Darin, as Sandy suggested, using a filter file will probably be more use to
you.

Aside from any issue with nested quotation marks, your existing command
isn't doing for you what you think it's doing.

Right now, it's matching any of the words, not matching the phrase.  Take a
close reading of the parameters, e.g.:

findstr /?

and you'll see that findstr and find are different beasts.

You will probably be better off using:

REGEX14  external 0 "c:\winnt\system32\cmd.exe /c findstr /I /L /G:c:\imail\declude\seek.txt"  1 0

And creating a text file called seek.txt with lines like:

If you require any of the medications below,
better living through chemicals
sex, drugs and rock 'n' roll

You'll have results that are closer to what you expect.  I used the /I
parameter to ignore case, and I'm sure that you want to choose /L (or /R if
you want regexp) so that you match the whole phrase, and not an "OR" on
every word in the phrase.

Andrew 8)
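
The matching difference discussed in this thread, as an added example that is not part of the original messages: a cmd batch script that runs findstr three ways against two sample message files. The file names, working directory and message text are constructed for illustration, and the /C: option (a literal phrase given on the command line) is not mentioned in the thread. Here the file to search is named explicitly; under Declude the message file is appended as the last argument instead.

```bat
@echo off
setlocal
rem Constructed sample data: ham.txt lacks the phrase, spam.txt contains it.
set "WORK=%TEMP%\findstr-demo"
if not exist "%WORK%" mkdir "%WORK%"
> "%WORK%\ham.txt"  echo Call me if you need any help with the report.
> "%WORK%\spam.txt" echo If you require any of the medications below, reply now.
> "%WORK%\seek.txt" echo If you require any of the medications below,
>>"%WORK%\seek.txt" echo better living through chemicals

set "PHRASE=If you require any of the medications below,"

rem 1) Quoted argument containing spaces: findstr splits it on the spaces
rem    and searches for each word separately, so a message that merely
rem    contains "you" or "any" counts as a hit.
for %%F in (ham spam) do (
  findstr "%PHRASE%" "%WORK%\%%F.txt" >nul
  if errorlevel 1 (echo words OR'd, %%F.txt: no match) else (echo words OR'd, %%F.txt: MATCH)
)

rem 2) /C: treats the whole quoted argument as one literal search string.
for %%F in (ham spam) do (
  findstr /I /C:"%PHRASE%" "%WORK%\%%F.txt" >nul
  if errorlevel 1 (echo /C: phrase, %%F.txt: no match) else (echo /C: phrase, %%F.txt: MATCH)
)

rem 3) /G: reads one search string per line from seek.txt; /L takes each
rem    line literally and /I ignores case. One run covers every phrase in
rem    the file, but the caller only learns hit or no hit.
for %%F in (ham spam) do (
  findstr /I /L "/G:%WORK%\seek.txt" "%WORK%\%%F.txt" >nul
  if errorlevel 1 (echo /G: file, %%F.txt: no match) else (echo /G: file, %%F.txt: MATCH)
)

rem findstr exits with 0 when a search string is found, which is why the
rem thread configures it as an "external 0" test.
endlocal
```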

-----Original Message-----
From: Darin Cox [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 07, 2004 8:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] External RegEx tests using FINDSTR


Hi Sandy,

Thought I'd let you know I tried it today.  Worked great on strings with no
spaces, but all of the strings with spaces in them triggered on every email,
whether the entire string was there or not.  Haven't had time to test in
detail, so I'm not sure why yet.

Here's an example test config:

REGEX14  external 0 "c:\winnt\system32\cmd.exe /c findstr "If you require any of the medications below,""  1 0

Every email was failing this test, regardless of whether it had the whole
string in it.

On the positive side, running a half dozen other tests didn't seem to do
much to processor utilization.  I'll have a better idea in a couple of days
from our performance monitoring.

Darin.


----- Original Message ----- 
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 6:49 PM
Subject: [Declude.JunkMail] External RegEx tests using FINDSTR


All,

Forgive me if someone has mentioned this before, but my archives don't show
anything.

I've been playing with FINDSTR as an external test to quickly add RegEx
tests:

      REGEX1 external 0 "c:\winnt\system32\cmd.exe /c findstr "search.*term"" <weight> 0

It's been working out fine thus far in lab use. Note that it is used as
an 'external 0' test, as it returns 0 if the FINDSTR search string _is_
found.

While the RegEx engine isn't crazy-robust (it doesn't span line
breaks, I believe), it certainly gives us tons above filters alone, and
I'd bet that those with overlong filters would see relative benefits
in maintenance and performance.

It's certain that the CPU needs will be substantial, not only because of
the search step itself (which should just be comparable to other
non-compiled RegEx engines), but because of the shelling to the
external command interpreter, as with any external test. I'd certainly
recommend using the /G option to feed a list of search strings in one test
iteration, with the caveat that only one weight would thus be returned
for any number of failures within the list, unlike with Declude filter
files.

Also note that I personally use SpamAssassin for compiled RegEx
support and the granular matching/weighting it offers, but the FINDSTR
method would be accessible to anyone using Declude for easy-to-build
checks and profiling.

I eagerly anticipate feedback from the first guinea pigs. :)

--Sandy


P.S.  I'm working on passing Declude variables to FINDSTR, which would be
great. There are some issues with the fact that Declude always passes
the D file as the last argument, creating parsing errors for FINDSTR.
Scott, could we get a new test type like EXTERNALNOBODY that just runs the
command line without adding anything at the end?


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!

http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
Aliases!

http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/

http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
