Did you try to monitor the log to see if the rule was detected?



On 21/11/2011 02:00 p.m., Sergio wrote:
Unfortunately, it seems that MCP doesn't like the rule:

header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
header   __FROM_DHL        From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
header   __ENV_FROM_UPS    Received =~ /envelope-from [^ @]+@ups\.com/i
header   __FROM_UPS        From =~ /\bups\.com/i
meta     DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH  virus DHL-USA or UPS
score    DHL_UPS_MISMATCH  11

When I wrote this to the MCP rules file, none of my other rules worked.

Regards,

Sergio




On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey <bowie_bai...@buc.com> wrote:

    On 11/21/2011 11:35 AM, John Hardin wrote:
    > On Mon, 21 Nov 2011, Bowie Bailey wrote:
    >
    >> On 11/20/2011 10:02 PM, Sergio wrote:
    >>> header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl[^
    >>> .]+\.com/i
    >>> header   __FROM_DHL        From =~ /\bdhl[^ .]+\.com/i
    >> These will match any domain that starts with "dh" and ends with ".com".
    > You overlooked the "l".

    Hmm...  Guess I did...

    >
    >> For example, they will match "someu...@dhalailama.com".  Is this
    >> expected?
    > It won't.
    >
    >> If you just want to match a single character, then get rid of
    >> the +.
    > It's to match "-usa" or other dhl domain name variants. The line wrap in
    > email makes that look like a single character RE. The actual RE I
    > suggested is:
    >
    >    /envelope-from [^ @]+@dhl[^ .]+\.com/i

    The line wrap wasn't an issue.  I just didn't see the "l".  And with
    this font, I think I see why I didn't see it the first time.  It blends
    in with the square bracket.

    > It also won't match "dhl.com". My bad. As I said, it was off the top of my
    > head.
    >
    > These might be better:
    >
    >    /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
    >
    >    /\bdhl(?:[-_][^ .]+)?\.com/i

    Do the "@" characters need to be escaped?  In a normal Perl RE they
    would, but I'm not sure if SA is treating them any differently since it
    is reading them in from a config file.

    --
    Bowie




--
-----------------------------------------
Ricardo Ardila Vetrovec
Network Manager
CeTIC -- UNIMET
tel: 2403743
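As an added example, not code from the thread or from SpamAssassin/MailScanner: the four sub-rules and the DHL_UPS_MISMATCH meta rule re-implemented in Python so they can be run against constructed headers offline, plus a side-by-side check of the earlier `dhl[^ .]+\.com` draft against the revised pattern from the quoted discussion. The header dict, the sample Received/From values, and joining multiple Received lines with newlines before matching are assumptions made here.

```python
import re

# Sub-rules as posted in the thread (regex bodies copied verbatim);
# re.I plays the role of the /i flag on the SpamAssassin rule.
RULES = {
    "__ENV_FROM_DHL": ("Received", r"envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com"),
    "__FROM_DHL":     ("From",     r"\bdhl(?:[-_][^ .]+)?\.com"),
    "__ENV_FROM_UPS": ("Received", r"envelope-from [^ @]+@ups\.com"),
    "__FROM_UPS":     ("From",     r"\bups\.com"),
}
COMPILED = {name: (hdr, re.compile(rx, re.I)) for name, (hdr, rx) in RULES.items()}

# The earlier draft from the quoted discussion next to the revised form.
OLD_DHL = re.compile(r"dhl[^ .]+\.com", re.I)
NEW_DHL = re.compile(r"dhl(?:[-_][^ .]+)?\.com", re.I)


def sub_rule_hits(headers):
    """Run each header sub-rule against the named header of one message.
    headers: dict of header name -> value. Multiple Received lines are
    assumed (here) to be joined with newlines before matching."""
    return {name: bool(rx.search(headers.get(hdr, "")))
            for name, (hdr, rx) in COMPILED.items()}


def dhl_ups_mismatch(headers):
    """DHL_UPS_MISMATCH meta rule: the envelope sender's brand disagrees
    with the brand shown in the From: header."""
    h = sub_rule_hits(headers)
    return ((h["__ENV_FROM_DHL"] and h["__FROM_UPS"])
            or (h["__ENV_FROM_UPS"] and h["__FROM_DHL"]))


def old_vs_new(domain):
    """Return (old_matches, new_matches) for one candidate sender domain,
    showing why the draft was revised: it missed dhl.com and accepted dhlx.com."""
    return bool(OLD_DHL.search(domain)), bool(NEW_DHL.search(domain))


if __name__ == "__main__":
    # Constructed sample message: envelope sender at dhl.com, From: at ups.com.
    msg = {
        "Received": "from mx.example.invalid (mx.example.invalid [192.0.2.10])\n"
                    "\tby mail.example.invalid with ESMTP id CONSTRUCTED\n"
                    "\t(envelope-from <notify@dhl.com>)",
        "From": "UPS Quantum View <auto-notify@ups.com>",
    }
    print(sub_rule_hits(msg))
    print("DHL_UPS_MISMATCH:", dhl_ups_mismatch(msg))
    for d in ("dhl.com", "dhl-usa.com", "dhlx.com", "dhalailama.com"):
        print(d, old_vs_new(d))
```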
