Adam Katz wrote:
> On 04/21/2011 03:55 PM, Kevin Miller wrote:
>> Thanks (also to Martin who replied).  I posted one of the spams
>> here: http://pastebin.com/9aBAxR7m 
>> 
>> You can see the long series of break codes in it.
> 
> Yes I can.  I can also see several other diagnostic bits in it, such
> as the domain: 
> http://www.siteadvisor.com/sites/regionstargpsupdates.com  
> 
> How about this rule instead:
> 
> blacklist_from  *@regionstargpsupdates.com
> 
> It's much faster and, given the report of the domain being that of a
> spammer, much much safer. 

Yes, but then I'm playing whack-a-mole.  Looking at the spam in HTML format 
(i.e., in the original email) one can see similarities in style - probably 
produced from a template.  But the domain varies widely.  I may get anywhere 
from a half dozen to several dozen from any one domain, then never see that 
domain again.  Classic botnet behaviour.  These guys cycle through domains and 
from addresses regularly.

One thing that is consistent with all the spams is an exclamation mark at the 
end of the subject line.  Sadly, plenty of ham also displays that.

>> Sorry for the confusion on the 10.10.10.10 - that isn't part of the
>> spam, it was just a handy file for testing since it had a repeating
>> string in it.
> 
> It was a faulty test since '[10.]{3}' will match '10.10.10.10' but
> not in the way that you think; it matches the first three characters
> and will therefore also match the string '110.64.323.6'  

Right - caught that from your previous post.  


>> I did get it to work from the CLI, and wrote the following rule:
>> 
>> body      CBJ_GiveMeABreak  /\["<br>"]{5,}/
>> describe  CBJ_GiveMeABreak  Messages with multiple consecutive break characters
>> score     CBJ_GiveMeABreak  0.01
> 
> That will not match your sample.  Please re-read my message.  The
> regex is wrong and the rule type (body) is wrong. 

I'm wading through it, trying to understand it all.  Printed some regex 
tutorial web pages as well.
I added the rule before any replies showed up but am removing it since it's a 
valiant effort but not hitting where I'd hoped...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

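The two regex mistakes discussed in this thread are easy to reproduce outside SpamAssassin. The following is an added example, not code from the thread, from Kevin, or from SpamAssassin: it runs the posted pattern and the `[10.]{3}` pattern through Python's `re` engine, which treats character classes, quantifiers and escapes the same way Perl does for these constructs, and contrasts each with a pattern that does what was intended. The sample messages, the helper names and the corrected pattern `FIXED_RE` are my own constructions, not anything proposed on the list.

```python
import re

# Constructed sample messages (not the pastebin sample from the thread).
SPAM_HTML = ("<html><body>Update your GPS now!"
             "<br><br><br><br><br><br>Limited offer<br></body></html>")
HAM_HTML = "<html><body>Hi Bob,<br>Lunch tomorrow?<br><br>Cheers</body></html>"

# The rule as posted. Read by the engine: '\[' is a literal '[',
# '"<br>"' is literal text, and ']{5,}' is a literal ']' five or more
# times. So it matches the string ["<br>"]]]]] and never a run of <br> tags.
POSTED_RE = re.compile(r'\["<br>"]{5,}')

# What was meant (my suggestion, not the thread's): five or more <br> tags
# in a row, any case, tolerating attributes, a trailing '/', and whitespace.
FIXED_RE = re.compile(r'(?:<br\b[^>]*>\s*){5,}', re.IGNORECASE)


def posted_rule_hits(html):
    """True if the pattern from the original post matches the text."""
    return POSTED_RE.search(html) is not None


def fixed_rule_hits(html):
    """True if the corrected run-of-<br> pattern matches the text."""
    return FIXED_RE.search(html) is not None


# The '[10.]{3}' pitfall: a character class matches ONE character from the
# set, so '[10.]{3}' means "three characters, each one of '1', '0' or '.'".
CLASS_RE = re.compile(r'[10.]{3}')
# The token "10." three times in a row needs a group, and the dot escaped.
GROUP_RE = re.compile(r'(?:10\.){3}')


def class_match(text):
    """Return what '[10.]{3}' actually grabs from text, or None."""
    m = CLASS_RE.search(text)
    return m.group(0) if m else None


def group_match(text):
    """Return what '(?:10\\.){3}' grabs from text, or None."""
    m = GROUP_RE.search(text)
    return m.group(0) if m else None


def strip_tags(html):
    """Crude stand-in for the text a SpamAssassin 'body' rule sees: markup
    removed. A 'rawbody' rule sees the markup. Illustration only."""
    return re.sub(r'<[^>]+>', '', html)


if __name__ == "__main__":
    print("posted rule on spam :", posted_rule_hits(SPAM_HTML))
    print("fixed rule on spam  :", fixed_rule_hits(SPAM_HTML))
    print("fixed rule on ham   :", fixed_rule_hits(HAM_HTML))
    print("fixed rule, tags stripped:", fixed_rule_hits(strip_tags(SPAM_HTML)))
    print("[10.]{3} on 10.10.10.10 :", class_match("10.10.10.10"))
    print("[10.]{3} on 110.64.323.6:", class_match("110.64.323.6"))
    print("(?:10\\.){3} on 10.10.10.10 :", group_match("10.10.10.10"))
    print("(?:10\\.){3} on 110.64.323.6:", group_match("110.64.323.6"))
```

The last check is the rule-type point: SpamAssassin `body` rules run against the rendered text with HTML markup removed, so a pattern looking for `<br>` has nothing to match there; a `rawbody` rule is the one that sees the tags. The `strip_tags` helper here is only a rough imitation of that rendering step.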