On Mon, 21 Nov 2011, Sergio wrote:
Unfortunately, it seems that MCP doesn't like the rule:
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.com/i
header __FROM_UPS From =~ /\bups\.com/i
meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe DHL_UPS_MISMATCH virus DHL-USA or UPS
score DHL_UPS_MISMATCH 11
When I wrote this to the MCP rules file, none of my other rules work.
Bowie is right. I missed escaping the at signs. Put a backslash in front
of each one that isn't in square brackets:
/envelope-from [^ @]+\@ups\.com/i
But that shouldn't break _other_ rules...
On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey <bowie_bai...@buc.com> wrote:
On 11/21/2011 11:35 AM, John Hardin wrote:
On Mon, 21 Nov 2011, Bowie Bailey wrote:
On 11/20/2011 10:02 PM, Sergio wrote:
header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
These will match any domain that starts with "dh" and ends with ".com".
You overlooked the "l".
Hmm... Guess I did...
For example, they will match "someu...@dhalailama.com". Is this
expected?
It won't.
If you just want to match a single character, then get rid of
the +.
It's to match "-usa" or other dhl domain name variants. The line wrap in
email makes that look like a single character RE. The actual RE I
suggested is:
/envelope-from [^ @]+@dhl[^ .]+\.com/i
The line wrap wasn't an issue. I just didn't see the "l". And with
this font, I think I see why I didn't see it the first time. It blends
in with the square bracket.
It also won't match "dhl.com". My bad. As I said, it was off the top of my head.
These might be better:
/envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
/\bdhl(?:[-_][^ .]+)?\.com/i
Do the "@" characters need to be escaped? In a normal Perl RE they
would, but I'm not sure if SA is treating them any differently since it
is reading them in from a config file.
--
Bowie
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
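To see what the rules in this thread actually match, here is an added Python check (not code from the thread or from SpamAssassin) that runs the final suggested sub-rules and the DHL_UPS_MISMATCH meta over constructed sample headers, and compares the earlier `dhl[^ .]+\.com` form with the later `dhl(?:[-_][^ .]+)?\.com` form. Python's `re` treats an unescaped `@` as a literal character, so the Perl/SpamAssassin escaping question stays as the thread leaves it.

```python
import re

# Constructed sample headers (not from the original thread).
SAMPLES = {
    # envelope sender claims DHL, visible From claims UPS: the case the meta rule targets
    "env_dhl_from_ups": {
        "Received": "from mx.example.net (envelope-from <bounce@dhl-usa.com>)",
        "From": "UPS Notifications <noreply@ups.com>",
    },
    # envelope and visible sender agree: should not fire
    "consistent_dhl": {
        "Received": "from mx.example.net (envelope-from <alerts@dhl.com>)",
        "From": "DHL <alerts@dhl.com>",
    },
    # unrelated domain starting with "dh": should match nothing
    "unrelated": {
        "Received": "from mx.example.net (envelope-from <someuser@dhalailama.com>)",
        "From": "Someone <someuser@dhalailama.com>",
    },
}

# The four sub-rules as finally suggested in the thread, each bound to the header it inspects.
RULES = {
    "__ENV_FROM_DHL": ("Received", re.compile(r"envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com", re.I)),
    "__FROM_DHL": ("From", re.compile(r"\bdhl(?:[-_][^ .]+)?\.com", re.I)),
    "__ENV_FROM_UPS": ("Received", re.compile(r"envelope-from [^ @]+@ups\.com", re.I)),
    "__FROM_UPS": ("From", re.compile(r"\bups\.com", re.I)),
}

# Earlier suggestion, kept to show the "dhl.com" gap the thread points out.
OLD_DHL = re.compile(r"\bdhl[^ .]+\.com", re.I)
NEW_DHL = RULES["__FROM_DHL"][1]


def eval_subrules(headers):
    """Return {rule_name: bool} for one message's headers (missing header = no match)."""
    return {name: bool(rx.search(headers.get(hdr, ""))) for name, (hdr, rx) in RULES.items()}


def dhl_ups_mismatch(headers):
    """Evaluate the meta rule: (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)."""
    r = eval_subrules(headers)
    return (r["__ENV_FROM_DHL"] and r["__FROM_UPS"]) or (r["__ENV_FROM_UPS"] and r["__FROM_DHL"])


def compare_dhl_patterns(domain):
    """(old_matches, new_matches) for a bare domain string."""
    return bool(OLD_DHL.search(domain)), bool(NEW_DHL.search(domain))


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {eval_subrules(hdrs)} -> DHL_UPS_MISMATCH={dhl_ups_mismatch(hdrs)}")
    for d in ("dhl.com", "dhl-usa.com", "dhalailama.com"):
        print(f"{d}: old/new = {compare_dhl_patterns(d)}")
```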