, March 20, 2024 10:02 AM
To: users@spamassassin.apache.org
Subject: RE: Help with rule matching when it shouldn't
I want to catch “yahoo” anywhere in the header so that it matches if its in the
name or in the address. So I would want to match
ya...@gmail.com<mailto:ya...@gmail.com>
Reg
eturn path does
not include yahoo.com, match my rule.
From: Jimmy
Sent: Tuesday, March 19, 2024 7:45 PM
To: users@spamassassin.apache.org
Subject: Re: Help with rule matching when it shouldn't
The correct syntax for the header rule should be:
header __FROM_ADDRESS From:addr =~ /\@yahoo\.com/i
On 20.03.24 06:44, Jimmy wrote:
Regarding the example provided, the "__RETURNPATH_IS" rule should indeed be
triggered since it matches "yahoo.com" in the return-path. If you're
uncertain about the intended behavior of the rules, please clarify the
requirements so we can adjust the rules
The correct syntax for the header rule should be:
header __FROM_ADDRESS From:addr =~ /\@yahoo\.com/i
This rule will specifically match email addresses containing "@yahoo.com"
while excluding addresses like "ya...@gmail.com".
Regarding the example provided, the "__RETURNPATH_IS" rule should
Could someone help me figure out why my custom rule is matching when it should
not be matching?
This is my current setup:
header __FROM_ADDRESS From =~ /yahoo/i
header __RETURNPATH_IS Return-Path !~ /yahoo.com$/i
meta NOT_IT (__FROM_ADDRESS && __RETURNPATH_IS)
describe NOT_IT
On Mon, 5 Jun 2023, jacklistm...@gmail.com wrote:
header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/
Missing a period in that one.
meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP
Extra "from" already noted.
If you're looking to whitelist specific senders coming from
On 2023-06-06 at 01:32:14 UTC-0400 (Tue, 6 Jun 2023 08:32:14 +0300)
Henrik K via users
is rumored to have said:
On Tue, Jun 06, 2023 at 12:12:10AM -0400, Bill Cole wrote:
Escape the @ with a \
SA uses Perl, so you need to escape %, @, and $ in regular
expressions.
Perl regular expressions
On 05.06.23 22:04, jacklistm...@gmail.com wrote:
I know this isn't the best method, I have to learn some of the previous
suggestions, but I would like to get this rule to work.
Not sure where I went wrong.
header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
I recommend to use From:addr,
@spamassassin.apache.org
Subject: Re: Help with rule
> meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP
Is that a typo when you were making this mail, or is it actually how the
line is coded? There is an extra "from" there.
Even if you fix that, you won't get the res
On Tue, Jun 06, 2023 at 12:12:10AM -0400, Bill Cole wrote:
>
> Escape the @ with a \
> SA uses Perl, so you need to escape %, @, and $ in regular expressions.
Perl regular expressions does not mean it's parsed as Perl code, no need to
quote such things on any remotely modern SA version.
On 2023-06-05 at 22:04:47 UTC-0400 (Mon, 5 Jun 2023 22:04:47 -0400)
is rumored to have said:
Hello All,
I know this isn't the best method, I have to learn some of the
previous
suggestions, but I would like to get this rule to work.
Not sure where I went wrong.
header
> meta FROM_CLIENT_TEST from FROM_CLIENT_EMAIL && FROM_CLIENT_IP
Is that a typo when you were making this mail, or is it actually how the line
is coded? There is an extra "from" there.
Even if you fix that, you won't get the results you expect. Both
FROM_CLIENT_EMAIL and FROM_CLIENT_IP will
Hello All,
I know this isn't the best method, I have to learn some of the previous
suggestions, but I would like to get this rule to work.
Not sure where I went wrong.
header FROM_CLIENT_EMAIL From =~ /client@client\.com/i
header FROM_CLIENT_IP Received =~ /from 138\.31\230\.222/
meta
I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV. I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension. However, my rule is
not working. Can someone help advise what is wrong? I want it to
pickup any
I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV. I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension. However, my rule is
not working. Can someone help advise what is wrong? I want it to
pickup any
Untested, but try
uri EXECUTABLE_WEBSITE/\.(?:exe|scr|pif)$/i
Loren
- Original Message -
From: Dave Koontz [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Saturday, February 23, 2008 6:52 AM
Subject: Please help with rule
I am still getting some Storm Worm
On Sat, February 23, 2008 15:52, Dave Koontz wrote:
I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV. I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension. However, my rule is
not working. Can someone
--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED]
wrote:
I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV. I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension. However, my rule
Thanks all for the info, the uri check is much better.
Joseph you were absolutely correct about it catching too wide. I modified
it to pattern check the end only and it now works a treat!
uri DANGEROUS_URL/\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URLURL
-Original Message-
From: Dave Koontz [mailto:[EMAIL PROTECTED]
Sent: Sunday, 24 February 2008 5:09 p.m.
