On 22.02.2016 at 12:45, Matus UHLAR - fantomas wrote:
On 21.02.2016 at 19:08, RW wrote:
[90-100] represents a single character. You are specifying 9 or the
range 0-1 with two redundant 0 characters on the end. If you meant 90
to 100 inclusive, you need something like:
'^127\.0\.4\.(9[0-9]|
On 21.02.2016 at 19:08, RW wrote:
[90-100] represents a single character. You are specifying 9 or the
range 0-1 with two redundant 0 characters on the end. If you meant 90
to 100 inclusive, you need something like:
'^127\.0\.4\.(9[0-9]|100)$'
On 21.02.16 19:20, Reindl Harald wrote:
thanks, ac
On 21.02.2016 at 19:08, RW wrote:
On Sun, 21 Feb 2016 18:23:02 +0100
Reindl Harald wrote:
header CUST_DNSWL_2
eval:check_rbl('cust35-lastexternal','score.senderscore.com.','^127\.0\.4\.[90-100]$')
[90-100] represents a single character. You are specifying 9 or the
range 0-1 with two re
On Sun, 21 Feb 2016 18:23:02 +0100
Reindl Harald wrote:
> header CUST_DNSWL_2
> eval:check_rbl('cust35-lastexternal','score.senderscore.com.','^127\.0\.4\.[90-100]$')
[90-100] represents a single character. You are specifying 9 or the
range 0-1 with two redundant 0 characters on the end. If
On 2/18/2014 1:26 PM, Marc Perkel wrote:
On 2/18/2014 9:32 AM, John Hardin wrote:
On Tue, 18 Feb 2014, Marc Perkel wrote:
Trying to do something complex and not sure how it's done. What I'm
looking for is to combine 2 conditions in a single regular expression
so that both have to be true for a
On 2/18/2014 9:32 AM, John Hardin wrote:
On Tue, 18 Feb 2014, Marc Perkel wrote:
Trying to do something complex and not sure how it's done. What I'm
looking for is to combine 2 conditions in a single regular expression
so that both have to be true for a match. Yes - I know I can make 2
SA ru
On 2/18/2014 12:22 PM, Marc Perkel wrote:
Trying to do something complex and not sure how it's done. What I'm
looking for is to combine 2 conditions in a single regular expression
so that both have to be true for a match. Yes - I know I can make 2 SA
rules and combine them but I bet there's a w
On Tue, 18 Feb 2014, Marc Perkel wrote:
Trying to do something complex and not sure how it's done. What I'm looking
for is to combine 2 conditions in a single regular expression so that both
have to be true for a match. Yes - I know I can make 2 SA rules and combine
them but I bet there's a wa
On Tue, 13 Nov 2012, Alex wrote:
So far working good. Caught 4620 spams since sunday morning with these mixed
case rules.
Can you really make scoring decisions based on a mixed-case URI? Do
you have it as part of a meta with the other rules that John provided?
I'm looking at John's sandbox en
Hi,
>> This is what you want:
>>
>> uri URI_PROTO_MC /^(?!(?-i:[Hh]ttps?:))https?:/i
>>
>> The string inside the parentheses is what you want to _not_ hit, and that
>> part is _not_ case-insensitive, even though the rest of the expression _is_
>> case-insensitive.
>>
>> Also, for the TLD rule:
On Tue, 13 Nov 2012, Marc Perkel wrote:
So far working good. Caught 4620 spams since sunday morning with these mixed
case rules.
Cool.
I added this as a separate rule.
/^(?!(?-i:[Hh]ttps?:\/\/www))https?:\/\/www/i
Found some cases where the HTTP was lower case but the WWW was mixed.
I wi
On 11/10/2012 11:13 AM, John Hardin wrote:
On Sat, 10 Nov 2012, Marc Perkel wrote:
Just a thought, I changed this:
uri URI_PROTO_MC /^(?!(?-i:https?:))https?:/i
into this:
uri URI_PROTO_MC /^(?!(?-i:ttps?:))ttps?:/i
Some people capitalize the H - but the rest of it being mixed case
sh
On Sat, 10 Nov 2012, Marc Perkel wrote:
Just a thought, I changed this:
uri URI_PROTO_MC /^(?!(?-i:https?:))https?:/i
into this:
uri URI_PROTO_MC /^(?!(?-i:ttps?:))ttps?:/i
Some people capitalize the H - but the rest of it being mixed case should be
100% accurate.
