[MBF] Re: Help with PCRE

[Andy Schmidt]

Uh - okay. The problem is NOT the order (or the fact that the last item 
wouldn't have a whitespace character, which could be handled easily).

The real problem is that a match will ONLY be made if every single "token" in 
your string  is actually included in your list of alternatives. The problem is 
that I see now that you have OTHER tokens in your string that are NOT in your 
list - which your RegEx does not permit. 

The following works with all your examples:

(((\S*\s)*(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS)\s?){4,})

This is NOT matched, because there are not four of them:
PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB  

This IS matching PSKY, NEWERDOMAIN, ROUTING, SORBS:
PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

This is NOT matched, because it only matches PSKY, ROUTING and SORBS:
PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

Please note, that at present it will only match FULL words - so " BADHELO " is 
NOT a match for " HELO ", " BADHEADERS " is NOT a match for " HEADERS ", etc.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:25 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

OK this is working now, sort of:

(?:LASHBACK\s|PSKY\s|NEWERDOMAIN\s|HEADERS\s|ROUTING\s|MAILSPIKE-L[1-5\s|HELO\s|SORBS\s|SPAMCOP\s|DNS\s){4,})

Here are examples
PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB 

That is in the Delude Logs. BUT it only works if there are no breaks.

SO
PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO Only matches the first 4 but not 
BADHEADERS SORBS BADHELO

PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO DOES NOT WORK Finds no matches since 
it does not find 4 in a row of the above choices, even though the entire string 
contains 6 of the above choices.



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Help with PCRE

[John Tolmachoff]

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Help with PCRE

[David Barker]

Not sure it can be done regex, hoping someone has the answer, but if not this 
is how I would do it in Declude. Break the regex into separate lines as in the 
example below and create a new filter with the declude directive.

--
MINWEIGHTTOFAIL 4

TESTSFAILED 1   PCRE (?i:LASHBACK)
TESTSFAILED 1   PCRE (?i:PSKY)
TESTSFAILED 1   PCRE (?i:NEWERDOMAIN)
TESTSFAILED 1   PCRE (?i:HEADERS)
TESTSFAILED 1   PCRE (?i:ROUTING)
TESTSFAILED 1   PCRE (?i:MAILSPIKE-L)
--


David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 12:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Help with PCRE

[David Barker]

Oooo, didn't think of doing it that way. Thought it only worked with letters. 
So test to be sure. Just to correct the syntax Declude, you want to use the 
following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Declude and DKIM

[David Barker]

Not in the existing Declude. 

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Friday, August 26, 2016 11:31 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Declude and DKIM

So does SM, I reckon, but it would be nice to take care of it in Declude with 
all my other tools.

Are there plans to add it?

- Michael Cummins

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 11:48 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Declude and DKIM

No, but IMail has that ability natively.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Friday, August 26, 2016 11:16 AM
To: community@mailsbestfriend.com
Subject: [MBF] Declude and DKIM

Does Declude evaluate DKIM signatures for pass/fail validity?

- Michael Cummins


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Declude and DKIM

[David Barker]

No Declude does not evaluate DKIM.  If you are running SmarterMail we suggest 
using DKIM at the SmarterMail level.

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Friday, August 26, 2016 10:16 AM
To: community@mailsbestfriend.com
Subject: [MBF] Declude and DKIM

Does Declude evaluate DKIM signatures for pass/fail validity?

- Michael Cummins



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Declude and DKIM

[Michael Cummins]

Does Declude evaluate DKIM signatures for pass/fail validity?

- Michael Cummins



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Help with PCRE

[Andy Schmidt]

What is a sample of the actual string you are searching? Are there any 
separation characters we need to allow for?


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:02 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

That is not working either. It is wanting them to be consecutive

-Original Message-
From: "David Barker" 
Sent: Friday, August 26, 2016 11:32am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Oooo, didn't think of doing it that way. Thought it only worked with letters. 
So test to be sure. Just to correct the syntax Declude, you want to use the 
following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Help with PCRE

[John Tolmachoff]

That is not working either. It is wanting them to be consecutive

-Original Message-
From: "David Barker" 
Sent: Friday, August 26, 2016 11:32am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Oooo, didn't think of doing it that way. Thought it only worked with letters. 
So test to be sure. Just to correct the syntax Declude, you want to use the 
following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  

[MBF] Re: Help with PCRE

[John Tolmachoff]

OK this is working now, sort of:

(?:LASHBACK\s|PSKY\s|NEWERDOMAIN\s|HEADERS\s|ROUTING\s|MAILSPIKE-L[1-5\s|HELO\s|SORBS\s|SPAMCOP\s|DNS\s){4,})

Here are examples 
PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB 

That is in the Delude Logs. BUT it only works if there are no breaks.

SO
PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO
Only matches the first 4 but not BADHEADERS SORBS BADHELO

PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO
DOES NOT WORK Finds no matches since it does not find 4 in a row of the above 
choices, even though the entire string contains 6 of the above choices.


-Original Message-
From: "Andy Schmidt" 
Sent: Friday, August 26, 2016 4:05pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

What is a sample of the actual string you are searching? Are there any 
separation characters we need to allow for?


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:02 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

That is not working either. It is wanting them to be consecutive

-Original Message-
From: "David Barker" 
Sent: Friday, August 26, 2016 11:32am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Oooo, didn't think of doing it that way. Thought it only worked with letters. 
So test to be sure. Just to correct the syntax Declude, you want to use the 
following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: