Ah, nice... Apparently you sent the very same message here, too. I already deleted the thread on the users list...
On Thu, 2009-01-08 at 13:24 +0100, Harald Binkle wrote:
> What about a new eval function comparing the matches of two regular
> expressions?
> If there would be a function like
>
> eval:Equals(/regex1/,/regex2/) and eval:NOTEquals(/regex1/,/regex2/)
>
> it would be easy to define rules like:
>
> a rule scoring, say with 0.8 points, if there is only one recipient's
> address and
> that one equals the sender's address but they have different 'name
> parts'? Like: TO: "User Name" <[email protected]> FROM: "viagra offer"
> <[email protected]>

Err, given that example -- what about a rule that punishes any mail sent
"from" your domain with a real name referencing pills? Other options have
been mentioned on the users list already, IIRC.

I seriously wonder *why* these are a problem in the first place. They are
quite spammy, and SA shouldn't have any problem assigning a high score out
of the box.

(If you want help how to better identify a particular class of spam,
provide a link to samples and ask on the users list. I got a feeling the
"To equals From" is just a pattern you spotted, but there are better ways
and other issues.)

> There are a lot of spam mails with that structure trying to get
> through because many people have their own domain on the whitelist.

This is NOT an excuse for implementing such a plugin. Plain whitelist_from
your own domain is a gross mis-configuration. Do not use it, unless there
is no other option. Use the rcvd or auth variants.

> I tried to set this up as rule but with no luck. I fear it is not
> possible to do this with a regular expression as it is not possible to
> compare results of a regular expression in a regular expression.

It *is* possible to do a generic "To equals From" rule using a single RE.
A few weeks ago when this topic came up, I hacked on this locally for some
exercise. Didn't polish it, but got a proof of concept. Granted, the RE is
quite ugly. :)

Also, it absolutely *is* possible to "compare results of a regular
expression in a regular expression". It's called back references.

> And the AWL does not work for mails with this structure. If the sender
> address was set to the recipients address the AWL is fooled and the
> mail gets a negative score.

No. AWL does not work on the address alone, but takes the sending IP block
(/24 IIRC) into account. A spam forged to be sent by you does not get a
negative score, because the mail does not originate from the same network
you are using.

The Subject is wrong just the same.

> Could someone implement this?

Such a plugin has been posted to the users list before as a proof of
concept.

However, again -- IMHO you are trying to solve your issue by throwing more
code at it, instead of nailing the real problem. Why are they slipping
through in the first place?

  guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
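
The back-reference technique mentioned in the reply above, as an added example (not guenther's RE, which was not posted, and not SpamAssassin code): one Python regex that captures the From address and requires the sole To recipient to equal it through a back reference, in either header order. The sample headers are constructed, and the input is assumed to be an unfolded, headers-only block with addresses in angle brackets.

```python
import re

# Constructed sample header blocks; all addresses are placeholders.
SELF_FORGED = ('From: "viagra offer" <user@example.com>\n'
               'To: "User Name" <User@Example.com>\n'
               'Subject: hello\n')
TO_FIRST = ('To: <user@example.com>\n'
            'Received: from mail.example.net by mx.example.com\n'
            'From: Pills <USER@example.com>\n')
LEGIT_SELF = ('From: "User Name" <user@example.com>\n'
              'To: "User Name" <user@example.com>\n')
OTHER_RCPT = ('From: "User Name" <user@example.com>\n'
              'To: <friend@example.org>\n')
TWO_RCPTS = ('From: "User Name" <user@example.com>\n'
             'To: <user@example.com>, <other@example.com>\n')

# Single RE: each branch captures one address and back-references it in the
# other header. [^\n,<]* before the To address and the end-of-line anchor
# after it enforce "only one recipient".
TO_EQ_FROM = re.compile(r"""
    ^From:([^\n<]*)<([^<>\s]+)>[^\n]*\n    # From: name (1), address (2)
    (?:.*\n)*?                               # skip any headers in between
    To:([^\n,<]*)<\2>[ \t\r]*$             # sole recipient must equal \2
  |
    ^To:([^\n,<]*)<([^<>\s]+)>[ \t\r]*\n   # same test, To header first
    (?:.*\n)*?
    From:([^\n<]*)<\5>                       # sender must equal \5
""", re.I | re.M | re.X)

def _clean(name):
    """Normalise a display name for comparison."""
    return name.strip(' \t"').lower()

def to_equals_from(headers):
    """Return (same_address, names_differ) for an unfolded header block."""
    m = TO_EQ_FROM.search(headers)
    if not m:
        return (False, False)
    if m.group(2):                           # From-first branch matched
        from_name, to_name = m.group(1), m.group(3)
    else:                                    # To-first branch matched
        to_name, from_name = m.group(4), m.group(6)
    return (True, _clean(from_name) != _clean(to_name))

if __name__ == "__main__":
    for block in (SELF_FORGED, TO_FIRST, LEGIT_SELF, OTHER_RCPT, TWO_RCPTS):
        print(to_equals_from(block))
```
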