That breaks it. Note
That should have been:
uri URI_PROTO_MC /^[Hh](?!(?-i:ttps?:))ttps?:/i
--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
On 11/10/2012 10:51 AM, John Hardin wrote:
On Sat, 10 Nov 2012, Marc Perkel wrote:
What would you have to do to show the URI in the description?
...it would have to be a plugin. There's no general-purpose model for
putting a capturing expression into a rule and having the captured
match ap
On Sat, 10 Nov 2012, Marc Perkel wrote:
What would you have to do to show the URI in the description?
...it would have to be a plugin. There's no general-purpose model for
putting a capturing expression into a rule and having the captured match
appear in the description, and if there was the
I think your original solution is good enough. I'm testing it now. What
would you have to do to show the URI in the description?
On 11/10/2012 10:36 AM, John Hardin wrote:
On Sat, 10 Nov 2012, Marc Perkel wrote:
On 11/10/2012 8:57 AM, John Hardin wrote:
How much are you seeing these in r
On Sat, 10 Nov 2012, Marc Perkel wrote:
On 11/10/2012 8:57 AM, John Hardin wrote:
How much are you seeing these in real traffic?
I'm seeing a lot of these. They are coming from stolen Yahoo accounts from
back when Yahoo leaked their data base. They appear to come from friends of
mine.
Oh
Actually - I think that will do as is. I'm going to test it.
Thanks for your help.
On 11/10/2012 8:57 AM, John Hardin wrote:
uri URI_PROTO_MC /^(?!(?-i:https?:))https?:/i
--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-
On 11/10/2012 8:57 AM, John Hardin wrote:
On Sat, 10 Nov 2012, Marc Perkel wrote:
Need a rule to catch this:
HtTp://goOGleplAcESSEOopTimiZaTIonx.cOm
Mixed case links
Mixed-case protocol:
uri URI_PROTO_MC /^(?!(?-i:https?:))https?:/i
Note: this _will_ trigger on HTTP and HTTPS but I e
On Sat, 10 Nov 2012, Marc Perkel wrote:
Need a rule to catch this:
HtTp://goOGleplAcESSEOopTimiZaTIonx.cOm
Mixed case links
Mixed-case protocol:
uri URI_PROTO_MC /^(?!(?-i:https?:))https?:/i
Note: this _will_ trigger on HTTP and HTTPS but I expect they are rare in
legitimate URIs
Mi
I meant a rule to catch mixed case URIs in general. That was just one
example.
On 11/10/2012 7:44 AM, dar...@chaosreigns.com wrote:
On 11/10, Marc Perkel wrote:
Need a rule to catch this:
HtTp://goOGleplAcESSEOopTimiZaTIonx.cOm
body GOOGLEMIXED /HtTp:\/\/goOGleplAcESSEOopTimiZaTIonx.cOm/
Un
On 11/10, Marc Perkel wrote:
> Need a rule to catch this:
>
> HtTp://goOGleplAcESSEOopTimiZaTIonx.cOm
body GOOGLEMIXED /HtTp:\/\/goOGleplAcESSEOopTimiZaTIonx.cOm/
Untested, because I kind of expect that's not actually what you want. If
you want something to match things that look similar to thi
Adam Katz wrote:
% grep html_text_match..comment 20_html_tests.cf
I hadn't known about that function until I saw Henrik's replies last
week, so it would have been hard to search for it.
Any more than 512 chars isn't going to be helpful but will end up being
computationally expensive (I've p
On Fri, Apr 06, 2012 at 07:07:18PM +0300, Henrik K wrote:
> On Fri, Apr 06, 2012 at 08:40:08AM -0700, Adam Katz wrote:
> >
> > Try this:
> >
> > body OVERSIZE_COMMENT eval:html_text_match('comment',
> > ').{512,}-->')
>
> No. See what I already posted.
Btw I put few test rules to my sandbox:
On Fri, Apr 06, 2012 at 08:40:08AM -0700, Adam Katz wrote:
>
> Try this:
>
> body OVERSIZE_COMMENT eval:html_text_match('comment',
> ').{512,}-->')
No. See what I already posted.
