Thanks for your response again Doug. Just to recap, this is what I think's been learnt (please correct me if I'm wrong or confused).

With respect to the following from quarantine-attachments.txt

    Pickles.*Breakfast Virus-Subject: Fake Example Pickles virus
    #
    # will match "Subject: Pickles for Breakfast" - and
    # not "Subject: Pickles - where did you go?"

Qmail-Scanner checks the entire message including headers and body (for some stupid reason I originally thought it only checked the headers).

    *Peter*.*<TAB>Virus-Subject:

will look for Subject: anythingPeteranything in a message, which means that if Peter appears anywhere in the message after Subject: it will be quarantined (bad).

If I just want to check for Peter in the subject I should have used

    Peter*.*<TAB>Virus-Subject:<TAB>description

(added <TAB>description because that's the expected format), except this would only look for subjects starting with Peter, or Subject: Peter anywhere in the message.

So ... if I use

    (?i).*(Peter).*<TAB>Virus-Subject:<TAB>description

this will look for Peter anywhere in the subject only, because the regex string is now correct (correct meaning it matches what I want, i.e. check for Peter anywhere in the subject only).

Interestingly, some 'wrongly' quarantined messages had MS Word and PDF attachments with words I had as *word*.* in quarantine-attachments.txt, so Qmail-Scanner must be able to see what's in these attachments.

I checked all the 'wrongly' quarantined messages and they all contained at least one of the *word*.* s in quarantine-attachments.txt somewhere in the message (mystery solved), so I should now refer to these messages as 'correctly' quarantined.

Thanks again. I'll now go and modify quarantine-attachments.txt and see how it goes.

Andrew.

Yes, the filters on SourceForge may make communication of Perlscan difficult :(

    Remote host said: 550-This message matches a blacklisted regular expression ....

Andrew van Tilburg wrote:
> Ok, thanks Doug. The quarantine-attachments.txt file is attached. I had to
> send to your address as the [EMAIL PROTECTED] mail
> server complained about blacklisted regular expressions.
>
> Andrew.

All your additions are 'badly' formed (in multiple ways). As is noted in the quarantine-attachments.txt file, the proper format is:

    # Format: three columns
    # filename<TAB>size (in bytes)<TAB>Description of virus/whatever
    # OR:
    # string<TAB>Header<TAB>Description of virus/whatever

Your entries (for example):

    *Yiagra*.* Virus-Subject:

(Y should be v in above...need to get past filter)

are missing the DESCRIPTION (not critical but...) and the regexes also need attention. A few examples to accomplish what it looks like you're trying to do (again...letter Y used in obvious places should be replaced):

    (?i).*(Yiagra|Y i a g r a|Y1agra|Ylagra).*<TAB>Virus-Subject:<TAB>e-crap
    (?i).*(Yhentermine|Yhenterm1ne|Yhentermlne).*<TAB>Virus-Subject:<TAB>e-crap
    (?i).*(Yanax|Y a n a x).*<TAB>Virus-Subject:<TAB>e-crap

BTW...the reason the example email you sent was "caught" is likely due to the fact that you have this rule:

    *Peter*.* Virus-Subject:

and the email contains:

    Dear Peter,

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
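
Added example (not part of the original thread, and not Qmail-Scanner code): a small Python linter for the string<TAB>Header<TAB>Description entries discussed above, run over constructed sample lines. Python's re module stands in for Perl's regex engine; lint_entry, subject_hits, lint_file and SAMPLE are names made up for this sketch, and it assumes the pattern is tested from the start of the Subject value.

```python
import re

# Column 2 of a header rule, in the "Virus-Subject:" form used in the thread.
HEADER_RE = re.compile(r"^Virus-[A-Za-z-]+:$")

def lint_entry(line):
    """Return a list of problems found in one header-rule entry."""
    problems = []
    cols = line.rstrip("\n").split("\t")
    if len(cols) != 3 or not cols[2].strip():
        problems.append("expected 3 TAB-separated columns with a description")
    # Only header rules are linted; filename/size rules are left unjudged.
    if len(cols) >= 2 and HEADER_RE.match(cols[1]):
        try:
            re.compile(cols[0])
        except re.error as exc:
            problems.append(f"pattern is not a valid regex: {exc}")
    return problems

def subject_hits(pattern, subject):
    """True if the pattern matches from the start of the Subject value
    (assumed scope; how Qmail-Scanner itself applies it is not modelled)."""
    return re.match(pattern, subject) is not None

def lint_file(text):
    """Map 1-based line numbers to problems, skipping blanks and # comments."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            problems = lint_entry(line)
            if problems:
                report[n] = problems
    return report

# Constructed sample file; real TAB characters separate the columns.
SAMPLE = (
    "# constructed sample entries\n"
    "Pickles.*Breakfast\tVirus-Subject:\tFake Example Pickles virus\n"
    "*Peter*.*\tVirus-Subject:\n"
    "(?i).*(Peter).*\tVirus-Subject:\tdescription\n"
)

if __name__ == "__main__":
    for lineno, problems in lint_file(SAMPLE).items():
        print(lineno, problems)
    # "r*" means zero or more "r", so the glob-style rule also hits "Pete".
    print(subject_hits("Peter*.*", "Pete's invoice"))
```

Running the rules against a handful of known-good and known-bad subjects before installing them shows over-broad patterns such as `Peter*.*` matching "Pete".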