date:20220609

Re: [Assp-test] bombHeaderRe matching every email

2022-06-09 Thread Scott MacLean

Thank you Thomas,

I did not realize that it used the /s regex switch - that make sense. I 
will need to go edit all of my BombRE's.

Your suggestion did work:

(?:^|\n)from:\s*_+

However, if you add scoring to it:

(?:^|\n)from:\s*_+=>1.5

ASSP rejects it as invalid Regex.

On 6/9/2022 5:05, Thomas Eckardt wrote:

I know regex fairly well

hmm.

from\:.*\_

looks very bad - it is read like:

look for
from:
followed by anything any long (or nothing)
followed by
_

in the complete header
keep in mind: all bombRE's are using the /s regex switch (ignoring CR 
and LF)

So, if there is an *underscore* anywhere after *from:* in the mail 
header, the regex will match:

use

(?:^|\n)from:\s*_+

instead (collon and underscore don't need to be escaped here . but can be)

is read like:

look for
at the start or after each newline
from:
followed by any count of CR,LF,SPACE,TAB (or nothing)
followed by any count (but at least one) of
_

in the complete header

in your bombHeaderRe the line should be:

~(?:^|\n)from:\s*_+~=>60

the tilds are required in assp because of the used pipe (|) in the regex

Thomas

Von: "Scott MacLean" 
An: "K Post" , "ASSP Development Mailing List" 

Datum: 07.06.2022 19:22
Betreff: Re: [Assp-test] bombHeaderRe matching every email

No, I did not. I know regex fairly well, and this to me looks like a bug
or otherwise unintentional operation. I've commented out these lines in
my BombHeader for now.

On 6/7/2022 10:58, K Post wrote:

Hi Scott,
Did you ever figure this out?
I'm no regex wiz like Thomas is, but what you have appears pretty  simple
to me -- and I don't see anything wrong with it...
I tried

    from\:.*\_

in testRE and see it matching everything too.  I don't understand  why.
I know this doesn't help you with why this is happening, but figured
that it would at least help to hear that you're not the only one whose
system generates that result.

On Wed, Jun 1, 2022 at 5:32 PM Scott MacLean mailto:a...@hollsco.com >> wrote:

    I've been seeing a bunch of spam getting through my  filter recently,
    and
    they all have the same thing in common: an underscore  at the beginning
    of the "From" and/or "Subject" lines.  This should be really easy to
    pick
    up with bombHeaderRe, but something's not working.

    Here's an example of the spam I'm seeing:

    From:_Male Health
        >>

    Subject:_Size matters and we can help

    Sometimes there is a space in between the colon and  the underscore,
    usually there is not.

    Here is the regex I added to my bombHeaderRe:

    From\:.*\_=>60
    Subject\:.*\_=>60

    However, I quickly realized that this was tagging EVERY  email coming
    through the server! For instance, here's an email:

    From: Readly mailto:rea...@news.readly.com 
>>

    And looking at mail analysis, it's being caught by this  regex, even
    though there is no underscore:

    BombHeader RE: 'highest match: "(matchlength:84)  From: Readly
    [line 188]):
    'From\:.*_'

    Any idea what's going wrong and causing this?

    ___
    Assp-test mailing list
    Assp-test@lists.sourceforge.net >
https://lists.sourceforge.net/lists/listinfo/assp-test 

    >

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test 

DISCLAIMER:
***
This email and any files transmitted with it may be confidential, 
legally privileged and protected in law and are intended solely for the 
use of the

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!

***

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: [Assp-test] bombHeaderRe matching every email

2022-06-09 Thread Thomas Eckardt

>I know regex fairly well

hmm.


from\:.*\_

looks very bad - it is read like:

look for 
from:
followed by anything any long (or nothing)
followed by
_

in the complete header
keep in mind: all bombRE's are using the /s regex switch (ignoring CR and 
LF) 

So, if there is an underscore anywhere after from: in the mail header, the 
regex will match:

use

(?:^|\n)from:\s*_+

instead (collon and underscore don't need to be escaped here . but can be)

is read like:

look for 
at the start or after each newline
from:
followed by any count of CR,LF,SPACE,TAB (or nothing)
followed by any count (but at least one) of 
_ 

in the complete header

in your bombHeaderRe the line should be:

~(?:^|\n)from:\s*_+~=>60

the tilds are required in assp because of the used pipe (|) in the regex


Thomas




Von:"Scott MacLean" 
An: "K Post" , "ASSP Development Mailing List" 

Datum:  07.06.2022 19:22
Betreff:Re: [Assp-test] bombHeaderRe matching every email



No, I did not. I know regex fairly well, and this to me looks like a bug 
or otherwise unintentional operation. I've commented out these lines in 
my BombHeader for now.

On 6/7/2022 10:58, K Post wrote:
> Hi Scott,
> Did you ever figure this out?
> I'm no regex wiz like Thomas is, but what you have appears pretty simple 

> to me -- and I don't see anything wrong with it...
> I tried
> 
> from\:.*\_
> 
> in testRE and see it matching everything too.  I don't understand why. 
> I know this doesn't help you with why this is happening, but figured 
> that it would at least help to hear that you're not the only one whose 
> system generates that result.
> 
> 
> 
> On Wed, Jun 1, 2022 at 5:32 PM Scott MacLean  > wrote:
> 
> I've been seeing a bunch of spam getting through my filter recently,
> and
> they all have the same thing in common: an underscore at the 
beginning
> of the "From" and/or "Subject" lines. This should be really easy to
> pick
> up with bombHeaderRe, but something's not working.
> 
> Here's an example of the spam I'm seeing:
> 
> From:_Male Health
>  >
> Subject:_Size matters and we can help
> 
> Sometimes there is a space in between the colon and the underscore,
> usually there is not.
> 
> Here is the regex I added to my bombHeaderRe:
> 
> From\:.*\_=>60
> Subject\:.*\_=>60
> 
> However, I quickly realized that this was tagging EVERY email coming
> through the server! For instance, here's an email:
> 
> From: Readly mailto:rea...@news.readly.com
>>
> 
> And looking at mail analysis, it's being caught by this regex, even
> though there is no underscore:
> 
> BombHeader RE: 'highest match: "(matchlength:84) From: Readly
>  matching bombHeaderRe(file:files/bombheaderre.txt[line 188]):
> 'From\:.*_'
> 
> Any idea what's going wrong and causing this?
> 
> 
> 
> 
> ___
> Assp-test mailing list
> Assp-test@lists.sourceforge.net <
mailto:Assp-test@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/assp-test
> 
> 



___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
***
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
***


___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: [Assp-test] bombHeaderRe matching every email

Re: [Assp-test] bombHeaderRe matching every email

2 matches

Site Navigation

Mail list logo

Footer information