On 04/02/2012 09:40 AM, Kris Deugau wrote:
> Can anyone point out what bit of stupidity I'm committing in trying
> to use this:
>
> rawbody OVERSIZE_COMMENTm|).{32000,}|s
>
> to match messages that are mostly very very long HTML comment(s)?
>
> Testing the same regex against the whole ra
On Tue, Apr 03, 2012 at 05:25:57PM -0400, Kris Deugau wrote:
> Henrik K wrote:
> >This only checks the "main" message body that SA uses. If you want to check
> >_all_ mime parts, here's a quick plugin:
> >
> >http://sa.hege.li/HTMLComments.pm
>
> Hm. Does check_html_comment_length get each tag al
Henrik K wrote:
On Mon, Apr 02, 2012 at 12:40:27PM -0400, Kris Deugau wrote:
Can anyone point out what bit of stupidity I'm committing in trying
to use this:
rawbody OVERSIZE_COMMENTm|).{32000,}|s
to match messages that are mostly very very long HTML comment(s)?
Testing the same regex
On Tue, Apr 03, 2012 at 11:00:56PM +0300, Henrik K wrote:
> On Mon, Apr 02, 2012 at 12:40:27PM -0400, Kris Deugau wrote:
> > Can anyone point out what bit of stupidity I'm committing in trying
> > to use this:
> >
> > rawbody OVERSIZE_COMMENTm|).{32000,}|s
> >
> > to match messages that a
On Mon, Apr 02, 2012 at 12:40:27PM -0400, Kris Deugau wrote:
> Can anyone point out what bit of stupidity I'm committing in trying
> to use this:
>
> rawbody OVERSIZE_COMMENTm|).{32000,}|s
>
> to match messages that are mostly very very long HTML comment(s)?
>
> Testing the same regex ag
Bowie Bailey wrote:
Try using a string that's longer than 320 characters that starts with a
short comment.
i.e.:' blah blah blah blah.'
This is where your original version will fail. Your original regex
translates as "a string starting with a comment opener followed by at
least 3200 c
[Somewhat OT]
In general, I would be very wary of any regex that has an unbounded
quantifier like +, * or {32000,}
If all you care about is matching something followed by *at least* 32000
copies of something else, you should use:
/something(?:something_else){32000}/
After all, once you s
On 4/2/2012 6:03 PM, Kris Deugau wrote:
>> On 4/2/2012 12:58 PM, Stephane Chazelas wrote:
>>> Don't know about the spamassassin issue, but that regexp
>>> matches".
>>>
>>> ITYM
>>>
>>> m|).){32000,}|s
>>>
>>> That is you need to look ahead at each character of the sequence
>>> to look for the clos
2012-04-02 12:40:27 -0400, Kris Deugau:
Can anyone point out what bit of stupidity I'm committing in trying
to use this:
rawbody OVERSIZE_COMMENTm|).{32000,}|s
to match messages that are mostly very very long HTML comment(s)?
I've found one way to handle this; use "full" instead of "
On 4/2/2012 12:58 PM, Stephane Chazelas wrote:
> 2012-04-02 12:40:27 -0400, Kris Deugau:
>> Can anyone point out what bit of stupidity I'm committing in trying
>> to use this:
>>
>> rawbody OVERSIZE_COMMENTm|).{32000,}|s
>>
>> to match messages that are mostly very very long HTML comment(s)
2012-04-02 12:40:27 -0400, Kris Deugau:
> Can anyone point out what bit of stupidity I'm committing in trying
> to use this:
>
> rawbody OVERSIZE_COMMENTm|).{32000,}|s
>
> to match messages that are mostly very very long HTML comment(s)?
>
> Testing the same regex against the whole raw m
Adam Katz wrote:
> Getting back to a viable solution to your actual spam problem...
>
>> Adam Katz wrote:
>>> How about this rule instead:
>>>
>>> blacklist_from *@regionstargpsupdates.com
>
> On 04/21/2011 04:37 PM, Kevin Miller wrote:
>> Yes, but then I'm playing whack-a-mole. Looking at the
Getting back to a viable solution to your actual spam problem...
