Re: Ends with string
If I recall correctly (and it's been a while), I was seeing false positives where t.co was matching t.com (or something like that) so I was only paying attention to the need to not allow an alpha-num. Short-sighted, I know (and I might have forgotten that \b isn't a character match). The regex I use to anchor tlds these days (and please tell me if this doesn't work the way I intend) looks like: uri NEWTLD_URI /\.(accountant|beer|bid|..|win|work|xyz)\b[^\.-]/i I have slightly different regexes to match email addresses or server names in headers, but they all basically express the rule "I need to see a word boundary here, but certain non-word characters don't count because it implies the domain name may continue in the given context" On Fri, 8 Sep 2017, RW wrote: On Fri, 8 Sep 2017 13:03:57 -0400 Kevin A. McGrail wrote: On 9/8/2017 12:24 PM, Robert Boyl wrote: Hello, everyone! Is there a way to create a Spamassassin rule that checks for a certain URL suffix such as .ru but makes sure it has to be at the end of the URI? Ends with string. Thanks! Rob Yes, it's called an anchor and Shane Williams a long time ago gave me some advice on that I used in this rule: uri __KAM_SHORT /(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i That doesn't look right, at least not in the context of the OP's question. In (\/|$|\b) the \b seems superfluous as it will match a boundary between a letter and a '.' so the rule will for example match goo.gl.example.com -- Public key #7BBC68D9 at| Shane Williams http://pgp.mit.edu/| System Admin - UT CompSci =--+--- All syllogisms contain three lines | sha...@shanew.net Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
Re: Ends with string
On Fri, 8 Sep 2017 13:03:57 -0400 Kevin A. McGrail wrote: > On 9/8/2017 12:24 PM, Robert Boyl wrote: > > Hello, everyone! > > > > Is there a way to create a Spamassassin rule that checks for a > > certain URL suffix such as .ru but makes sure it has to be at the > > end of the URI? Ends with string. > > > > Thanks! > > Rob > > Yes, it's called an anchor and Shane Williams a long time ago gave me > some advice on that I used in this rule: > > uri __KAM_SHORT > /(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i That doesn't look right, at least not in the context of the OP's question. In (\/|$|\b) the \b seems superfluous as it will match a boundary between a letter and a '.' so the rule will for example match goo.gl.example.com
Re: Ends with string
Kevin A. McGrail skrev den 2017-09-08 19:03:
Yes, it's called an anchor and Shane Williams a long time ago gave me
some advice on that I used in this rule:
uri __KAM_SHORT
/(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i
why make it complicated ?
enlist_url_host (MYTLD) ru
enlist_url_host (MYTLD) dk
and i have forgot my own rules to this list :=)
googled:
https://lists.gt.net/spamassassin/devel/154398
Example 1:
enlist_uri_host (LOW) geocities.com
enlist_uri_host (MED) geocities.yahoo.com.br
enlist_uri_host (LOW) AutoFinanceUK.co.uk
enlist_uri_host (HIGH) blasdutro buckrea.com
enlist_uri_host (MED) True.com
enlist_uri_host (LOW) imageshack.us
and the corresponding rules:
header URI_HOST_LOW eval:check_uri_host_listed('LOW')
describe URI_HOST_LOW Host or domain found in URI is listed in the LOW
list
tflags URI_HOST_LOW userconf noautolearn
score URI_HOST_LOW 1.5
header URI_HOST_MED eval:check_uri_host_listed('MED')
describe URI_HOST_MED Host or domain found in URI is listed in the MED
list
tflags URI_HOST_MED userconf noautolearn
score URI_HOST_MED 4
header URI_HOST_HIGH eval:check_uri_host_listed('HIGH')
describe URI_HOST_HIGH Host or domain found in URI is listed in the HIGH
list
tflags URI_HOST_HIGH userconf noautolearn
score URI_HOST_HIGH 12
Example 2:
blacklist_uri_host www.need-lust.com www.crave-lust
blacklist_uri_host sommerphantasie.com klick2go.com lucymeier.com
blacklist_uri_host www.replaceftpsmtp.com www.aectransfer.org
