I have a long and growing list of custom rules for message elements found in spams that slipped through SA. Among others, I have a set of rules for URIs. The regexes for most look like:
/(domain1|domain2|domain3|domain4)\.(com|net|org)/i
However, in the false-negative messages submitted by users over the weekend, there's one that should have been tagged because it matched one of my URI rules.
I've attached the message I'm playing with right now (as a zip because SourceForge rejected it the first time); here's the rule that's failing to trigger:
uri SPAM_SITE_11 /(domainsforpeople|pandabearperks)\.com/i
describe SPAM_SITE_11 Body contains a spamserver site address
score SPAM_SITE_11 2
With the blessed Philip Hazel's pcretest (PCRE definitely isn't Perl, but it is very helpful in analyses):
________________________________________________________________________
PCRE version 4.1 12-Mar-2003
re> /\.(?:domainsforpeople|domainsforgoats|domainsforfairies)\.(?:com|org|net|biz)/i
data> http://www.domainsforpeople.com
0: .domainsforpeople.com
_________________________________________________________________________
What's happening is that I've entered a pattern into PCRETEST as "re". I then entered your site under "data". PCRETEST then gives the matches it finds. If it doesn't find any, you get a blank and have to begin over. If you don't know what PCRE is, or where to get it/PCRETEST, ask!
*SO*,
Entered as a uri test, it should work. As I said, PCRE can differ from perl - but ..
That's how I test my own uri rules.
If you were using Postfix and understand what 'postmap' is for, you could test with:
postmap -q - [regexp|pcre]:/etc/postfix/header_checks < saved_mail
Come back if you can't get it to work :-)
___________________________________________________________________________
*BUT*
As far as your zipped mail and RBL tests go, guess what RBL/DCC would have said about it with 2.60 (I've marked up the RBL results for my own use, YMMV):
____________________________________________________________________________
Spam detection software, running on the system "billy.demon.nl", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see [EMAIL PROTECTED] for details.
Content preview: Do it yourself domain name registration for just $14.95. Full flexibility to manage and move your domain. http://www.domainsforpeople.com [...]
Content analysis details: (29.8 points, 6.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.0 FORGED_RCVD_HELO Received: contains a forged HELO
3.7 RCVD_IN_OPM RBL: Received via a relay in opm.blitzed.org
[203.240.168.141 listed in opm.blitzed.org]
1.0 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[203.240.168.141 listed in dnsbl.njabl.org]
3.7 RCVD_IN_OPM_WINGATE RBL: OPM: sender is open WinGate proxy
[203.240.168.141 listed in opm.blitzed.org]
1.0 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?ip=203.240.168.141>]
1.4 RCVD_IN_RFCI RBL: Sent via a relay in ipwhois.rfc-ignorant.org
[Inaccurate or missing WHOIS data]
3.7 RCVD_IN_OPM_SOCKS RBL: OPM: sender is open SOCKS proxy
[203.240.168.141 listed in opm.blitzed.org]
3.7 RCVD_IN_OPM_HTTP_POST RBL: OPM: sender is open HTTP POST proxy
[203.240.168.141 listed in opm.blitzed.org]
2.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[203.240.168.141 listed in dnsbl.sorbs.net]
1.0 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[203.240.168.141 listed in dnsbl.sorbs.net]
1.0 RCVD_IN_SORBS_MISC RBL: SORBS: sender is open proxy server
[203.240.168.141 listed in dnsbl.sorbs.net]
3.7 RCVD_IN_OPM_HTTP RBL: OPM: sender is open HTTP CONNECT proxy
[203.240.168.141 listed in opm.blitzed.org]
2.0 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
[203.240.168.141 listed in dnsbl.njabl.org]
0.9 RCVD_IN_SORBS_SMTP RBL: SORBS: sender is open SMTP relay
[203.240.168.141 listed in dnsbl.sorbs.net]
_______________________________________________________________________
Tony
-- Tony Earnshaw
I love the music of Wagner. The only sound that pleases me more is that of a cat outside my 9th floor window, trying to cling to the glass with its claws.
http://j-walk.com/blog/docs/conference.htm http://www.billy.demon.nl Mail: [EMAIL PROTECTED]