> Adam Katz wrote:
>> How about this rule instead:
>>
>> blacklist_from *@regionstargpsupdates.com
On 04/21/2011 04:37 PM, Kevin Miller wrote:
> Yes, but then I'm playing whack-a-mole. Looking at the spam in html
> format (i.e.,
On 04/22/2011 07:02 AM, Joseph Brennan wrote:
> I'd be cautious with this.
>
> I have tried scoring for multiple and also for more than ten
> closing in a row, but unless you score very low, you'll get
> false positives. Unfortunately some legitimate software products
> translate their native
On 04/21/2011 05:22 PM, John Hardin wrote:
> On Thu, 21 Apr 2011, Adam Katz wrote:
>
>> rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi
>
> ...when does \s{0,4} not match the same text as [\s\r\n]{0,4} ?
>
> (i.e. \r and \n are whitespace, no?)
I believe they are identical assuming /msi fla
On Thu, 21 Apr 2011 15:37:02 -0800, Kevin Miller
>>> body CBJ_GiveMeABreak /\[""]{5,}/
>>> describe CBJ_GiveMeABreak Messages with multiple consecutave break
>>> characters score CBJ_GiveMeABreak 0.01
> I'm wading through it, trying to understand it all. Printed some regex
> tutor
On 4/21/2011 7:47 PM, Kevin Miller wrote:
>
> Great. I've changed my rule to that, and am going to look at Adam's somewhat
> enhanced version to understand what all it's doing. To wit:
> rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi
It matches:
or followed by 0 to 4 whitespace or ret
I'd be cautious with this.
I have tried scoring for multiple and also for more than ten
closing in a row, but unless you score very low, you'll get
false positives. Unfortunately some legitimate software products
translate their native format into HTML with ugly code like that.
It could be th
On Thu, 2011-04-21 at 16:08 -0800, Kevin Miller wrote:
> Karsten Bräckelmann wrote:
> > That should do the trick indeed.
> >
> > After this, I strongly suggest to carefully re-read the entire
> > thread, and read some docs specifically about the points raised. That
> > includes RE peculiarities [1
On Thu, 21 Apr 2011, Adam Katz wrote:
rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi
...when does \s{0,4} not match the same text as [\s\r\n]{0,4} ?
(i.e. \r and \n are whitespace, no?)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.orgFALa
Karsten Bräckelmann wrote:
> On Thu, 2011-04-21 at 15:47 -0800, Kevin Miller wrote:
>> Karsten Bräckelmann wrote:
>>> What you want. The string '', repeated five times (or more). For
>>> the quantifier, you need to group the string.
>>>
>>> /(?:){5}/
>
>> Great. I've changed my rule to that, a
On Thu, 2011-04-21 at 15:47 -0800, Kevin Miller wrote:
> Karsten Bräckelmann wrote:
> > What you want. The string '', repeated five times (or more). For
> > the quantifier, you need to group the string.
> >
> > /(?:){5}/
> Great. I've changed my rule to that, and am going to look at Adam's
>
Stupid Outlook. Meant to reply to the list again. Sigh.
Karsten Bräckelmann wrote:
>
> What you want. The string '', repeated five times (or more). For
> the quantifier, you need to group the string.
>
> /(?:){5}/
>
> Besides the above, do not use {5,} as a quantifier, UNLESS there is
> s
On Thu, 2011-04-21 at 14:55 -0800, Kevin Miller wrote:
> I know it may trigger on some ham which is why I set the initial score
> to 0.01. Better ideas are most welcome though!
>
It may be a good idea to look at the headers, especially From, From: and
Message-ID: and at body URIs to see if there
Adam Katz wrote:
> On 04/21/2011 03:55 PM, Kevin Miller wrote:
>> Thanks (also to Martin who replied). I posted one of the spams
>> here: http://pastebin.com/9aBAxR7m
>>
>> You can see the long series of break codes in it.
>
> Yes I can. I can also see several other diagnostic bits in it, such
On Thu, 2011-04-21 at 14:55 -0800, Kevin Miller wrote:
> I did get it to work from the CLI, and wrote the following rule:
>
> body CBJ_GiveMeABreak /\[""]{5,}/
This still is wrong. Something that has been mentioned, but not properly
explained to you is the char class, denoted by square brac
dar...@chaosreigns.com wrote:
> On 04/21, Adam Katz wrote:
>> rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi
>
> I wonder if it would be useful to generalize this as:
>
> rawbody LOCAL_8X_TAGS /(?:<[^>]*>[\s\r\n]{0,4}){8}/mi
>
> Just a mess of tags in a row without any content.
