On Sun, 23 Oct 2011, Karsten Bräckelmann wrote:

> On Sun, 2011-10-23 at 11:15 -0700, Jakub Serych wrote:
> > Could anybody help newbie to build rule for "From:" line? My server is
> > flooded with spams like this:
>
> > header FROM_ENLARG              From: =~
>                                       ^
> Drop the colon, the header name is a plain "From".
>
> > /(\bsex\b|\bfree\b|\btrial\b|\benlarge.*|\bpils|sample.*)/i
>                                         ^^              ^^
> These are unnecessary at the end of the match.
>
> You should carefully watch the anchors for your RE, in your case the \b
> word boundaries. The above matches a "sample" string anywhere, even
> embedded inside a name -- or the email address for that matter.
>
> If you want to match the "real name" part only, the :name modifier comes
> in handy. Note that the modifier is delimited by a leading colon. The
> colon (as per above) is not part of the "From" header name.
>
>  header FOO  From:name =~ /\b(sex|free|trial|enlarge)\b/i
>
> Here I also moved the \b word boundaries outside the alternation, so you
> cannot forget it when adding more words. ;)


Karsten's example is a clear win (efficiency-wise) over Jakub's, but it's
also more restrictive. Because of the \b bounding on the outside, Karsten's
rule will match "From: enlarge now <[email protected]>" but not
"From: enlargement now <[email protected]>".

That can be achieved by adding trailing character matches on those
words that you want to be 'extendable'. EG:

  header FOO  From:name =~ /\b(sex|free|trial|enlarge\w{0,5})\b/i

This will match on "enlarge", "enlargement", "enlarged", etc. and still
keep the efficiency.
Note that by using the 'word' match meta-character ('\w') rather than
the generic wild-card match character ('.') you avoid back-tracking of the
pattern-match engine (as well as putting a fixed size bounding on it).

This tactic does need to be used with caution to avoid FPs. The greater
the usage of non-fixed pattern matches, the larger the group of matched
strings and thus the greater the possibility of FPs.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
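
An added example, not part of the thread or of SpamAssassin: the three patterns quoted above, run against constructed From values to show which ones hit and where the original rule false-positives. Python's `re` stands in for the Perl regex engine, and `email.utils.parseaddr` is used as an approximation of the `:name` modifier; both are assumptions of this sketch.

```python
import re
from email.utils import parseaddr

# The three patterns from the thread, copied unchanged.
JAKUB = re.compile(r"(\bsex\b|\bfree\b|\btrial\b|\benlarge.*|\bpils|sample.*)", re.I)
KARSTEN = re.compile(r"\b(sex|free|trial|enlarge)\b", re.I)
DAVE = re.compile(r"\b(sex|free|trial|enlarge\w{0,5})\b", re.I)

# Constructed sample From values (not taken from real mail).
SAMPLES = [
    "enlarge now <offers@example.com>",
    "enlargement now <offers@example.com>",
    "Enlargementation Ltd <offers@example.com>",  # 9 trailing chars, over the {0,5} bound
    "Alice Sampleton <alice@example.org>",        # legitimate name containing "sample"
    "Bob Jones <bob@free.example.net>",           # "free" appears only in the address
    "Essex Council <info@example.org>",           # "sex" embedded inside a word
]

def display_name(from_value):
    """Approximate From:name by keeping only the real-name part."""
    name, _addr = parseaddr(from_value)
    return name

def evaluate(from_value):
    """Return which rule would fire: Jakub's on the whole header value,
    Karsten's and Dave's on the display name only."""
    name = display_name(from_value)
    return {
        "jakub": bool(JAKUB.search(from_value)),
        "karsten": bool(KARSTEN.search(name)),
        "dave": bool(DAVE.search(name)),
    }

def report():
    return [(s, evaluate(s)) for s in SAMPLES]

if __name__ == "__main__":
    for value, hits in report():
        fired = ", ".join(k for k, v in hits.items() if v) or "none"
        print(f"{value!r:48} -> {fired}")
```

Running it shows the unanchored `sample.*` and the whole-header match firing on the Sampleton and free.example.net samples, which neither `From:name` rule hits.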
