RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-09 Thread Mitch (WebCob)
Nah... (and admittedly I didn't know this before! - I am not a regex guru)

^ contained inside [] denotes the inverse of the character set... the *
after it says many...

so a set containing any character that is NOT ) - basically skip every
character until ) ( which is what the \) that follows the * is for...

Gordon says (and I've heard this before) that .* in a regex makes it
slower - so this more explicit repeat until pattern is more efficient.

m/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mirko
Zeibig
Sent: Thursday, January 08, 2004 12:17 AM
To: [EMAIL PROTECTED]
Cc: Mitch (WebCob)
Subject: Re: [courier-users] Seeming issue between SA  courier... WAS
RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself
a test message?


I guess you have to escape the parenthesis in the square brackets as well:
\(AUTH: [^\)]*\)

Regards
Mirko





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-08 Thread Mitch (WebCob)
Thanks Mirko - I don't want to embarrass my sorry regular expression
handicapped self, but I'm still confused:

Received: from a1200 ([24.83.X.X])
  (AUTH: LOGIN [EMAIL PROTECTED])
  by bigass1.XXX.com with esmtp; Thu, 08 Jan 2004 00:04:43 +

AND

if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by/) )
-
/Received: .*\(AUTH: [^)]*\) *by/

So the first .* catches all characters up to the escaped (AUTH: 

What's the [^)]* do in this case? I thought ^ was the start of a line?

I tried rewriting it as:

if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: .*\) *by/) )
AND
if ( $i == 1 && ( ! $MATCH =~ /Received: .*/) )

But that doesn't seem to match anything - is the Received line converted
back to a single line prior to this processing?

I would think so, maybe the problem is the if syntax and not the pattern?

Any further ideas appreciated.
Thanks.

m/

-Original Message-
From: Mirko Zeibig [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:17 AM
To: [EMAIL PROTECTED]
Cc: Mitch (WebCob)
Subject: Re: [courier-users] Seeming issue between SA  courier... WAS
RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself
a test message?


Mitch (WebCob) said the following on 01/08/2004 01:37 AM:
> Ok - thanks - that works better for a number of reasons - (I'll post the
> running version once I play with it) - by making sure I am testing the first
> header, I don't need to care about example.com (which is good, cause then I
> can put the rule in my maildroprc where I call spamassassin from.
>
> When I use your original example I get Syntax error after =.
>
> #   if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\)

I guess you have to escape the parenthesis in the square brackets as well:
\(AUTH: [^\)]*\)

Regards
Mirko





Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-08 Thread Gordon Messmer
Mitch (WebCob) wrote:
> Received: from a1200 ([24.83.X.X])
>   (AUTH: LOGIN [EMAIL PROTECTED])
>   by bigass1.XXX.com with esmtp; Thu, 08 Jan 2004 00:04:43 +
> ...
> if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by/) )
> ...
> So the first .* catches all characters up to the escaped (AUTH:

Yes.

> What's the [^)]* do in this case? I thought ^ was the start of a line?

When ^ appears as the first character inside [], it means characters not
in that set.  '[^)]' means characters which are not a ')'.

> I tried rewriting it as:
> if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: .*\) *by/) )

That'll usually accomplish the same, but it'll take longer.  It's key to
writing fast regexs that you avoid .* as often as you can.

> But that doesn't seem to match anything - is the Received line converted
> back to a single line prior to this processing?

Should be.  The pattern works for me, though the rest of my conditional
is different.

> I would think so, maybe the problem is the if syntax and not the pattern?

It's probably related to the !.  You may need an additional set of
parens around the $MATCH =~ //.  Either that, or MATCH doesn't have the
whole line, and what you really need is foreach /Received: .*/.





Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-08 Thread Mirko Zeibig
Mitch (WebCob) said the following on 01/08/2004 01:37 AM:
> Ok - thanks - that works better for a number of reasons - (I'll post the
> running version once I play with it) - by making sure I am testing the first
> header, I don't need to care about example.com (which is good, cause then I
> can put the rule in my maildroprc where I call spamassassin from.
>
> When I use your original example I get Syntax error after =.
>
> #   if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\)

I guess you have to escape the parenthesis in the square brackets as well:
\(AUTH: [^\)]*\)

Regards
Mirko


RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-07 Thread Mitch (WebCob)
Good idea, but is it really that simple? I would only want to do this for
the top Received header - if I test all headers a spoofed auth header can
bypass spamassassin. Is there a way to make the pattern match only the first
Received and then check it for AUTH?

I realize by adding the example.com test we are narrowing it down to at
least a targeted spoof - but why not shoot for perfection eh?

Thanks Gord!

m/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gordon
Messmer
Sent: Tuesday, January 06, 2004 6:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [courier-users] Seeming issue between SA  courier... WAS
RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself
a test message?


Mitch (WebCob) wrote:

> My first concern is that apparently due to the differences in courier's vs
> sendmail's Received header formats, the first courier header is not always
> detected. Secondly, if I am sending to another user in my own system via
> authenticated SMTP, the rule still triggers - even though my authentication
> on the server should allow me some sort of whitelist like status (my
> humble opinion).

Configure maildrop not to pass messages that were AUTH'd to spamassassin:

if( ! ( /Received: .*\(AUTH: [^)]*\) *by [:alnum:]*.example.com/ ) )
{
 xfilter /usr/bin/spamc
}





Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-07 Thread Gordon Messmer
Mitch (WebCob) wrote:
> Good idea, but is it really that simple?

Yeah, why not?

> I would only want to do this for
> the top Received header - if I test all headers a spoofed auth header can
> bypass spamassassin.

If you're really that paranoid about it, you can probably flesh this out:

i=1
foreach /Received: /
{
if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by \
[:alnum:]*.example.com/) )
{
xfilter /usr/bin/spamc
}
i=$i + 1
}

There's probably something wrong with that.  I didn't test it.



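The top-Received-only check discussed in this part of the thread, written in Python as an added example; it is not code posted by any participant and not part of maildrop. The sample messages, addresses, host names and function names are constructed for illustration, and the pattern is the thread's AUTH regex without the "Received: .*" prefix and host-name suffix.

```python
import re
from email import message_from_string

# "(AUTH: ...)" comment immediately followed by "by", as in the thread's regex.
AUTH_RE = re.compile(r"\(AUTH: [^)]*\) *by")

def received_headers(raw):
    """Return Received header values, top first, each unfolded to one line."""
    msg = message_from_string(raw)
    # Folded headers keep their line breaks; collapse all whitespace runs.
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]

def auth_in_any(raw):
    """Loose check: any Received header carries the AUTH comment."""
    return any(AUTH_RE.search(h) for h in received_headers(raw))

def auth_in_top(raw):
    """Strict check: only the top Received header is consulted."""
    hdrs = received_headers(raw)
    return bool(hdrs) and AUTH_RE.search(hdrs[0]) is not None

def should_scan(raw):
    """True when the message must still go through the spam filter."""
    return not auth_in_top(raw)

# Constructed sample: genuinely authenticated submission (multi-line header).
GENUINE = (
    "Received: from a1200 ([192.0.2.10])\n"
    "  (AUTH: LOGIN user@example.com)\n"
    "  by mx.example.com with esmtp; Thu, 08 Jan 2004 00:04:43 -0800\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: unauthenticated delivery carrying a forged AUTH header
# below the header our own server added.
SPOOFED = (
    "Received: from unknown ([198.51.100.7])\n"
    "  by mx.example.com with esmtp; Thu, 08 Jan 2004 00:05:00 -0800\n"
    "Received: from a1200 ([192.0.2.10])\n"
    "  (AUTH: LOGIN user@example.com)\n"
    "  by mx.example.com with esmtp; Thu, 08 Jan 2004 00:04:43 -0800\n"
    "Subject: spam\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, "any:", auth_in_any(raw), "top:", auth_in_top(raw),
              "scan:", should_scan(raw))
```

When the filter runs on the receiving server, the top Received header is the one that server added itself; every header below it arrived with the message and can be forged by the sender.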


RE: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-07 Thread Mitch (WebCob)
Ok - thanks - that works better for a number of reasons - (I'll post the
running version once I play with it) - by making sure I am testing the first
header, I don't need to care about example.com (which is good, cause then I
can put the rule in my maildroprc where I call spamassassin from.

When I use your original example I get Syntax error after =.

#   if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by \
#   [:alnum:]*.SOMEDOMAIN.com/) )

I'm NO maildrop guru - I started with what you sent, trying to get rid of
the domain check - The part that seems to give me trouble is:

( ! $MATCH =~ /Received: .*\(CRAP\) *by/)

Keeping in mind that the original header looks like this (below) could the
multiline format of the header cause the match to fail or is it something
else?:

Received: from a1200 ([24.83.X.X])
  (AUTH: LOGIN [EMAIL PROTECTED])
  by bigass1.XXX.com with esmtp; Thu, 08 Jan 2004 00:04:43 +

The whole snippet for context:

if ( $SIZE < 512000 )
{
i=1
foreach /Received: /
{
#   if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by/) )
#   if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(CRAP\) *by/) )
#THIS WORKS:
if ( $i == 1 )
{
xfilter /usr/bin/spamc -U /var/run/spamassassin.sock -u $UI_Email
}
i=$i+1
}
}

Thanks!

m/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gordon
Messmer
Sent: Wednesday, January 07, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [courier-users] Seeming issue between SA  courier... WAS
RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself
a test message?


Mitch (WebCob) wrote:
> Good idea, but is it really that simple?

Yeah, why not?

> I would only want to do this for
> the top Received header - if I test all headers a spoofed auth header can
> bypass spamassassin.

If you're really that paranoid about it, you can probably flesh this out:

i=1
foreach /Received: /
{
if ( $i == 1 && ( ! $MATCH =~ /Received: .*\(AUTH: [^)]*\) *by \
[:alnum:]*.example.com/) )
{
xfilter /usr/bin/spamc
}
i=$i + 1
}

There's probably something wrong with that.  I didn't test it.






Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-06 Thread Gordon Messmer
Mitch (WebCob) wrote:
> My first concern is that apparently due to the differences in courier's vs
> sendmail's Received header formats, the first courier header is not always
> detected. Secondly, if I am sending to another user in my own system via
> authenticated SMTP, the rule still triggers - even though my authentication
> on the server should allow me some sort of whitelist like status (my
> humble opinion).

Configure maildrop not to pass messages that were AUTH'd to spamassassin:

if( ! ( /Received: .*\(AUTH: [^)]*\) *by [:alnum:]*.example.com/ ) )
{
xfilter /usr/bin/spamc
}