blacklist_uri_host epsore.com www.alveal.com
blacklist_uri_host reppsetinte.com preprotissit.com
blacklist_uri_host www.weinportale.de www.fasctvideos.cn
blacklist_uri_host www.dilcasino.com www.hotgoldgambling.net
blacklist_uri_host www.antos.si www.omegaic.net www.clickonevent.com
blacklist_uri_host www.exorcism.org www.eturning.com
www.piramidasunca.ba
blacklist_uri_host 64.15.147.100
blacklist_uri_host bot.tormaxusa.net www.qtechna.si www.clecle.si
blacklist_uri_host www.ninadesign.co.nr constructionfiles.net
aecfiles02.com
blacklist_uri_host filetransfer00.com filetransfer01.com
filetransfer02.com
blacklist_uri_host filetransfer03.com filetransfer04.com
filetransfer05.com
blacklist_uri_host filetransfer06.com filetransfer07.com
filetransfer08.com
blacklist_uri_host filetransfer09.com
header URI_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
describe URI_HOST_IN_BLACKLIST Host or domain found in URI is
blacklisted
tflags URI_HOST_IN_BLACKLIST userconf noautolearn
score URI_HOST_IN_BLACKLIST 8
header URI_HOST_IN_WHITELIST eval:check_uri_host_listed('WHITE')
describe URI_HOST_IN_WHITELIST Host or domain found in URI is
blacklisted
tflags URI_HOST_IN_WHITELIST userconf nice noautolearn
score URI_HOST_IN_WHITELIST -10
Example 3:
enlist_uri_host (RCKT) ru !aaa.example.kr cn kr tr
header URI_HOST_RCKT eval:check_uri_host_listed('RCKT')
score URI_HOST_RCKT 0.1
enlist_uri_host (RU) ru
header URI_HOST_RU eval:check_uri_host_listed('RU')
score URI_HOST_RU 1.8
enlist_uri_host (CN) cn
header URI_HOST_CN eval:check_uri_host_listed('CN')
score URI_HOST_CN 1.2
enlist_uri_host (KR) kr
header URI_HOST_KR eval:check_uri_host_listed('KR')
score URI_HOST_KR 1.5
enlist_uri_host (TR) tr
header URI_HOST_TR eval:check_uri_host_listed('TR')
score URI_HOST_TR 1.5
sorry for spamming with more examples, it was intended to make more good
rules
Re: Ends with string
On 9/8/2017 12:24 PM, Robert Boyl wrote: Hello, everyone! Is there a way to create a Spamassassin rule that checks for a certain URL suffix such as .ru but makes sure it has to be at the end of the URI? Ends with string. Thanks! Rob Yes, it's called an anchor and Shane Williams a long time ago gave me some advice on that I used in this rule: uri __KAM_SHORT /(\/|^|\b)(?:j\.mp|bit\.ly|goo\.gl|x\.co|t\.co|t\.cn|tinyurl\.com|hop\.kz|urla\.ru|fw\.to)(\/|$|\b)/i Regards, KAM
Re: Ends with string
Robert Boyl skrev den 2017-09-08 18:24: Is there a way to create a Spamassassin rule that checks for a certain URL suffix such as .ru but makes sure it has to be at the end of the URI? Ends with string. have you in mind to just match a tld ? in that case read: perldoc Mail::SpamAssassin::Conf (see section enlists) http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
Re: Ends with string
On 08.09.2017 18:24, Robert Boyl wrote: > Is there a way to create a Spamassassin rule that checks for a certain > URL suffix such as .ru but makes sure it has to be at the end of the > URI? Ends with string. There is (foo$). SpamAssassin uses Perl regular expressions, and you can find many related examples and tutorials. See also "WritingRules" on the SpamAssassin Wiki. -Ralph
Ends with string
Hello, everyone! Is there a way to create a Spamassassin rule that checks for a certain URL suffix such as .ru but makes sure it has to be at the end of the URI? Ends with string. Thanks! Rob
Re: pyzor config and sig15
On 2017-09-08 10:56, Steven Conrad Bayer wrote: > is the Pyzor network down again? Works for me now: ahiker!2 itz$ pyzor check < Mail/mail.net.spamassassin.users/new/1504861340.17441_1.ahiker public.pyzor.org:24441 (200, 'OK') 0 0 but it was down earlier this week, as discussed in the thread. -- Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: pyzor config and sig15
Hi everybody, is the Pyzor network down again? We receiving the following error when we execute 'pyzor ping' public.pyzor.org:24441 (504, 'Reading response timed-out.') Is there anybody which can confirm this too?
