Re: spam assassin rule to block a From address

2016-10-14 Thread Indunil Jayasooriya 
> The "[..]" construct is called a character class, and contains a set of 
> characters or character ranges that should match a single character in the 
> source. So "[0-9a-f]" matches a single character that is either a digit 0-9 
> or a letter a-f (those example addresses looked suspiciously like hexadecimal 
> strings as there were no letters above f).

Yes. you are right.

I checked all email addresses begin with "airecom612+" . there were no
letters beyond f.


> The "{..}" construct is a quantifier that say how many times the previous 
> token should match (similar to how + matches one or more times and * matches 
> zero or more times). In this case the quantifier "{16,}" means the preceding 
> token (a hexadecimal digit) should be repeated 16 times or more.
>
> So my example rule will only match if the email address starts with 
> "airecom162+" followed by 16 or more hexadecimal characters just before the 
> @-sign.

Thanks. I realized it.  I went https://regex101.com and checked.


more than 16 are matched. (below email address)

airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net


16 are matched.

airecom612+97d7d60a91d96...@therealizationofhealth.net


below 16 are NOT matched. ( in this case 15 )

airecom612+97d7d60a91d9...@therealizationofhealth.net

I realized everything.

Thanks for your tuition class. I feel pretty  happy. Have a happy day.
what a meritorious deed.



>
> --
> kai.ri...@arrak.fi GSM  +358-40-767 8282
> Oy Arrak Software Ab   http://www.arrak.fi
>
>
>
> -Original Message-
> From: Indunil Jayasooriya [mailto:induni...@gmail.com]
> Sent: Friday, October 14, 2016 11:56 AM
> To: Kai Risku <kai.ri...@arrak.fi>
> Cc: amavis-users@amavis.org
> Subject: Re: spam assassin rule to block a From address
>
> On Fri, Oct 14, 2016 at 1:59 PM, Kai Risku <kai.ri...@arrak.fi> wrote:
>> There is a small chance of false positives, i.e. you are catching *all* 
>> email addresses beginning with airecom612. You could be a bit more specific 
>> and require a hexadecimal string of at least 16 characters also:
>>
>> header SPAM11OctF1  From:addr ~= /^airecom612\+[0-9a-f]{16,}\@/i
>
> thanks for your fast response.
>
> I am trying to understand the above.
>
> 0-9 a single character in the range between 0 and 9
>
> a-f a single character in the range between a and f . If anything
> beyond f (i .e - g to z  will NOT catch)
>
> what about this?
>
> ^airecom612\+[0-9a-z]{16,}\@
>
>
> now how can realize {16,}?
>
> How does {16,} work?
>
>
> I expect your response.
>
>
>
>
>
>> --
>> kai.ri...@arrak.fi GSM  +358-40-767 8282
>> Oy Arrak Software Ab   http://www.arrak.fi
>>
>>
>>
>> -Original Message-
>> From: Indunil Jayasooriya [mailto:induni...@gmail.com]
>> Sent: Friday, October 14, 2016 11:03 AM
>> To: Kai Risku <kai.ri...@arrak.fi>
>> Cc: amavis-users@amavis.org
>> Subject: Re: spam assassin rule to block a From address
>>
>>> Appending the modifier “:addr” to a header name will remove everything from
>>> that header except the first email address. If you are using an anchored
>>> regexp on the email address, then the From:addr test should work, i.e.
>>>
>>>
>>>
>>> header SPAM11OctF1   From:addr ~=
>>> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>>>
>>
>> Thanks. Now I get mails beginning with  "airecom612"
>>
>>
>> Pls see below
>>
>>
>> airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net
>> airecom612+eceaaa167743dd4a58b54bdb17ef8...@holistictips.net
>> airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net
>>
>>
>> So I have changed the rule in this way. pls see below. ( this time i.e
>> -   /^airecom612.*\@/i )
>>
>> file /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf
>>
>>
>> header SPAM11OctF2 From:addr =~ /^airecom612.*\@/i
>> describe SPAM11OctF2 From address begin with the word airecom612@
>> score SPAM11OctF2 10.0
>>
>>
>> Hope. this will catch the PATTERN beginning with  "airecom612".
>>
>>
>> your comments on this ?
>>
>>
>>
>>>
>>> But you are otherwise on to something there. If the airecom -address is not
>>> in the visible From: -line (“From: “), but instead in the Envelope sender
>>> (i.e. the “From “ line), then you should use the pseudoheader EnvelopeFrom
>>> in the SA test:
>>>
>>>
&g

