>However, if you add scoring to it: >(?:^|\n)from:\s*_+=>1.5
>ASSP rejects it as invalid Regex. THIS IS EXPECTED!!! copied from the bottom of my post >> in your bombHeaderRe the line should be: >> >> ~(?:^|\n)from:\s*_+~=>60 >> >> the tilds are required in assp because of the used pipe (|) in the regex copied from the GUI-help/manual Fields marked with two asterisk (**) contains regular expressions (regex) and accept a second weight value. Every weighted regex that contains at least one '|' has to begin and end with a '~' - inside such regexes it is not allowed to use a tilde '~', even it is escaped - for example: ~abc\~|def~=>23 or ~abc~|def~=>23 - instead use the octal (\126) or hex (\x7E) notation , for example ~abc\126|def~=>23 or ~abc\x7E|def~=>23 . Every weighted regex has to be followed by '=>' and the weight value. For example: Phishing\.=>1.45|~Heuristics|Email~=>50 or ~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6|Spam=>1.1|~Spear|Scam~=>2.1 . The multiplication result of the weight and the penaltybox valence value will be used for scoring, if the absolute value of weight is less or equal 6. Otherwise the value of weight is used for scoring. It is possible to define negative values to reduce the resulting message score. >I did not realize that it used the /s regex switch - that make sense. in assp/files/optRE/ all the files used for bombs and regular expressions are starting with (?^:(?^u:(?is: What else makes sense? For example: header-values can be broken in to new lines at any character, even directly after the collon of the header-tag! For this reason the /s switch is used for configurable regular expressions (like spam bombs and others - ........Re) in assp since they can be defined! I had a look in to old code bases and changelogs. The oldest assp.pl version I found is 1.1.0 from 04.08.2004 09:06 - it uses the /s switch as well! in the 1.1.0 changelog I found: 2003-09-26 -- Release 1.0.3 -- Fixed bug with blank spam forwards -- reorganized menu slightly -- added extensions to block executables feature -- added feature to block spam bombs -- added feature to disable greylist upload -- increased greylist scan to look at last 3 days Thomas Von: "Scott MacLean" <a...@hollsco.com> An: "ASSP Development Mailing List" <assp-test@lists.sourceforge.net> Datum: 09.06.2022 16:54 Betreff: Re: [Assp-test] bombHeaderRe matching every email Thank you Thomas, I did not realize that it used the /s regex switch - that make sense. I will need to go edit all of my BombRE's. Your suggestion did work: (?:^|\n)from:\s*_+ However, if you add scoring to it: (?:^|\n)from:\s*_+=>1.5 ASSP rejects it as invalid Regex. On 6/9/2022 5:05, Thomas Eckardt wrote: >>I know regex fairly well > > hmm..... > > > from\:.*\_ > > looks very bad - it is read like: > > look for > from: > followed by anything any long (or nothing) > followed by > _ > > in the complete header > keep in mind: all bombRE's are using the /s regex switch (ignoring CR > and LF) > > So, if there is an *underscore* anywhere after *from:* in the mail > header, the regex will match: > > use > > (?:^|\n)from:\s*_+ > > instead (collon and underscore don't need to be escaped here . but can be) > > is read like: > > look for > at the start or after each newline > from: > followed by any count of CR,LF,SPACE,TAB (or nothing) > followed by any count (but at least one) of > _ > > in the complete header > > in your bombHeaderRe the line should be: > > ~(?:^|\n)from:\s*_+~=>60 > > the tilds are required in assp because of the used pipe (|) in the regex > > > Thomas > > > > > Von: "Scott MacLean" <a...@hollsco.com> > An: "K Post" <nntp.p...@gmail.com>, "ASSP Development Mailing List" > <assp-test@lists.sourceforge.net> > Datum: 07.06.2022 19:22 > Betreff: Re: [Assp-test] bombHeaderRe matching every email > ------------------------------------------------------------------------ > > > > No, I did not. I know regex fairly well, and this to me looks like a bug > or otherwise unintentional operation. I've commented out these lines in > my BombHeader for now. > > On 6/7/2022 10:58, K Post wrote: >> Hi Scott, >> Did you ever figure this out? >> I'm no regex wiz like Thomas is, but what you have appears pretty simple >> to me -- and I don't see anything wrong with it... >> I tried >> >> from\:.*\_ >> >> in testRE and see it matching everything too. I don't understand why. >> I know this doesn't help you with why this is happening, but figured >> that it would at least help to hear that you're not the only one whose >> system generates that result. >> >> >> >> On Wed, Jun 1, 2022 at 5:32 PM Scott MacLean <a...@hollsco.com >> <mailto:a...@hollsco.com <mailto:a...@hollsco.com>>> wrote: >> >> I've been seeing a bunch of spam getting through my filter recently, >> and >> they all have the same thing in common: an underscore at the beginning >> of the "From" and/or "Subject" lines. This should be really easy to >> pick >> up with bombHeaderRe, but something's not working. >> >> Here's an example of the spam I'm seeing: >> >> From:_Male Health >> <support-team_0rk47mtncmz9bfpalcklzzn...@offer.market.ca >> <mailto:support-team_0rk47mtncmz9bfpalcklzzn...@offer.market.ca > <mailto:support-team_0rk47mtncmz9bfpalcklzzn...@offer.market.ca>>> >> Subject:_Size matters and we can help >> >> Sometimes there is a space in between the colon and the underscore, >> usually there is not. >> >> Here is the regex I added to my bombHeaderRe: >> >> From\:.*\_=>60 >> Subject\:.*\_=>60 >> >> However, I quickly realized that this was tagging EVERY email coming >> through the server! For instance, here's an email: >> >> From: Readly <rea...@news.readly.com <mailto:rea...@news.readly.com <mailto:rea...@news.readly.com>>> >> >> And looking at mail analysis, it's being caught by this regex, even >> though there is no underscore: >> >> BombHeader RE: 'highest match: "(matchlength:84) From: Readly >> <readly@news.readly" with valence: 60 - PB value = 60' >> matching bombHeaderRe(file:files/bombheaderre.txt < file://files/bombheaderre.txt>[line 188]): >> 'From\:.*_' >> >> Any idea what's going wrong and causing this? >> >> >> >> >> _______________________________________________ >> Assp-test mailing list >> Assp-test@lists.sourceforge.net < mailto:Assp-test@lists.sourceforge.net > <mailto:Assp-test@lists.sourceforge.net>> >> https://lists.sourceforge.net/lists/listinfo/assp-test > <https://lists.sourceforge.net/lists/listinfo/assp-test> >> <https://lists.sourceforge.net/lists/listinfo/assp-test > <https://lists.sourceforge.net/lists/listinfo/assp-test>> >> > > > > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test > <https://lists.sourceforge.net/lists/listinfo/assp-test> > > > > > DISCLAIMER: > ******************************************************* > This email and any files transmitted with it may be confidential, > legally privileged and protected in law and are intended solely for the > use of the > individual to whom it is addressed. > This email was multiple times scanned for viruses. There should be no > known virus in this email! > ******************************************************* > _______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test DISCLAIMER: ******************************************************* This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed. This email was multiple times scanned for viruses. There should be no known virus in this email! *******************************************************
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test