RE: [WARNING] RE: Help with rule matching when it shouldn't

2024-03-20 Thread Erickarlo Porro
I figured out why my RETURNPATH rule was matching. My example was too sanitized 
and I was actually trying to find multiple domains in my regex. So it would 
always match due to the fact that it would always not equal the other domain I 
was looking for.

RE: Help with rule matching when it shouldn't

2024-03-20 Thread Erickarlo Porro
I want to catch “yahoo” anywhere in the header so that it matches if it's in the 
name or in the address. So I would want to match ya...@gmail.com

Regarding "__RETURNPATH_IS", I have the rule set to “!~” so shouldn’t that rule 
only match if that header has anything but yahoo.com? I did notice that I had a 
typo when I wrote the email due to the period but my rule actually looks like 
this:
header __RETURNPATH_IS Return-Path !~ /yahoo\.com$/i
My intention is to find emails that have a specific company name in the From 
header but the return path does not include their domain. So like in my 
theoretical example, if someone emails me from ya...@gmail.com and the return 
path does include yahoo.com then don’t match, but if someone emails me from 
ya...@othercompany.com but the return path does not include yahoo.com, match 
my rule.





Re: Help with rule matching when it shouldn't

2024-03-20 Thread Matus UHLAR - fantomas

On 20.03.24 06:44, Jimmy wrote:

Regarding the example provided, the "__RETURNPATH_IS" rule should indeed be
triggered since it matches "yahoo.com" in the return-path. If you're
uncertain about the intended behavior of the rules, please clarify the
requirements so we can adjust the rules accordingly.


Note that Return-Path may not exist at the time spam is filtered as it is 
often added when mail is delivered to mailbox.





--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: Help with rule matching when it shouldn't

2024-03-19 Thread Jimmy
The correct syntax for the header rule should be:

header __FROM_ADDRESS From:addr =~ /\@yahoo\.com/i

This rule will specifically match email addresses containing "@yahoo.com"
while excluding addresses like "ya...@gmail.com".

Regarding the example provided, the "__RETURNPATH_IS" rule should indeed be
triggered since it matches "yahoo.com" in the return-path. If you're
uncertain about the intended behavior of the rules, please clarify the
requirements so we can adjust the rules accordingly.

Jimmy





Help with rule matching when it shouldn't

2024-03-19 Thread Erickarlo Porro
Could someone help me figure out why my custom rule is matching when it should 
not be matching?

This is my current setup:
header __FROM_ADDRESS From =~ /yahoo/i
header __RETURNPATH_IS Return-Path !~ /yahoo.com$/i

meta   NOT_IT (__FROM_ADDRESS && __RETURNPATH_IS)
describe NOT_IT Sender is not correct
score  NOT_IT 4.0


Take these headers as an example:
From: ya...@gmail.com
Return-path: ya...@yahoo.com

If I send an email that would have those headers, SpamAssassin is getting a hit 
for my NOT_IT rule, but that should not match because __RETURNPATH_IS should not 
get a hit.

How can I troubleshoot this?
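Summing up the thread, here is an added example (my code, not the poster's rules or SpamAssassin's) that models the `header` and `meta` rules above in Python, with Python's `re` standing in for Perl's engine. The header sets are constructed; it assumes an absent header never fires a rule in either direction and that a real Return-Path is written in the bracketed `<address>` form.

```python
import re

# Constructed sample headers (raw header text as a rule would see it).  A real
# Return-Path is written as <address>, so the angle brackets are kept here.
YAHOO_IN_GMAIL = {            # the poster's test case
    "from": "yahoo@gmail.com",
    "return-path": "<yahoo@yahoo.com>",
}
YAHOO_NAME_ELSEWHERE = {      # what the poster wants NOT_IT to catch
    "from": '"Yahoo Support" <support@othercompany.com>',
    "return-path": "<bounce@othercompany.com>",
}
GENUINE = {                   # a legitimate yahoo.com sender
    "from": "Someone <someone@yahoo.com>",
    "return-path": "<someone@yahoo.com>",
}
NO_RETURN_PATH = {            # Matus's caveat: Return-Path added only at delivery
    "from": "Someone <someone@yahoo.com>",
}


def addr_part(value):
    """Mimic the `:addr` modifier: keep only the address, dropping the display name."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.strip()


def header_rule(headers, name, pattern, negate=False):
    """Evaluate `header RULE Name =~ /pattern/i`, or `!~` when negate is set.
    `name` may carry the `:addr` modifier.  Assumption: an absent header never
    fires the rule in either direction (SA's [if-unset:] exists to change that)."""
    base, _, modifier = name.partition(":")
    value = headers.get(base.lower())
    if value is None:
        return False
    if modifier == "addr":
        value = addr_part(value)
    hit = re.search(pattern, value, re.IGNORECASE) is not None
    return (not hit) if negate else hit


def not_it_as_posted(h):
    r"""The thread's rules: From =~ /yahoo/i  &&  Return-Path !~ /yahoo\.com$/i.
    On a bracketed Return-Path the `$` anchor sits after '>', so the negated
    rule fires even when the envelope sender really is at yahoo.com."""
    return (header_rule(h, "From", r"yahoo")
            and header_rule(h, "Return-Path", r"yahoo\.com$", negate=True))


def not_it_with_addr(h):
    """Same intent, anchoring on the bare address via Return-Path:addr."""
    return (header_rule(h, "From", r"yahoo")
            and header_rule(h, "Return-Path:addr", r"@yahoo\.com$", negate=True))


def from_addr_is_yahoo(h):
    """Jimmy's From:addr rule: true only for a real @yahoo.com sender address."""
    return header_rule(h, "From:addr", r"@yahoo\.com")


if __name__ == "__main__":
    cases = [("yahoo@gmail", YAHOO_IN_GMAIL), ("yahoo name elsewhere", YAHOO_NAME_ELSEWHERE),
             ("genuine yahoo", GENUINE), ("no Return-Path", NO_RETURN_PATH)]
    for label, h in cases:
        print(f"{label:22s} NOT_IT as posted={not_it_as_posted(h)!s:5}  "
              f"with :addr={not_it_with_addr(h)!s:5}  From:addr is yahoo={from_addr_is_yahoo(h)}")
```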




Re: Help with rule

2023-06-06 Thread John Hardin

On Mon, 5 Jun 2023, jacklistm...@gmail.com wrote:


header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/


Missing a period in that one.


meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP


Extra "from" already noted.

If you're looking to whitelist specific senders coming from specific IP 
addresses, there's already built-in features for that. Look into 
whitelist_from_rcvd, it may do exactly what you want.



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous
  or religious, or to preserve the fool from the consequences
  of his own folly.   -- Henry George
---
 Today: the 79th anniversary of D-Day


Re: Help with rule

2023-06-06 Thread Bill Cole

On 2023-06-06 at 01:32:14 UTC-0400 (Tue, 6 Jun 2023 08:32:14 +0300)
Henrik K via users 
is rumored to have said:


On Tue, Jun 06, 2023 at 12:12:10AM -0400, Bill Cole wrote:


Escape the @ with a \
SA uses Perl, so you need to escape %, @, and $ in regular 
expressions.


Perl regular expressions does not mean it's parsed as Perl code,


Correct, but for some time in the past, rule regexes were treated as 
double-quoted strings. The artifacts of that history remain in the 
default rules channel.



no need to
quote such things on any remotely modern SA version.


I stand corrected. Clearly I did not notice this improvement when it 
happened.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Help with rule

2023-06-06 Thread Matus UHLAR - fantomas

On 05.06.23 22:04, jacklistm...@gmail.com wrote:

I know this isn't the best method, I have to learn some of the previous
suggestions, but I would like to get this rule to work.

Not sure where I went wrong.

header FROM_CLIENT_EMAIL From =~ /client@client\.com/i


I recommend using From:addr, so you won't allow someone like:

"cli...@client.com "


header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/


This can also be tricked; I recommend using the X-Spam-Relays-Trusted 
pseudo-header:


https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustedRelays

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...


RE: Help with rule

2023-06-06 Thread jacklistmail
Hello,


Thanks, it looks like there was an extra "from" in my code; it was that line
that gave me the error with --lint. It actually passed with the @ escaped
or not; I will conduct some tests to make sure.

 

 




Re: Help with rule

2023-06-05 Thread Henrik K via users
On Tue, Jun 06, 2023 at 12:12:10AM -0400, Bill Cole wrote:
> 
> Escape the @ with a \
> SA uses Perl, so you need to escape %, @, and $ in regular expressions.

Perl regular expressions does not mean it's parsed as Perl code, no need to
quote such things on any remotely modern SA version.



Re: Help with rule

2023-06-05 Thread Bill Cole

On 2023-06-05 at 22:04:47 UTC-0400 (Mon, 5 Jun 2023 22:04:47 -0400)
 
is rumored to have said:


Hello All,



I know this isn't the best method, I have to learn some of the 
previous

suggestions, but I would like to get this rule to work.

Not sure where I went wrong.



header FROM_CLIENT_EMAIL From =~ /client@client\.com/i


Escape the @ with a \
SA uses Perl, so you need to escape %, @, and $ in regular expressions.

I think "spamassassin --lint" will catch unescaped special characters in 
rules, and it is always a good idea to run that when you add or change 
rules.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Help with rule

2023-06-05 Thread Loren Wilton
> meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP

Is that a typo when you were making this mail, or is it actually how the line 
is coded? There is an extra "from" there.

Even if you fix that, you won't get the results you expect. Both 
FROM_CLIENT_EMAIL and  FROM_CLIENT_IP will score as 1 point each if they hit, 
so your final adjusted score will be +1, not -1.

You can fix that in several ways:

header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
score  FROM_CLIENT_EMAIL 0.01
header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/
score  FROM_CLIENT_IP 0.01

Or

header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/
meta FROM_CLIENT_TEST FROM_CLIENT_EMAIL && FROM_CLIENT_IP
score FROM_CLIENT_TEST -3.0

Or the probably best way once you have the tests debugged and you know they 
both hit correctly:

header __FROM_CLIENT_EMAIL From =~ /client@client\.com/i
header __FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/
meta FROM_CLIENT_TEST __FROM_CLIENT_EMAIL && __FROM_CLIENT_IP
score FROM_CLIENT_TEST -1.0

The double underscore on the front of the rule will keep it from contributing a 
score of its own, and it will not show in the list of hit rules. Thus you will 
only see the result of the meta.



Loren
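As an added example (not Loren's or SpamAssassin's code), a small scorer that parses the rule sets above and totals them against a constructed message, assuming SA's default score of 1.0 for an unscored rule and none for `__` rules. The Received line is constructed to suit the poster's regex; Python's `re` stands in for Perl's engine, and both read `\230` as an octal escape.

```python
import re

# Constructed headers for a message from the client.  The Received line is written
# to suit the poster's regex; the IP is the thread's, with its missing period restored.
HEADERS = {
    "From": "Client <client@client.com>",
    "Received": "from 138.31.230.222 (EHLO mail.client.com) by mx.example.net",
}

VARIANTS = {
    # as posted (stray "from" dropped): \230 is an octal escape to Perl, not ".230"
    "as_posted": r"""
        header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
        header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/
        meta FROM_CLIENT_TEST FROM_CLIENT_EMAIL && FROM_CLIENT_IP
        score FROM_CLIENT_TEST -1.0
    """,
    # period restored: both sub-rules hit and each adds the default 1.0
    "period_fixed": r"""
        header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
        header FROM_CLIENT_IP Received =~ /from 138\.31\.230\.222/
        meta FROM_CLIENT_TEST FROM_CLIENT_EMAIL && FROM_CLIENT_IP
        score FROM_CLIENT_TEST -1.0
    """,
    # Loren's second option: a meta score that cancels the two default points
    "meta_minus_3": r"""
        header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
        header FROM_CLIENT_IP Received =~ /from 138\.31\.230\.222/
        meta FROM_CLIENT_TEST FROM_CLIENT_EMAIL && FROM_CLIENT_IP
        score FROM_CLIENT_TEST -3.0
    """,
    # Loren's preferred option: __ sub-rules neither score nor show
    "hidden_subrules": r"""
        header __FROM_CLIENT_EMAIL From =~ /client@client\.com/i
        header __FROM_CLIENT_IP Received =~ /from 138\.31\.230\.222/
        meta FROM_CLIENT_TEST __FROM_CLIENT_EMAIL && __FROM_CLIENT_IP
        score FROM_CLIENT_TEST -1.0
    """,
}

LINE_RE = re.compile(r"^(header|meta|score)\s+(\S+)\s+(.+)$")
HEADER_RE = re.compile(r"^(\S+)\s+(=~|!~)\s+/(.*)/([a-z]*)$")

def parse_rules(text):
    """Return ({name: spec}, {name: score}) for the subset of SA syntax used here."""
    rules, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule line: {line}")
        kind, name, rest = m.groups()
        if kind == "score":
            scores[name] = float(rest.split()[0])
        elif kind == "header":
            hm = HEADER_RE.match(rest)
            if not hm:
                raise ValueError(f"bad header rule: {line}")
            hdr, op, pattern, flags = hm.groups()
            rules[name] = ("header", hdr, op == "!~", pattern, flags)
        else:  # meta: only `A && B` conjunctions are needed here
            rules[name] = ("meta", [t.strip() for t in rest.split("&&")])
    return rules, scores

def evaluate(rules, headers):
    """Map each rule name to whether it hit; meta rules resolve their terms recursively."""
    hits = {}

    def hit(name):
        if name not in hits:
            kind, *spec = rules[name]
            if kind == "header":
                hdr, negate, pattern, flags = spec
                found = re.search(pattern, headers.get(hdr, ""),
                                  re.IGNORECASE if "i" in flags else 0) is not None
                hits[name] = (not found) if negate else found
            else:
                hits[name] = all(hit(t) for t in spec[0])
        return hits[name]

    for name in rules:
        hit(name)
    return hits

def total_score(text, headers=HEADERS):
    """Total of the hit rules: SA's default 1.0 when unscored, nothing for __ rules."""
    rules, scores = parse_rules(text)
    hits = evaluate(rules, headers)
    return round(sum(scores.get(n, 1.0) for n, h in hits.items()
                     if h and not n.startswith("__")), 2)

def all_totals():
    return {name: total_score(text) for name, text in VARIANTS.items()}
```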






Help with rule

2023-06-05 Thread jacklistmail
Hello All,

 

I know this isn't the best method, I have to learn some of the previous
suggestions, but I would like to get this rule to work.

Not sure where I went wrong.

 

header FROM_CLIENT_EMAIL From =~ /client@client\.com/i

header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/

meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP

score FROM_CLIENT_TEST -1.0

 

 

Thanks!



Please help with rule

2008-02-25 Thread Dave Koontz
I am still getting some Storm Worm messages that are not being caught, 
even with Sane Security / ClamAV.  I thought I'd write a rule to score 
any URL that has a dot exe, scr or pif extension.  However, my rule is 
not working.  Can someone help advise what is wrong?  I want it to 
pick up any http or https with those extensions.


body     Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL  Dangerous URL
score    Dangerous_URL  7.5

Thanks in advance!





Re: Please help with rule

2008-02-25 Thread Loren Wilton

Untested, but try

uri      EXECUTABLE_WEBSITE  /\.(?:exe|scr|pif)$/i

   Loren




Re: Please help with rule

2008-02-25 Thread Benny Pedersen

On Sat, February 23, 2008 15:52, Dave Koontz wrote:
 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to
 pickup any http or https with those extensions.

 body     Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i
 describe Dangerous_URL  Dangerous URL
 score    Dangerous_URL  7.5

Have you tested whether the antivirus plugin caught it?

Below is what I have in postfix mime_header_checks (each rule is one line):

/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/ REJECT For security reasons we reject attachments of this type

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/ REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

Take care of line wraps.




Re: Please help with rule

2008-02-25 Thread Joseph Brennan



--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED] 
wrote:



I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV.  I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension.  However, my rule is
not working.  Can someone help advise what is wrong?  I want it to pickup
any http or https with those extensions.


body     Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i



uri      Dangerous_URL  /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.


Joseph Brennan
Columbia University Information Technology



RE: Please help with rule

2008-02-25 Thread Dave Koontz
Thanks all for the info, the uri check is much better.  

Joseph you were absolutely correct about it catching too wide.  I modified
it to pattern check the end only and it now works a treat!

uri      DANGEROUS_URL  /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL  URL contains executable content
score    DANGEROUS_URL  7.5
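An added example (not from the thread) running the three patterns proposed above over the URIs in a constructed HTML body, beside a check that reads the extension from the URL path; Python's `re` stands in for Perl's engine, and the URI extraction is a crude stand-in for what SpamAssassin's `uri` rules see.

```python
import re
from urllib.parse import urlsplit

# Constructed HTML body in the style of the lure being discussed
BODY = """<p>Your download is ready: <a href="http://www.example.net/update.exe">click</a>
or visit http://files.example.org/report.SCR today.
See also http://www.scratchy.tld/ and http://cdn.example.com/setup.exe?id=42
and the harmless http://docs.example.com/readme.html</p>"""

URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def extract_uris(body):
    """Crude stand-in for the `uri` rule's input: every http(s) URL in the body."""
    return URI_RE.findall(body)

# The patterns from the thread, in the order they were proposed
AS_POSTED = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I)     # {1,200} binds to the 'p'
WITH_DOT = re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.I)     # Joseph: dot before the quantifier
ANCHORED = re.compile(r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$", re.I)  # Dave's final rule

def hits(pattern, uris):
    """Which of the extracted URIs a pattern fires on."""
    return [u for u in uris if pattern.search(u)]

DANGEROUS = {"exe", "scr", "pif", "cmd", "bat", "vbs", "wsh"}

def dangerous_by_path(uri, exts=DANGEROUS):
    """Take the extension from the URL path only, so a query string or a
    different case cannot hide it and a hostname like scratchy.tld cannot fake it."""
    path = urlsplit(uri).path
    _, dot, ext = path.rpartition(".")
    return bool(dot) and "/" not in ext and ext.lower() in exts

def path_hits(uris):
    return [u for u in uris if dangerous_by_path(u)]
```

The `$`-anchored rule misses `setup.exe?id=42`, which the path-based check still catches; the `.{1,200}` form fires on `www.scratchy.tld`, as Joseph warned.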
 






RE: Please help with rule

2008-02-25 Thread Michael Hutchinson
I don't know if it's standard practice on the list, but I do my
attachment filtering with Simscan, not SpamAssassin, using
/var/qmail/control/simcontrol where the config reads:

[EMAIL PROTECTED]:clam=yes,spam=no
[EMAIL PROTECTED]:clam=yes,spam=no
:clam=yes,spam=yes,spam_hits=20,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

The first two lines mean that for the two domains listed, there will be
no spam checking (SpamAssassin), and there will be antivirus scanning
(clamav).

The last line is global configuration, so for every other site,
antivirus checking and SpamAssassin checking are switched on, plus we
block the listed attachments outright.

Sorry if you don't run Simscan, just thought I'd post my $0.02.

Cheers,
Michael Hutchinson



Help with rule

2007-04-10 Thread Steven Stern

I'm trying to flag a type of spam that seems to be slipping through with
a very low score

The common factor is that all of the messages have something like

Just type www [.] pillking [.] org
Just type FONT color=#ffwww/FONT [.]
STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
color=#fforg/FONT/FONT

   Just type www [dot] pilldoc [dot] org

I suspect a rule that looks for www*pill*org would work. How do I turn
that into a regex?


- --

  Steve


Re: Help with rule

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, Steven Stern wrote:

 Just type www [.] pillking [.] org
 Just type FONT color=#ffwww/FONT [.]
 STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
 color=#fforg/FONT/FONT
 
Just type www [dot] pilldoc [dot] org
 
 I suspect a rule that looks for www*pill*org would work. How do I turn
 that into a regex?

Perhaps something like:

  body  OBFUSC_PILL_URI  /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Help with rule

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, John D. Hardin wrote:

 On Tue, 10 Apr 2007, Steven Stern wrote:
 
  Just type www [.] pillking [.] org
  Just type FONT color=#ffwww/FONT [.]
  STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
  color=#fforg/FONT/FONT
  
 Just type www [dot] pilldoc [dot] org
  
  I suspect a rule that looks for www*pill*org would work. How do I turn
  that into a regex?
 
 Perhaps something like:
 
   body  OBFUSC_PILL_URI  /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

Actually, body matches strip out HTML markup so you could tighten it
up a bit:

  body  OBFUSC_PILL_URI  /\bwww\b.{3,10}\bpill.{3,15}\borg\b/i

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority.-- Cringely, 4/8/2004
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Help with rule

2007-04-10 Thread Kelson

Steven Stern wrote:

I suspect a rule that looks for www*pill*org would work. How do I turn
that into a regex?


Basic:              /www.*pill.*org/
Slightly optimized: /www.{1,30}pill.{1,30}org/

.       matches any character.
*       means anywhere 0 or more of the preceding item, so
.*      matches 0 or more of any character.
{X,Y}   means anywhere from X to Y of the preceding item.

You don't want to use .* in a SA rule, though, because if it matches 
"www" it'll keep looking for a long time until it finds "pill" or runs 
out of text to look at.  .{1,30} will match 1 to 30 of any character in 
a row, so if it finds "www" it will only look through 30 characters for 
"pill".


You can also make it more specific, matching things only at word 
boundaries, etc.


There's a good tutorial and reference at www.regular-expressions.info -- 
one of the few legit .info names I've seen.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Help with rule for geocities spam

2006-05-23 Thread Daryl C. W. O'Shea

On 5/23/2006 2:51 AM, Benny Pedersen wrote:

http://wiki.apache.org/spamassassin/WebRedirectPlugin



there is a slight config error on the page

[WWW] http://people.apache.org/~dos/sa-plugins/3.1/WebRedirect.cf
[WWW] http://people.apache.org/~dos/sa-plugins/3.1/WebRedirect.pm

in the cf file the loadplugin should really be in a pre file and commented out 
in the cf file

just be aware not to use loadplugin in a cf file

i have made local.pre for plugins that are 3rd party


It's only a problem if you want to add more rules, that rely on the 
plugin, in a file that comes before WebRedirect.cf alphabetically.  Of 
course anyone who would add their own rules using the interface provided 
by the plugin should know enough to load the plugin before their rules.


It's a fairly safe trade-off, since not many people will add their own 
rules anyway, between providing two files or three.



Daryl


Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
I just grepped my entire mail hierarchy for .geocities.com and the only 
legitimate stuff I see either uses the www or uk subdomains. How can I 
write a rule that matches on that? If it were just one subdomain I could 
write one rule for all subdomains and one for just the one subdomain and 
use a negative score for the latter to match the positive score for the 
all-subdomain rule. But how do I handle two good subdomains?


RE: Help with rule for geocities spam

2006-05-22 Thread Bowie Bailey
Kenneth Porter wrote:
 I just grepped my entire mail hierarchy for .geocities.com and the
 only legitimate stuff I see either uses the www or uk subdomains. How
 can I write a rule that matches on that? If it were just one
 subdomain I could write one rule for all subdomains and one for just
 the one subdomain and use a negative score for the latter to match
 the positive score for the all-subdomain rule. But how do I handle
 two good subdomains? 

I assume you mean www.geocities.com and uk.geocities.com, right?

Try this:

/(?:www|uk)\.geocities\.com/

Add other anchors as appropriate...

-- 
Bowie


RE: Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
On Monday, May 22, 2006 12:28 PM -0400 Bowie Bailey [EMAIL PROTECTED] 
wrote:



I assume you mean www.geocities.com and uk.geocities.com, right?

Try this:

/(?:www|uk)\.geocities\.com/

Add other anchors as appropriate...


Doh! That was too easy! :P

BTW, in my corpus the only legit use of other subdomains are from samples a 
year or more in the past.





Re: Help with rule for geocities spam

2006-05-22 Thread Michael Monnerie
On Monday, 22 May 2006 18:28 Bowie Bailey wrote:
  /(?:www|uk)\.geocities\.com/

Or the full line could be:
uri      ZMIgeocitiesGOOD  m{(?:www|uk)\.geocities\.com}
describe ZMIgeocitiesGOOD  probably good geocities site
score    ZMIgeocitiesGOOD  -1.2

or whatever score you want to give them.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie 
[EMAIL PROTECTED] wrote:



Or the full line could be:
uri      ZMIgeocitiesGOOD  m{(?:www|uk)\.geocities\.com}
describe ZMIgeocitiesGOOD  probably good geocities site
score    ZMIgeocitiesGOOD  -1.2

or whatever score you want to give them.


Does a uri rule count once per instance or for all matching uris? If, for 
instance, I have that rule and one matching *all* subdomains with a +1.2, 
does a spammer just have to insert a good uri to nullify the score for 
the bad one?


Alternatively, is there regex syntax to match all patterns *except* the one 
given? Can I somehow express all geocities.com subdomains except www and 
uk as a regex?





RE: Help with rule for geocities spam

2006-05-22 Thread Bowie Bailey
Kenneth Porter wrote:
 On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie
 [EMAIL PROTECTED] wrote:
 
  Or the full line could be:
  uri      ZMIgeocitiesGOOD  m{(?:www|uk)\.geocities\.com}
  describe ZMIgeocitiesGOOD  probably good geocities site
  score    ZMIgeocitiesGOOD  -1.2
  
  or whatever score you want to give them.
 
 Does a uri rule count once per instance or for all matching uris? If,
 for instance, I have that rule and one matching *all* subdomains with
 a +1.2, does a spammer just have to insert a good uri to nullify
 the score for the bad one?

The URI rule just says "does this exist in the message?"  So it will
only hit once per message.  And yes, spammers could take advantage of
this rule.  This is why there are not many negative scoring rules in
SA.

 Alternatively, is there regex syntax to match all patterns *except*
 the one given? Can I somehow express all geocities.com subdomains
 except www and uk as a regex?

That is a bit trickier because Perl does not currently support
variable length look-behinds.  But you can get around that by using
two separate look-behinds like this:

/(?<!\bwww)(?<!\buk)\.geocities\.com/

Note that you have to anchor both options separately.

-- 
Bowie


RE: Help with rule for geocities spam

2006-05-22 Thread Matthew.van.Eerde
Bowie Bailey wrote:
 Kenneth Porter wrote:
 Alternatively, is there regex syntax to match all patterns *except*
 the one given? Can I somehow express all geocities.com subdomains
 except www and uk as a regex?
 
 That is a bit trickier because Perl does not currently support
 variable length look-behinds.  But you can get around that by using
 two separate look-behinds like this:
 
 /(?<!\bwww)(?<!\buk)\.geocities\.com/

In this specific case, this might suffice:
/[^wu][^wk]\.geocities\.com/i

... but this pattern does not generalize well.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: Help with rule for geocities spam

2006-05-22 Thread Bowie Bailey
[EMAIL PROTECTED] wrote:
 Bowie Bailey wrote:
  Kenneth Porter wrote:
   Alternatively, is there regex syntax to match all patterns
   *except* the one given? Can I somehow express all geocities.com
   subdomains except www and uk as a regex?
  
  That is a bit trickier because Perl does not currently support
  variable length look-behinds.  But you can get around that by using
  two separate look-behinds like this:
  
  /(?<!\bwww)(?<!\buk)\.geocities\.com/
 
 In this specific case, this might suffice:
 /[^wu][^wk]\.geocities\.com/i

This is probably a less expensive regex, but it does not match quite
the same thing.  This will match any subdomain that does not end in
ww, wk, uw, or uk.

For instance, it will not match on squawk.geocities.com.

 ... but this pattern does not generalize well.

True, but neither does mine once you get past two or three
alternatives.

-- 
Bowie
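An added example, not from the thread, that checks the candidate "all geocities.com subdomains except www and uk" patterns against constructed URIs. It is written in Python because Python's re module has the same fixed-width look-behind restriction as Perl, so the patterns carry over unchanged and can be run offline. LOOKBEHIND is the two-separate-look-behind form Bowie describes, written as (?<!\bwww)(?<!\buk); CHARCLASS is Matthew's [^wu][^wk] form; LABEL_LOOKAHEAD is a third pattern that does not appear in the thread and is added here because it anchors at the start of the host label, so it extends to any list of allowed labels without the tail-only problem. The sample URIs, the ALLOWED tuple and the function names are all assumptions made for this test.

```python
import re

# URIs constructed for this example (none are from the thread).
SAMPLE_URIS = [
    "http://www.geocities.com/somepage",
    "http://uk.geocities.com/another",
    "http://spamhost.geocities.com/offer",
    "http://squawk.geocities.com/x",        # label ends in "wk"
    "http://xwww.geocities.com/y",          # "www" not at a word boundary
    "http://geocities.com/",                # no subdomain at all
    "http://www.example.com/",
]

# Two separate fixed-width negative look-behinds, one per allowed label.
# Perl and Python's re both reject variable-width look-behinds, which is
# why (?<!\b(?:www|uk)) cannot be written as a single assertion.
LOOKBEHIND = re.compile(r"(?<!\bwww)(?<!\buk)\.geocities\.com", re.I)

# Character-class form: cheaper, but it only excludes hosts whose last two
# characters are ww, wk, uw or uk, so it does not match the same set.
CHARCLASS = re.compile(r"[^wu][^wk]\.geocities\.com", re.I)

# Label-anchored form (hypothetical, not from the thread): start at the
# beginning of the host label and reject the whole label when it is on
# the allow list, so the list can grow without rewriting the regex.
ALLOWED = ("www", "uk")
LABEL_LOOKAHEAD = re.compile(
    r"(?<![\w.-])(?!(?:%s)\.geocities\.com)[\w-]+\.geocities\.com"
    % "|".join(re.escape(label) for label in ALLOWED),
    re.I,
)

PATTERNS = {
    "lookbehind": LOOKBEHIND,
    "charclass": CHARCLASS,
    "label_lookahead": LABEL_LOOKAHEAD,
}


def hits(pattern, uris=SAMPLE_URIS):
    """Return the URIs the pattern would hit, as a uri rule would see them."""
    return [u for u in uris if pattern.search(u)]


def compare(uris=SAMPLE_URIS):
    """Hit list per pattern, so the three can be read side by side."""
    return {name: hits(rx, uris) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, matched in compare().items():
        print(name, matched)
```

Running it shows the behaviour discussed above: the look-behind form hits spamhost, squawk and xwww (xwww counts as "not www" because the \b anchor sits inside each look-behind, which is why both options have to be anchored separately), the character-class form hits only spamhost and misses squawk.geocities.com, and the label-anchored form agrees with the look-behind form while staying readable once the allow list grows past two or three entries.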


Re: Help with rule for geocities spam

2006-05-22 Thread Kenneth Porter
As it turns out, I had a SARE rule installed that should catch these, but I 
found some spams leaking through due to the insecure dependency bug (bug 
3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W. 
O'Shea's patch for that bug.


Here's the SARE rule:

http://www.rulesemporium.com/rules/70_sare_specific.cf

(Look for __SARE_SPEC_XXGEOCITIE)


Re: Help with rule for geocities spam

2006-05-22 Thread jdow

From: [EMAIL PROTECTED]

Bowie Bailey wrote:

Kenneth Porter wrote:

Alternatively, is there regex syntax to match all patterns *except*
the one given? Can I somehow express all geocities.com subdomains
except www and uk as a regex?


That is a bit trickier because Perl does not currently support
variable length look-behinds.  But you can get around that by using
two separate look-behinds like this:

/(?<!\bwww)(?<!\buk)\.geocities\.com/


In this specific case, this might suffice:
/[^wu][^wk]\.geocities\.com/i

... but this pattern does not generalize well.

 jdow  meh - simply use the easy rule for either www or uk.
Give it a score of 0.001 if you want to monitor it. Then use it
in a meta rule with a /geocities.com/ rule. If it is the latter
and not the former give it 1000 points or whatever. If it is
the latter AND the former be nice and only give it 999 + 1 points.

{^_-}
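An added example, not from the thread, that models the scoring question Kenneth raised (does one good URI cancel the score for a bad one?) together with Bowie's answer (a uri rule hits at most once per message) and the meta-rule approach jdow suggests. It reduces each message to the list of URIs in its body and scores it three ways: additively with a positive "any geocities" rule and a negative "good geocities" rule, with a meta rule that fires when the "any" rule hit and the "good" rule did not, and by scoring the "all subdomains except www and uk" regex directly. Rule names, the 1.2 score and the three messages are constructed for this example; the regexes are the ones discussed in the thread.

```python
import re

# URI sub-rules modelled on the thread.  Names are hypothetical.
URI_RULES = {
    "__GEO_ANY":  re.compile(r"\.geocities\.com", re.I),
    "__GEO_GOOD": re.compile(r"\b(?:www|uk)\.geocities\.com", re.I),
    # the "everything except www/uk" regex: a hit means a subdomain other
    # than www or uk is present, regardless of what else the message links to
    "__GEO_BAD":  re.compile(r"(?<!\bwww)(?<!\buk)\.geocities\.com", re.I),
}


def uri_hits(uris):
    """Per-message result for each uri rule: a rule is hit or not hit for
    the whole message, however many URIs match it."""
    return {name: any(rx.search(u) for u in uris) for name, rx in URI_RULES.items()}


# Three ways of turning those hits into a score (the 1.2 is hypothetical):
#   additive  +1.2 for any geocities URI, -1.2 for a good one (two uri rules)
#   meta      fire only when __GEO_ANY hit and __GEO_GOOD did not
#   bad_uri   score the negated regex directly
SCORING = {
    "additive": lambda h: 1.2 * h["__GEO_ANY"] - 1.2 * h["__GEO_GOOD"],
    "meta":     lambda h: 1.2 if (h["__GEO_ANY"] and not h["__GEO_GOOD"]) else 0.0,
    "bad_uri":  lambda h: 1.2 * h["__GEO_BAD"],
}


def score(uris, strategy):
    return SCORING[strategy](uri_hits(uris))


# Constructed messages, each reduced to the URIs found in its body.
MESSAGES = {
    "bad_only":  ["http://spamhost.geocities.com/offer"],
    "good_only": ["http://www.geocities.com/someones-homepage"],
    # the spammer pads the bad link with one "good" link
    "padded":    ["http://spamhost.geocities.com/offer",
                  "http://www.geocities.com/anything"],
}


def compare():
    """Score every constructed message under every strategy."""
    return {name: {s: score(uris, s) for s in SCORING}
            for name, uris in MESSAGES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The padded message is the interesting row: because both __GEO_ANY and __GEO_GOOD are simply "hit" for the message, the additive pair cancels to 0 and the "any and not good" meta rule does not fire either, so a single extra www link nullifies both. Only the rule built on the negated regex still scores it, which is why the "all subdomains except www and uk" pattern is worth getting right, and why jdow's extra case for "the latter AND the former" exists: without it, a meta rule on its own has the same blind spot as the negative-scoring rule.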


Re: Help with rule for geocities spam

2006-05-22 Thread jdow

From: Justin Mason [EMAIL PROTECTED]


Kenneth Porter writes:
As it turns out, I had a SARE rule installed that should catch these, but I 
found some spams leaking through due to the insecure dependency bug (bug 
3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W. 
O'Shea's patch for that bug.


Here's the SARE rule:

http://www.rulesemporium.com/rules/70_sare_specific.cf

(Look for __SARE_SPEC_XXGEOCITIE)


did it work?  if so, please add a report to that bug -- there
are still very few comments indicating success.  (although I don't
doubt that's just lack of comment, rather than a faulty patch.)


It is still working for me, Justin. I've removed my procmail double
tap work around that fed through a second time if the first time
failed to create markup.

{^_^}



Re: Help with rule for geocities spam

2006-05-22 Thread Daryl C. W. O'Shea

On 5/22/2006 6:14 PM, Kenneth Porter wrote:
As it turns out, I had a SARE rule installed that should catch these, 
but I found some spams leaking through due to the insecure dependency 
bug (bug 3838), even though I'm running Perl 5.8.3. I'm applying Daryl 
C. W. O'Shea's patch for that bug.


Here's the SARE rule:

http://www.rulesemporium.com/rules/70_sare_specific.cf

(Look for __SARE_SPEC_XXGEOCITIE)


Just because someone spelling my entire name right caught my attention...

If you've got the bandwidth and processing time to spare, you might as 
well get Yahoo! to serve up the spam sites they're hosting:


http://wiki.apache.org/spamassassin/WebRedirectPlugin


Daryl