RE: spam assassin rule to block a From address

2016-10-14 Thread Kai Risku 
There is a small chance of false positives, i.e. you are catching *all* email 
addresses beginning with airecom612. You could be a bit more specific and 
require a hexadecimal string of at least 16 characters also:

header SPAM11OctF1  From:addr ~= /^airecom612\+[0-9a-f]{16,}\@/i

--
kai.ri...@arrak.fi GSM  +358-40-767 8282
Oy Arrak Software Ab   http://www.arrak.fi



-Original Message-
From: Indunil Jayasooriya [mailto:induni...@gmail.com] 
Sent: Friday, October 14, 2016 11:03 AM
To: Kai Risku <kai.ri...@arrak.fi>
Cc: amavis-users@amavis.org
Subject: Re: spam assassin rule to block a From address

> Appending the modifier “:addr” to a header name will remove everything from
> that header except the first email address. If you are using an anchored
> regexp on the email address, then the From:addr test should work, i.e.
>
>
>
> header SPAM11OctF1   From:addr ~=
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>

Thanks. Now I get mails beginning with  "airecom612"


Pls see below


airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net
airecom612+eceaaa167743dd4a58b54bdb17ef8...@holistictips.net
airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net


So I have changed the rule in this way. pls see below. ( this time i.e
-   /^airecom612.*\@/i )

file /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf


header SPAM11OctF2 From:addr =~ /^airecom612.*\@/i
describe SPAM11OctF2 From address begin with the word airecom612@
score SPAM11OctF2 10.0


Hope. this will catch the PATTERN beginning with  "airecom612".


your comments on this ?



>
> But you are otherwise on to something there. If the airecom -address is not
> in the visible From: -line (“From: “), but instead in the Envelope sender
> (i.e. the “From “ line), then you should use the pseudoheader EnvelopeFrom
> in the SA test:
>
>
>
> header SPAM11OctF1   EnvelopeFrom ~=
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>
>
>
> The EnvelopeFrom pseudoheader contains just the email address without any
> surrounding < >.

I have never known it before. Thanks for your effort. Well done. your
effort never went to recycle bin since I realized it.
>
> man Mail::SpamAssassin::Conf is your friend.
>

Thanks for this man command.




> --
> kai.ri...@arrak.fi GSM  +358-40-767 8282
> Oy Arrak Software Ab   http://www.arrak.fi
>
>
>
>
> From: amavis-users
> [mailto:amavis-users-bounces+kai.risku=arrak...@amavis.org] On Behalf Of
> @lbutlr
> Sent: Thursday, October 13, 2016 11:43 AM
> To: amavis-users@amavis.org
> Subject: Re: spam assassin rule to block a From address
>
>
>
> On Oct 13, 2016, at 2:12 AM, Indunil Jayasooriya <induni...@gmail.com>
> wrote:
>
> what's the difference between From and From:addr ?
>
>
>
> Isn’t From the “From “ and From:addr the “From:”?
>
>



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts

Re: spam assassin rule to block a From address

2016-10-14 Thread Indunil Jayasooriya 
> Appending the modifier “:addr” to a header name will remove everything from
> that header except the first email address. If you are using an anchored
> regexp on the email address, then the From:addr test should work, i.e.
>
>
>
> header SPAM11OctF1   From:addr ~=
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>

Thanks. Now I get mails beginning with  "airecom612"


Pls see below


airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net
airecom612+eceaaa167743dd4a58b54bdb17ef8...@holistictips.net
airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net


So I have changed the rule in this way. pls see below. ( this time i.e
-   /^airecom612.*\@/i )

file /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf


header SPAM11OctF2 From:addr =~ /^airecom612.*\@/i
describe SPAM11OctF2 From address begin with the word airecom612@
score SPAM11OctF2 10.0


Hope. this will catch the PATTERN beginning with  "airecom612".


your comments on this ?



