>>     Subject\:.*\_=>60
>> 
>>     However, I quickly realized that this was tagging EVERY email coming
>>     through the server! For instance, here's an email:
>> 
>>     From: Readly <rea...@news.readly.com>
>> 
>>     And looking at mail analysis, it's being caught by this regex, even
>>     though there is no underscore:
>> 
>>     BombHeader RE: 'highest match: "(matchlength:84)  From: Readly
>>     <readly@news.readly" with valence: 60 - PB value  = 60'
>>     matching bombHeaderRe(file:files/bombheaderre.txt[line 188]):
>>     'From\:.*_'
>> 
>>     Any idea what's going wrong and causing this?
>> 
>>     _______________________________________________
>>     Assp-test mailing list
>>     Assp-test@lists.sourceforge.net
>>     https://lists.sourceforge.net/lists/listinfo/assp-test
>> 