On 28 Sep 2016, at 11:20, Nicola Piazzi wrote:
But I need the regex syntax to search at least 3 words that match of 4
words given
This can be done with a SA meta rule:
header __FOO_IN_SUBJ Subject =~ /foo/i
header __BAR_IN_SUBJ Subject =~ /bar/i
header __BAZ_IN_SUBJ Subject =~ /baz/i
header __BIGNUM_IN_SUBJ Subject =~ /\d{8}/
meta __FOO_IN_SUBJ + __BAR_IN_SUBJ + __BAZ_IN_SUBJ + __BIGNUM_IN_SUBJ >
2
I see 34 such additive rules in the stock ruleset.
You could instead use a syntax like this in one rule:
header 3_OF_4_BAD_RES Subject =~ /(\b(foo|bar|baz|\d{8,})\b.*){3}/i
However, there is a small risk of a pathologically long Subject header
causing that to be very slow. If you want to do something like that in a
body rule you'd have a much larger risk of such slowness (especially if
you scan large messages) so you might prefer something like this:
body 3_OF_4_BAD_RES /(\b(foo|bar|baz|\d{8,})\b.{,50}){3}/i
The single-RE form is easier to translate into the context of something
other than SA rules (e.g. a Plugin) but it is less easily adapted to
other cases.