>
> But you are otherwise on to something there. If the airecom -address is not
> in the visible From: -line (“From: “), but instead in the Envelope sender
> (i.e. the “From “ line), then you should use the pseudoheader EnvelopeFrom
> in the SA test:
>
>
>
> header SPAM11OctF1   EnvelopeFrom ~=
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>
>
>
> The EnvelopeFrom pseudoheader contains just the email address without any
> surrounding < >.

I have never known it before. Thanks for your effort. Well done. your
effort never went to recycle bin since I realized it.
>
> man Mail::SpamAssassin::Conf is your friend.
>

Thanks for this man command.




> --
> kai.ri...@arrak.fi GSM  +358-40-767 8282
> Oy Arrak Software Ab   http://www.arrak.fi
>
>
>
>
> From: amavis-users
> [mailto:amavis-users-bounces+kai.risku=arrak...@amavis.org] On Behalf Of
> @lbutlr
> Sent: Thursday, October 13, 2016 11:43 AM
> To: amavis-users@amavis.org
> Subject: Re: spam assassin rule to block a From address
>
>
>
> On Oct 13, 2016, at 2:12 AM, Indunil Jayasooriya <induni...@gmail.com>
> wrote:
>
> what's the difference between From and From:addr ?
>
>
>
> Isn’t From the “From “ and From:addr the “From:”?
>
>



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts

Re: spam assassin rule to block a From address

2016-10-14 Thread Indunil Jayasooriya 
On Fri, Oct 14, 2016 at 2:21 AM, Tom Hendrikx  wrote:
>
>
>
> On 13-10-16 10:12, Indunil Jayasooriya wrote:
>>>
>>> You should probably also match only the address, not the full From line,
>>> especially when you're anchoring:
>>
>>
>> what's the difference between From and From:addr ?
>>
>
> Considering the header:
>
> From: Indunil Jayasooriya 
>
> A rule "header From =~" will perform matching against the string:
> "Indunil Jayasooriya "
>
> A rule "header From:addr =~" will perform matching against the string:
> "induni...@example.com"


Tom,

Thank you very much for your effort.


> When you're anchoring your regex, that makes a huge difference.
>
> Kind regards,
> Tom
>
>>
>>>
>>> header SPAM11OctF1 From:addr =~ /^aireco
>>
>> Can you complete this ? anyway here I complete it.
>>
>>
>> header SPAM11OctF1 From:addr =~
>> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>> describe SPAM11OctF1 From address contains the word airecom612@
>> score SPAM11OctF1 10.0
>>
>> Is it OK?
>>
>>
>> what are the sites to learn spam-assassin rules?
>>
>>
>> anyway, I get spam mails with below addressees.
>>
>>
>> bounce-mc.us8_29275787.517673-wer=mynet@mail172.atl61.mcsv.net
>> ml-bounce-mc.us8_29275787.517673-hewe=mynet@mail172.atl61.mcsv.net
>>
>>
>> I wrote  below  rule to block it. it does NOT seem to work.
>>
>> header SPAM13OctF1 From =~ /.*bounce.*\@/i
>> describe SPAM13OctF1 From address contains the word bounce.
>> score SPAM13OctF1 10.0
>>
>>
>> should I change from From to From:addr ?
>>
>> Can you complete it?
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
> my /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf file
>
> header SPAM11OctF1 From =~ 
> /(airecom612\+97d7d60a91d9695c9a4240f92d5c3cae)@/i
> describe SPAM11OctF1 From address contains the word airecom612@
> score SPAM11OctF1 10.0
>
>
>>
>>
>> Can you post to us a source code of spam mail?
>
>
> here's the log.
>
> Oct 12 02:55:37 mailgw amavis[1054]: (01054-03) Passed CLEAN 
> [190.123.45.119] [190.123.45.119] 
> airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net - 
> r...@mydomain.com Message-ID: 
> 97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net mail_id: 
> dOZ+MykHl9Z2 Hits: -0.047 size: 11977 queued_as: 32CE11084D 9548 ms
>
>
> Ideas are welcome.
>
>
>
>
>> 12 Calcinaia (PI)
>> Tel +39058759108
>> cell 340 8398772
>> E-mail: mauri...@etarom.com
>> Assistenza: assiste...@etarom.com
>> P.E.C. eta...@pec.etarom.com
>>
>> Non indugiare oltre!, attiva adesso la tua casella di Posta Elettronica 
>> Certificata, per maggiori informazioni consulta la nostra news qui
>>
>>
>> 
>> Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
>> cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
>> messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
>> D.Lgs 196/03 sulla tutela dei dati personali.
>> 
>
>
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/
> http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala 
> Fonts
>
>
>
> --
>
>
> Via del Tiglio 45
> 56012 Calcinaia (PI)
> Tel +39058759108
> cell 340 8398772
> E-mail i...@etarom.com
> P.E.C. eta...@pec.etarom.com
>
> Non indugiare oltre!, attiva adesso la tua casella di Posta Elettronica 
> Certificata, per maggiori informazioni consulta la nostra news qui
>
>
> 
> Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
> cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
> messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
> D.Lgs 196/03 sulla tutela dei dati personali.
> 




