Posted to users@spamassassin.apache.org by Declan Moriarty <de...@ntlworld.ie> on 2004/09/11 06:16:33 UTC

Home grown rules: What am I on to?

[NOOB warning here!]

I am on a small lousy isp (named above) and get _no_mail_ I want with
another ntlworld.ie address on it. Spammers bulk mail to each server for
efficiency. Punishing a second address on your isp would be stupid in
the extreme on other servers (e.g. aol.com) but a very good idea here.
When I set out to write a rule for catching these, I found that the
'To:addr' variable is where the Bermuda Triangle intersects with the
Twilight Zone :-/. (BTW, Versions are perl-5.6.1, SA-2.63,
postfix-2.1.13, procmail-3.22. I am rewriting subjects, and adding
headers and a report)

I failed completely. \n, \b, \t, \W & \w don't seem to function as they 
should. Better than I at regexes have tried and failed. This rule, however

	header ISP    To:addr =~ /(\b\S+?\@ntlworld\.\w{2,5}\b)/

picks up an ntlworld.ie address only when it is spam! :-/ It's 100% (!)
and shows on every spam I get, over 60 since it went in. The only false
positives are from majordomos, which is an edited file mailed to me.
Something (good) is going on and I don't know what. I suspect that spam
is edited by hand before distribution, and that somehow I am catching
that. But this one

	header LFS   To:addr =~ /(\b\S+?\@linuxfromscratch\.\w{2,6}\b)/
[changes underlined]                      ^^^^^^^^^^^^^^^^       ^

does not catch spam to linuxfromscratch.org on my system; I get a
mailing list from there forwarded to me :-/. I have one hit with it.
The To: line is blfs-support@linuxfromscratch.org.

Using egrep, this one '(\n\S+?\@ntlworld\.\w{2,5}\b)' catches the
likes of this:           ^

To: "Kathie Webb" <jo...@ntlworld.ie>

i.e. the first of many lines of addresses of spam, 
but sees nothing using spamc/spamd. I never got a regex to pick up the 
examples below (copied & pasted from spam). 


To: simon.hackett1@ntlworld.ie, sio.keegan@ntlworld.ie,
        siobhan.farrell@ntlworld.ie, siobhanbrian.farrell@ntlworld.ie,
        skibock@ntlworld.ie, soner.mete@ntlworld.ie,
spungie@ntlworld.ie,
        stephen.owens12@ntlworld.ie, stephenkincaid@ntlworld.ie,
        steve.k20@ntlworld.ie, steven.kavanagh@ntlworld.ie,
        t.j.campbell@ntlworld.ie, tech.genius@ntlworld.ie,
        telman.8@ntlworld.ie, terence.judd@ntlworld.ie

Or this one

To: "Kathie Webb" <jo...@ntlworld.ie>
Cc: "Clair Alvarez" <is...@ntlworld.ie>,
        "Danyel Martin" <jo...@ntlworld.ie>,
        "Faustina Flores" <dw...@ntlworld.ie>,
        "Oliva Carter" <te...@ntlworld.ie>


(I'm in those as my Electronic hardware self <te...@ntlworld.ie>)

Now comparing legit and spam e-mails, I can't see much difference with a
hex editor (both have 0x0a and 0x20) and I am completely off the map. I
don't know why this works

	header ISP    To:addr =~ /(\b\S+?\@ntlworld\.\w{2,5}\b)/

or why the others don't. What I see with egrep is not close to what
spamd/spamc give. I know newbies should (expletive deleted) off and
read. I've given this a good shot before coming here. I've read too.

Any ideas/hints? 

-- 

	With best Regards,


	Declan Moriarty.

Re: Home grown rules: What am I on to?

Posted by Loren Wilton <lw...@earthlink.net>.
My understanding of your post is that you want to catch a 'to' with
"@ntlworld." that isn't followed by "com".  Assuming that is right, then I
think something like the following (completely untested!) rule might work:

header NOT_NTLWORLD    To =~ /\w\@ntlworld\.(?!com)\w/

This should catch anything with <word>@ntlworld.(!com), so should trip on
what you want.

I would have to check the :addr variant to see if it included all of the
addresses in the list, or only the first one.  If it includes all, then you
could delete that first \w in the re.

        Loren


Re: Home grown rules: What am I on to?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Declan,

Friday, September 10, 2004, 9:16:33 PM, you wrote:

DM> [NOOB warning here!]

Noob to yoo too.   :-)

DM> header ISP    To:addr =~ /(\b\S+?\@ntlworld\.\w{2,5}\b)/

I don't think that \S+? construct is valid -- there's nothing before the
? to say "zero or one" of.

Looks to me like what you really want is a much simpler
> header ISP To:addr =~ /\@ntlworld\.\w{2}/i
which will catch all emails to any email address at ntlworld dot any 2+
tld.

Does that help?  Or am I way off base with this suggestion?

Bob Menschel
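A way to see what each rule in this thread actually matches, added here as a worked example (it is not part of any of the three posts and it is not SpamAssassin's code): the script below models what SpamAssassin hands a `To:addr` rule, namely the header value with its continuation lines joined and the display names stripped so that only the addresses remain, and then runs Declan's ISP and LFS regexes, the `\n` variant he tried with egrep, Loren's `(?!com)` rule and Bob's short rule over constructed To: headers shaped like the ones quoted in the first post. The unfolding and address extraction are a simplified model of SA's behaviour, not a reimplementation; the sample addresses, the `OWN_ADDRESS` placeholder and the extra `OTHER_NTL` rule are assumptions of this example. The `+?` in Declan's rules is Perl's non-greedy `+`, which Python's `re` reads the same way.

```python
import re
from email.utils import getaddresses

# Constructed sample To: headers, written in raw (folded, on-the-wire) form.
# They follow the shape of the headers quoted in the thread; the named
# addresses are made up for this example and are not the elided originals.
SPAM_BARE_LIST = (
    "To: simon.hackett1@ntlworld.ie, sio.keegan@ntlworld.ie,\n"
    "        siobhan.farrell@ntlworld.ie, skibock@ntlworld.ie,\n"
    "        tech.genius@ntlworld.ie, telman.8@ntlworld.ie\n"
)
SPAM_NAMED_LIST = (
    'To: "Kathie Webb" <kathie.webb@ntlworld.ie>,\n'
    '        "Clair Alvarez" <clair.alvarez@ntlworld.ie>,\n'
    '        "Electronic Hardware" <ehw@ntlworld.ie>\n'
)
LEGIT_LIST_MAIL = "To: blfs-support@linuxfromscratch.org\n"
# Assumed placeholder for the recipient's own mailbox on the ISP.
OWN_ADDRESS = "declan@ntlworld.ie"
LEGIT_DIRECT_MAIL = 'To: "Declan Moriarty" <%s>\n' % OWN_ADDRESS


def unfold(raw_header):
    """Return the header value with RFC 2822 continuation lines joined.

    Simplified model of what SpamAssassin does before any 'header' rule
    sees the value; it is not SA's own code.  After this step there is no
    newline left for a \\n in a regex to match.
    """
    _name, _sep, value = raw_header.partition(":")
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def addr_view(raw_header):
    """Model of the ':addr' modifier: keep only the address of every
    mailbox in the header, display names and comments dropped, joined
    with ', ' (the joining format is an assumption of this example)."""
    addrs = [addr for _name, addr in getaddresses([unfold(raw_header)]) if addr]
    return ", ".join(addrs)


# The regexes from the thread, unchanged apart from Python's compile call.
RULES = {
    "ISP_DECLAN":   re.compile(r"(\b\S+?\@ntlworld\.\w{2,5}\b)"),
    "LFS_DECLAN":   re.compile(r"(\b\S+?\@linuxfromscratch\.\w{2,6}\b)"),
    "NEWLINE_RULE": re.compile(r"(\n\S+?\@ntlworld\.\w{2,5}\b)"),
    "NOT_NTLWORLD": re.compile(r"\w\@ntlworld\.(?!com)\w"),
    "ISP_BOB":      re.compile(r"\@ntlworld\.\w{2}", re.I),
    # Added variant (not from the thread): any ntlworld.ie address that is
    # not the recipient's own, so mail addressed only to OWN_ADDRESS passes.
    "OTHER_NTL":    re.compile(r"\b(?!" + re.escape(OWN_ADDRESS) + r"\b)\S+?\@ntlworld\.ie\b"),
}


def fires(rule_name, raw_header):
    """True if the named rule matches the header as a To:addr rule would see it."""
    return RULES[rule_name].search(addr_view(raw_header)) is not None


def hits(raw_header):
    """Map every rule name to whether it fires on this header."""
    return {name: fires(name, raw_header) for name in RULES}


if __name__ == "__main__":
    for label, hdr in [("spam, bare list", SPAM_BARE_LIST),
                       ("spam, named list", SPAM_NAMED_LIST),
                       ("legit, mailing list", LEGIT_LIST_MAIL),
                       ("legit, direct to me", LEGIT_DIRECT_MAIL)]:
        print("%-20s To:addr = %r" % (label, addr_view(hdr)))
        for name, hit in hits(hdr).items():
            print("    %-13s %s" % (name, "HIT" if hit else "-"))
```

Run as a script it prints the address-only view of each header and which rules fire on it. Two things stand out: the `\n` rule never fires on the `To:addr` view because unfolding has removed every newline, so a pattern that finds something in a raw message file with egrep has nothing to match once spamd has built the header value; and the ISP rule, like Loren's and Bob's, fires on the constructed message addressed only to the recipient's own ntlworld.ie address, since it keys on any ntlworld address being present rather than on a second one. On an ISP where all wanted mail arrives via lists that may be exactly the intended behaviour; the `OTHER_NTL` variant shows how to exclude one's own address with a negative lookahead if it is not.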