To: users@spamassassin.apache.org
Subject: Please help with rule
I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV. I
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I'm trying to flag a type of spam that seems to be slipping through with
a very low score
The common factor is that all of the messages have something linke
Just type www [.] pillking [.] org
Just type FONT color=#ffwww/FONT [.]
On Tue, 10 Apr 2007, Steven Stern wrote:
Just type www [.] pillking [.] org
Just type FONT color=#ffwww/FONT [.]
STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
color=#fforg/FONT/FONT
Just type www [dot] pilldoc [dot] org
I suspect a rule that looks for
On Tue, 10 Apr 2007, John D. Hardin wrote:
On Tue, 10 Apr 2007, Steven Stern wrote:
Just type www [.] pillking [.] org
Just type FONT color=#ffwww/FONT [.]
STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
color=#fforg/FONT/FONT
Just type www [dot] pilldoc
Steven Stern wrote:
I suspect a rule that looks for www*pill*org would work. How do I turn
that into a regex?
Basic: /www.*pill.*org/
Slightly optimized: /www.{1,30}pill.{1,30}org/
.matches any character.
*means anywhere 0 or more of the preceding item, so
.*
On 5/23/2006 2:51 AM, Benny Pedersen wrote:
http://wiki.apache.org/spamassassin/WebRedirectPlugin
there is a slight config error on the page
[WWW] http://people.apache.org/~dos/sa-plugins/3.1/WebRedirect.cf
[WWW] http://people.apache.org/~dos/sa-plugins/3.1/WebRedirect.pm
in the cf file the
I just grepped my entire mail hierarchy for .geocities.com and the only
legitimate stuff I see either uses the www or uk subdomains. How can I
write a rule that matches on that? If it were just one subdomain I could
write one rule for all subdomains and one for just the one subdomain and
use a
Kenneth Porter wrote:
I just grepped my entire mail hierarchy for .geocities.com and the
only legitimate stuff I see either uses the www or uk subdomains. How
can I write a rule that matches on that? If it were just one
subdomain I could write one rule for all subdomains and one for just
the
On Monday, May 22, 2006 12:28 PM -0400 Bowie Bailey [EMAIL PROTECTED]
wrote:
I assume you mean www.geocites.com and uk.geocities.com, right?
Try this:
/(?:www|uk)\.geocities\.com/
Add other anchors as appropriate...
Doh! That was too easy! :P
BTW, in my corpus the only legit use of
On Montag, 22. Mai 2006 18:28 Bowie Bailey wrote:
/(?:www|uk)\.geocities\.com/
Or the full line could be:
uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com}
describe ZMIgeocitiesGOOD probably good geocities site
scoreZMIgeocitiesGOOD -1.2
or whatever score you want to give them.
mfg
On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie
[EMAIL PROTECTED] wrote:
Or the full line could be:
uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com}
describe ZMIgeocitiesGOOD probably good geocities site
scoreZMIgeocitiesGOOD -1.2
or whatever score you want to give them.
Kenneth Porter wrote:
On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie
[EMAIL PROTECTED] wrote:
Or the full line could be:
uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com}
describe ZMIgeocitiesGOOD probably good geocities site
scoreZMIgeocitiesGOOD -1.2
or
Bowie Bailey wrote:
Kenneth Porter wrote:
Alternatively, is there regex syntax to match all patterns *except*
the one given? Can I somehow express all geocities.com subdomains
except www and uk as a regex?
That is a bit trickier because Perl does not currently support
variable length
[EMAIL PROTECTED] wrote:
Bowie Bailey wrote:
Kenneth Porter wrote:
Alternatively, is there regex syntax to match all patterns
*except* the one given? Can I somehow express all geocities.com
subdomains except www and uk as a regex?
That is a bit trickier because Perl does not
As it turns out, I had a SARE rule installed that should catch these, but I
found some spams leaking through due to the insecure dependency bug (bug
3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W.
O'Shea's patch for that bug.
Here's the SARE rule:
From: [EMAIL PROTECTED]
Bowie Bailey wrote:
Kenneth Porter wrote:
Alternatively, is there regex syntax to match all patterns *except*
the one given? Can I somehow express all geocities.com subdomains
except www and uk as a regex?
That is a bit trickier because Perl does not currently support
From: Justin Mason [EMAIL PROTECTED]
Kenneth Porter writes:
As it turns out, I had a SARE rule installed that should catch these, but I
found some spams leaking through due to the insecure dependency bug (bug
3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W.
O'Shea's patch
On 5/22/2006 6:14 PM, Kenneth Porter wrote:
As it turns out, I had a SARE rule installed that should catch these,
but I found some spams leaking through due to the insecure dependency
bug (bug 3838), even though I'm running Perl 5.8.3. I'm applying Daryl
C. W. O'Shea's patch for that bug.
37 matches
Mail list logo