>>
>>
>>
>
>



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts

RE: spam assassin rule to block a From address

2016-10-14 Thread Kai Risku 
Appending the modifier “:addr” to a header name will remove everything from 
that header except the first email address. If you are using an anchored regexp 
on the email address, then the From:addr test should work, i.e.

header SPAM11OctF1   From:addr ~= 
/^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i

But you are otherwise on to something there. If the airecom -address is not in 
the visible From: -line (“From: “), but instead in the Envelope sender (i.e. 
the “From “ line), then you should use the pseudoheader EnvelopeFrom in the SA 
test:

header SPAM11OctF1   EnvelopeFrom ~= 
/^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i

The EnvelopeFrom pseudoheader contains just the email address without any 
surrounding < >.

man Mail::SpamAssassin::Conf is your friend.

--
kai.ri...@arrak.fi<mailto:kai.ri...@arrak.fi> GSM  +358-40-767 8282
Oy Arrak Software Ab   http://www.arrak.fi



From: amavis-users [mailto:amavis-users-bounces+kai.risku=arrak...@amavis.org] 
On Behalf Of @lbutlr
Sent: Thursday, October 13, 2016 11:43 AM
To: amavis-users@amavis.org
Subject: Re: spam assassin rule to block a From address

On Oct 13, 2016, at 2:12 AM, Indunil Jayasooriya 
<induni...@gmail.com<mailto:induni...@gmail.com>> wrote:
what's the difference between From and From:addr ?

Isn’t From the “From “ and From:addr the “From:”?

Re: spam assassin rule to block a From address

2016-10-13 Thread Tom Hendrikx 



On 13-10-16 10:12, Indunil Jayasooriya wrote:
>>
>> You should probably also match only the address, not the full From line,
>> especially when you're anchoring:
> 
> 
> what's the difference between From and From:addr ?
> 

Considering the header:

From: Indunil Jayasooriya 

A rule "header From =~" will perform matching against the string:
"Indunil Jayasooriya "

A rule "header From:addr =~" will perform matching against the string:
"induni...@example.com"

When you're anchoring your regex, that makes a huge difference.

Kind regards,
Tom

> 
>>
>> header SPAM11OctF1 From:addr =~ /^aireco
> 
> Can you complete this ? anyway here I complete it.
> 
> 
> header SPAM11OctF1 From:addr =~
> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
> describe SPAM11OctF1 From address contains the word airecom612@
> score SPAM11OctF1 10.0
> 
> Is it OK?
> 
> 
> what are the sites to learn spam-assassin rules?
> 
> 
> anyway, I get spam mails with below addressees.
> 
> 
> bounce-mc.us8_29275787.517673-wer=mynet@mail172.atl61.mcsv.net
> ml-bounce-mc.us8_29275787.517673-hewe=mynet@mail172.atl61.mcsv.net
> 
> 
> I wrote  below  rule to block it. it does NOT seem to work.
> 
> header SPAM13OctF1 From =~ /.*bounce.*\@/i
> describe SPAM13OctF1 From address contains the word bounce.
> score SPAM13OctF1 10.0
> 
> 
> should I change from From to From:addr ?
> 
> Can you complete it?
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 

 my /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf file

 header SPAM11OctF1 From =~ 
 /(airecom612\+97d7d60a91d9695c9a4240f92d5c3cae)@/i
 describe SPAM11OctF1 From address contains the word airecom612@
 score SPAM11OctF1 10.0


>
>
> Can you post to us a source code of spam mail?


 here's the log.