I'll leav
On 04/21/2011 03:55 PM, Kevin Miller wrote:
> Thanks (also to Martin who replied). I posted one of the spams here:
> http://pastebin.com/9aBAxR7m
>
> You can see the long series of break codes in it.
Yes I can. I can also see several other diagnostic bits in it, such as
the domain: http://www.
On 04/21, Adam Katz wrote:
> rawbody LOCAL_5X_BR_TAGS /(?:[\s\r\n]{0,4}){5}/mi
I wonder if it would be useful to generalize this as:
rawbody LOCAL_8X_TAGS /(?:<[^>]*>[\s\r\n]{0,4}){8}/mi
Just a mess of tags in a row without any content.
On 04/21, Kevin Miller wrote:
> body CBJ_GiveMeA
Oops - this should have gone to the list. Sorry.
Adam Katz wrote:
> Before I help you with your shell and regex issues, I should point out
> that this is not a very strong rule. It will hit ham.
SNIP
>
> Better solution: put some examples up on a pastebin and link them to
> us so we can help
> "egrep '[]{5,}' p3L..." prevents the shell from trying to interpret
> your query but still has a bad query, as it looks for five or more
> consecutive occurrences of any character listed between the angle
> brackets, so "brr" will match up to the slash.
Between the square brackets ("[" and "]"),
Before I help you with your shell and regex issues, I should point out
that this is not a very strong rule. It will hit ham.
On 04/21/2011 02:54 PM, Kevin Miller wrote:
> I'm trying to write a local rule that will scan for 5 or more
> instances of "" but not having much luck. I'm testing first
On Thu, 2011-04-21 at 13:54 -0800, Kevin Miller wrote:
> mxg:/var/spool/MailScanner/quarantine/20110421/nonspam # egrep \[]{5,}
> p3LJZSnX024470
>
That won't do what you want anyway, since it's asking for "a sequence of
5 characters, each of which must be one of <,>,b or r" and isn't
allowing for p
"mouss" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Mike Cisar wrote:
Hi All,
Have been trying to write a regex for a custom rule to catch a particular
spam that's been annoying the heck out of me.
I've got about 6 body rules and have narrowed the problem down to the regex
Mike Cisar wrote:
Hi All,
Have been trying to write a regex for a custom rule to catch a particular
spam that's been annoying the heck out of me.
I've got about 6 body rules and have narrowed the problem down to the regex
that tries to catch this part (text appears in SPAM exactly as below,
Hmm...
Yep, that's loaded. I'll dig in to see what it's hitting and not hitting
Thanks,
- Original Message -
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "" <[EMAIL PROTECTED]>
Cc:
Sent: Sunday, January 22, 2006 9:02 PM
wrote:
> All,
>
> I'm confused as to how to block words with spaces.
> For example,
> V ia G ra
> M o r t g a g e
> Etc...
> TIA,
Really, if you're using SA 3.1.0 all you should need to do is make sure
your v310.pre has the replacetags plugin. All those spacings should be
covered by t
On Sunday 22 January 2006 12:14, wrote:
> All,
>
> I'm confused as to how to block words with spaces.
> For example,
> V ia G ra
> M o r t g a g e
This seems to be very effective.
v.?[|[EMAIL PROTECTED]@]
I also like and use the Sare rulesets, which pretty much catch all of this
stuff. but
On Sun, 22 Jan 2006, wrote:
Hi,
> All,
>
> I'm confused as to how to block words with spaces.
> For example,
> V ia G ra
> M o r t g a g e
> Etc...
are you using SARE rules already? if not, have a look at:
http://www.rulesemporium.com/rules.htm. 70_sare_obfu.cf might be useful
in that case
Ronan wrote:
> I have a log file which will throw out the following
>
> aa:bb cc:dd ee:"ff gg hh" ii:jj
>
> ie pairs of text, colon separated
> 2nd half is in quotes if there are spaces in it
>
> I want to be able to read them into an array/table and work on them
>
> how do i get it so I can ha
66 matches