On Sat, 2 Mar 2013, Ned Slider wrote:

> On 01/03/13 19:55, Alexandre Boyer wrote:
>
>> The famous 5 recipients...
>> I had a (very) few exceptions while having the very same pattern in
>> body. With 4 recipients instead of 5, and sometimes one among the 5 with
>> no To:address, just To:name, which was harder to count...
>> I removed the similar rule as your __RP_D_00040 from my systems to avoid
>> false negatives.
>> And no FP for a long time on this rule (this is an old bot, first seen
>> last summer, but probably older but unnoticed).
>
> The example I posted earlier today had 7 recipients listed in To: (sorry, I
> redacted them).
> Rather than using a rule specifically for 5 recipients, I would use the
> existing __MANY_RECIPS rule in the meta rule.
> That said, I just checked my example, and __MANY_RECIPS failed to fire.
> Here's the current rule:
> header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
> Can someone explain the regex and why it fails to fire for 7 recipients?

(@, followed by 5-30 non-@ characters) repeated three times.
If the username + domain name + inter-address punctuation is longer than
30 chars it won't work.
I don't see a good reason for the upper limit, or at least for one that
restrictive. The To and Cc headers aren't going to be unboundedly long.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
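
Added example, not part of the original thread: it measures the distance between consecutive `@` signs to show why the quoted `__MANY_RECIPS` pattern fires on bare addresses but not on the same seven recipients written with display names. Python's `re` treats this pattern the same way as the Perl rule; the sample addresses and the `{5,200}` variant are constructed assumptions, not SpamAssassin's own rules or data.

```python
import re

# Rule as quoted in the thread:
#   header __MANY_RECIPS ToCc =~ /(?:\@[^@]{5,30}){3}/
MANY_RECIPS = re.compile(r"(?:\@[^@]{5,30}){3}")
# Hypothetical looser bound, for comparison only (an assumption, not a shipped rule).
RELAXED = re.compile(r"(?:\@[^@]{5,200}){3}")


def gaps(header):
    """Number of non-@ characters following each '@' in the header value."""
    return [len(chunk) for chunk in header.split("@")[1:]]


def first_match_index(header, lo=5, hi=30):
    """Index of the first '@' at which the rule can match, or None.

    The first two repetitions must run straight into the next '@', so their
    gaps must lie within lo..hi; the third only needs lo characters after it.
    """
    g = gaps(header)
    for i in range(len(g) - 2):
        if lo <= g[i] <= hi and lo <= g[i + 1] <= hi and g[i + 2] >= lo:
            return i
    return None


# Constructed sample recipients (not taken from any real message).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
DOMAIN = "mail.example.com"
BARE = ", ".join(f"{u}@{DOMAIN}" for u in USERS)
NAMED = ", ".join(f'"{u.title()} Example" <{u}@{DOMAIN}>' for u in USERS)


def report(header):
    """Gap lengths plus the verdict of the quoted rule and the looser variant."""
    return {
        "gaps": gaps(header),
        "fires": bool(MANY_RECIPS.search(header)),
        "relaxed": bool(RELAXED.search(header)),
    }


if __name__ == "__main__":
    for label, hdr in (("bare", BARE), ("named", NAMED)):
        print(label, report(hdr))
```
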