 Oct 12 02:55:37 mailgw amavis[1054]: (01054-03) Passed CLEAN 
 [190.123.45.119] [190.123.45.119] 
 airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net - 
 r...@mydomain.com Message-ID: 
 97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net mail_id: 
 dOZ+MykHl9Z2 Hits: -0.047 size: 11977 queued_as: 32CE11084D 9548 ms


 Ideas are welcome.




> 12 Calcinaia (PI)
> Tel +39058759108
> cell 340 8398772
> E-mail: mauri...@etarom.com
> Assistenza: assiste...@etarom.com
> P.E.C. eta...@pec.etarom.com
>
> Non indugiare oltre!, attiva adesso la tua casella di Posta Elettronica 
> Certificata, per maggiori informazioni consulta la nostra news qui
>
>
> 
> Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
> cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
> messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
> D.Lgs 196/03 sulla tutela dei dati personali.
> 




 --
 cat /etc/motd

 Thank you
 Indunil Jayasooriya
 http://www.theravadanet.net/
 http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala 
 Fonts



 --


 Via del Tiglio 45
 56012 Calcinaia (PI)
 Tel +39058759108
 cell 340 8398772
 E-mail i...@etarom.com
 P.E.C. eta...@pec.etarom.com

 Non indugiare oltre!, attiva adesso la tua casella di Posta Elettronica 
 Certificata, per maggiori informazioni consulta la nostra news qui


 
 Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
 cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
 messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
 D.Lgs 196/03 sulla tutela dei dati personali.
 
>>>
>>>
>>>
>>>
> 
> 
> 




signature.asc
Description: OpenPGP digital signature

Re: spam assassin rule to block a From address

2016-10-13 Thread Maurizio Poli 

have you test this regex?:

header SPAM11OctF1 From =~ /.*airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
describe SPAM11OctF1 From address contains the word airecom612@
score SPAM11OctF1 10.0

it must work




I think that the parenthesis are not necessary and the @ must be escaped

 I sometimes use brackets to filter Subject (some times multiple
Subjects). They work.

see one rule I use below . It is for Subject with brackets. Not for From address


file /etc/mail/spamassassin/SPAM_12AUG2016_Subject_1.cf

header SPAMS1 Subject =~ /(special offer|Marketing Strategy|amazing
offer|intake|Enroll Now)/i
describe SPAMS1 Email contains the above words
score SPAMS1 9.0


anyway, I removed brackets this time. Let's see what happens now. I
think \@ is a good point I should think of.

this is my new rule


file  /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf

header SPAM11OctF1 From =~ /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
describe SPAM11OctF1 From address contains the word airecom612@
score SPAM11OctF1 10.0






^.*airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@

for check onhttps://regex101.com  you can try the regex on complete mail source 
code like this:

..
..

X-Received: by 10.194.204.198 with SMTP id la6mr8163648wjc.2.1476250191474;
  Tue, 11 Oct 2016 22:29:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.122.104 with HTTP; Tue, 11 Oct 2016 22:29:51 -0700 (PDT)
From: Indunil Jayasooriya
Date: Wed, 12 Oct 2016 10:59:51 +0530

Re: spam assassin rule to block a From address

2016-10-13 Thread Indunil Jayasooriya 
>
> You should probably also match only the address, not the full From line,
> especially when you're anchoring:


what's the difference between From and From:addr ?


>
> header SPAM11OctF1 From:addr =~ /^aireco

Can you complete this ? anyway here I complete it.


header SPAM11OctF1 From:addr =~
/^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
describe SPAM11OctF1 From address contains the word airecom612@
score SPAM11OctF1 10.0

Is it OK?


what are the sites to learn spam-assassin rules?


anyway, I get spam mails with below addressees.


bounce-mc.us8_29275787.517673-wer=mynet@mail172.atl61.mcsv.net
ml-bounce-mc.us8_29275787.517673-hewe=mynet@mail172.atl61.mcsv.net


I wrote  below  rule to block it. it does NOT seem to work.

header SPAM13OctF1 From =~ /.*bounce.*\@/i
describe SPAM13OctF1 From address contains the word bounce.
score SPAM13OctF1 10.0


should I change from From to From:addr ?

Can you complete it?










>>>
>>> my /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf file
>>>
>>> header SPAM11OctF1 From =~ 
>>> /(airecom612\+97d7d60a91d9695c9a4240f92d5c3cae)@/i
>>> describe SPAM11OctF1 From address contains the word airecom612@
>>> score SPAM11OctF1 10.0
>>>
>>>


 Can you post to us a source code of spam mail?
>>>
>>>
>>> here's the log.
>>>
>>> Oct 12 02:55:37 mailgw amavis[1054]: (01054-03) Passed CLEAN 
>>> [190.123.45.119] [190.123.45.119] 
>>> airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net - 
>>> r...@mydomain.com Message-ID: 
>>> 97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net mail_id: 
>>> dOZ+MykHl9Z2 Hits: -0.047 size: 11977 queued_as: 32CE11084D 9548 ms
>>>
>>>
>>> Ideas are welcome.
>>>
>>>
>>>
>>>
 12 Calcinaia (PI)
 Tel +39058759108
 cell 340 8398772
 E-mail: mauri...@etarom.com
 Assistenza: assiste...@etarom.com
 P.E.C. eta...@pec.etarom.com

 Non indugiare oltre!, attiva adesso la tua casella di Posta Elettronica 
 Certificata, per maggiori informazioni consulta la nostra news qui


 
 Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
 cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
 messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
 D.Lgs 196/03 sulla tutela dei dati personali.
 
>>>
>>>
>>>
>>>
>>> --
>>> cat /etc/motd
>>>
>>> Thank you
>>> Indunil Jayasooriya
>>> http://www.theravadanet.net/
>>> http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala 
>>> Fonts
>>>
>>>
>>>
>>> --
>>>
>>>
>>> Via del Tiglio 45
>>> 56012 Calcinaia (PI)
>>> Tel +39058759108
>>> cell 340 8398772
>>> E-mail i...@etarom.com
>>> P.E.C. eta...@pec.etarom.com
>>>
>>> Non indugiare oltre!, attiva adesso la tua casella di Posta Elettronica 
>>> Certificata, per maggiori informazioni consulta la nostra news qui
>>>
>>>
>>> 
>>> Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
>>> cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
>>> messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
>>> D.Lgs 196/03 sulla tutela dei dati personali.
>>> 
>>
>>
>>
>>



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts

Re: spam assassin rule to block a From address

2016-10-12 Thread Indunil Jayasooriya 
>
> I think that the parenthesis are not necessary and the @ must be escaped


I sometimes use brackets to filter Subject (some times multiple
Subjects). They work.

see one rule I use below . It is for Subject with brackets. Not for From address


file /etc/mail/spamassassin/SPAM_12AUG2016_Subject_1.cf

header SPAMS1 Subject =~ /(special offer|Marketing Strategy|amazing
offer|intake|Enroll Now)/i
describe SPAMS1 Email contains the above words
score SPAMS1 9.0


anyway, I removed brackets this time. Let's see what happens now. I
think \@ is a good point I should think of.

this is my new rule


file  /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf

header SPAM11OctF1 From =~ /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
describe SPAM11OctF1 From address contains the word airecom612@
score SPAM11OctF1 10.0





>
>
> ^.*airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@
>
> for check on https://regex101.com you can try the regex on complete mail 
> source code like this:
>
> ..
> ..
>
> X-Received: by 10.194.204.198 with SMTP id la6mr8163648wjc.2.1476250191474;
>  Tue, 11 Oct 2016 22:29:51 -0700 (PDT)
> MIME-Version: 1.0
> Received: by 10.194.122.104 with HTTP; Tue, 11 Oct 2016 22:29:51 -0700 (PDT)
> From: Indunil Jayasooriya 
> Date: Wed, 12 Oct 2016 10:59:51 +0530
> Message-ID: 
>

Re: spam assassin rule to block a From address

2016-10-12 Thread Indunil Jayasooriya 
>
> are you for usage of '^' ? because the string not start with sender
> address, you can try withou it.
>


^ - start matching from the beginning of the string in regex

anyway, without it, I can try.



here's my new file ( without ^ )

my /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf file

header SPAM11OctF1 From =~
/(airecom612\+97d7d60a91d9695c9a4240f92d5c3cae)@/i
describe SPAM11OctF1 From address contains the word airecom612@
score SPAM11OctF1 10.0



>
> Can you post to us a source code of spam mail?
>

here's the log.

Oct 12 02:55:37 mailgw amavis[1054]: (01054-03) Passed CLEAN
[190.123.45.119] [190.123.45.119]
airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net -
r...@mydomain.com Message-ID:
97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net mail_id:
dOZ+MykHl9Z2 Hits: -0.047 size: 11977 queued_as: 32CE11084D 9548 ms


Ideas are welcome.




12 Calcinaia (PI)
> Tel +39058759108
> cell 340 8398772
> E-mail: mauri...@etarom.com
> Assistenza: assiste...@etarom.com
> P.E.C. eta...@pec.etarom.com
>
> Non indugiare oltre!, attiva adesso la tua casella di *P*osta *E*lettronica
> *C*ertificata, per maggiori informazioni consulta la nostra news qui
> 
>
> 
> Qualora questo messaggio fosse da Voi ricevuto per errore vogliate
> cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il
> messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del
> D.Lgs 196/03 sulla tutela dei dati personali.
> 
>



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts

Re: spam assassin rule to block a From address

2016-10-12 Thread Maurizio Poli 

I think that the parenthesis are not necessary and the @ must be escaped

^.*airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@

for check on https://regex101.com you can try the regex on complete mail 
source code like this:


..
..

X-Received: by 10.194.204.198 with SMTP id la6mr8163648wjc.2.1476250191474;
 Tue, 11 Oct 2016 22:29:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.122.104 with HTTP; Tue, 11 Oct 2016 22:29:51 -0700 (PDT)
From: Indunil Jayasooriya
Date: Wed, 12 Oct 2016 10:59:51 +0530

Re: spam assassin rule to block a From address

2016-10-12 Thread Maurizio Poli 

Hi
I'm sorry for my poor english...

are you for usage of '^' ? because the string not start with sender 
address, you can try withou it.


Can you post to us a source code of spam mail?

Maurizio


Dear list,

I get mails from below FROM address.

airecom612+97d7d60a91d9695c9a4240f92d5c3...@holistictips.net
airecom612+97d7d60a91d9695c9a4240f92d5c3...@lotushealthfix.com
airecom612+97d7d60a91d9695c9a4240f92d5c3...@amazingwellness.net
airecom612+97d7d60a91d9695c9a4240f92d5c3...@healthyseries.biz
airecom612+97d7d60a91d9695c9a4240f92d5c3...@therealizationofhealth.net


username is always airecom612+97d7d60a91d9695c9a4240f92d5c3cae .
domain name will be different.

I put below file to quarantine it. But , It does NOT work. We still get it.


my  /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf file is given below.


header SPAM11OctF1 From =~ /^(airecom612\+97d7d60a91d9695c9a4240f92d5c3cae)@/i
describe SPAM11OctF1 From address contains the word airecom612@
score SPAM11OctF1 10.0



I went to https://regex101.com

the above line  (i.e -
/^(airecom612\+97d7d60a91d9695c9a4240f92d5c3cae)@/i  ) matches.

Then, Why I still get these? any idea?

hope to hear from you.






--


Via del Tiglio 45 56012 Calcinaia (PI)
Tel +39058759108
cell 340 8398772
E-mail: mauri...@etarom.com 
Assistenza: assiste...@etarom.com 
P.E.C. eta...@pec.etarom.com 

	Non indugiare oltre!, attiva adesso la tua casella di *P*osta 
*E*lettronica *C*ertificata, per maggiori informazioni consulta la 
nostra news qui 
 






Qualora questo messaggio fosse da Voi ricevuto per errore vogliate 
cortesemente darcene notizia a mezzo telefax o e-mail e distruggere il 
messaggio ricevuto erroneamente. Quanto precede ai fini del rispetto del 
D.Lgs 196/03 sulla tutela dei dati personali.