You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Marcio Humpris <ma...@gmail.com> on 2013/11/08 00:01:30 UTC
one word spam (still trying...)
Hi, John
This didnt work for me also:
/^\s{0,80}\S{1,20}\s{0,80}$/
can you kindly check it works here?
http://www.softlion.com/webTools/RegExpTest/default.aspx
Heres the original email I want to block:
http://pastebin.com/download.php?i=0D7tfsjf
Thank you!
Re: one word spam (still trying...)
Posted by John Hardin <jh...@impsec.org>.
On Thu, 7 Nov 2013, Marcio Humpris wrote:
> Hi, John
>
> This didnt work for me also:
>
> /^\s{0,80}\S{1,20}\s{0,80}$/
>
> can you kindly check it works here?
>
> http://www.softlion.com/webTools/RegExpTest/default.aspx
The slashes at the ends should be removed if you're testing the RE with
that tool. If I do that it works as expected there.
> Heres the original email I want to block:
>
> http://pastebin.com/download.php?i=0D7tfsjf
"Tudo bom?" is two words.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"They will be slaughtered as result of England's anti-gun laws
that concentrates power to the Government."
-- Shifty Powers (101 abn) observing British
subjects training to repel a German invasion
using rakes, hoes and pitchforks
-----------------------------------------------------------------------
4 days until Veterans Day
Re: one word spam (still trying...)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2013-11-25 at 22:26 +0000, Marcio Humpris wrote:
> Dear Karsten,
> Really appreciate it. Thanks John Hardin also.
> Can you kindly tell me how I can add this to my local.cf so I can test it?
> I imagine I have to do this, correct?
>
> rawbody __RB_GT_200 /^.{201}/s
> meta __RB_LE_200 !__RB_GT_200
> score __RB_LE_200 1.5
You cannot assign a score directly here. As I mentioned in my previous
post, these (any rules with names starting with two underscores) are
non-scoring sub-rules intended to be used in a meta rule.
Thus, you would either have to change the __RB_LE_200 rule's name in the
meta and drop the leading underscores. Alternatively preserve these size
constraint logic rules as-is, and add a plain meta rule you can assign a
score to.
meta LOCAL_RB_LE_200 __RB_LE_200
That might look slightly redundant on first glance, but helps using the
size constraint rules in other meta rules, as well as more closely
matching your target and prevent false positives with additional
constraints.
The samples in your case are short body without any URI, so you could
e.g. use another stock sub-rule to prevent firing on mail quickly thrown
together to send a funny link to the college next cubicle.
meta RB_LE_200_NO_URI __RB_LE_200 && !__HAS_ANY_URI
Unless you're comfortable with the rule, I suggest to start with a lower
score -- and raise it over time after some performance observation.
score RB_LE_200_NO_URI 0.5
> Im a bit confused, LE checks less then 200 words and seems to negate
> RB_GT_200...?
Syntax used in the original sub-rules above: RB indicating it being
(based on) a rawbody type rule. GT and LE meaning "greater than" and
"less than or equal" respectively, in relation to the the trailing
number.
The first rule (type rawbody) evaluates true for any message with more
than 200 chars in textual MIME-parts, which one can think about as
"having a body of at least 200 chars". Note that this works on *chars*,
not words.
The second rule does indeed negate that -- which means, the textual
MIME-parts (think body) of the message is "less than or equal 200 chars
in length". Again, operating on chars, not words.
In your case, since you want to match messages with typically much less
chars than 200, I'd go for a version of about 40 chars, maybe. I briefly
outlined what to adjust for that in my previous post, if it isn't clear
by the rule definitions already.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: one word spam (still trying...)
Posted by Benny Pedersen <me...@junc.eu>.
Marcio Humpris skrev den 2013-11-25 23:26:
> I imagine I have to do this, correct?
>
> rawbody __RB_GT_200 /^.{201}/s
> meta __RB_LE_200 !__RB_GT_200
> score __RB_LE_200 1.5
nope rules beginning with __ cant score for spamtests
meta RB_LE_200 (__RB_LE_200)
describe RB_LE_200 Meta: less then 200 chars in rawboby
score RB_LE_200 1.5
Re: one word spam (still trying...)
Posted by Marcio Humpris <ma...@gmail.com>.
Dear Karsten,
Really appreciate it. Thanks John Hardin also.
There was no original rule actually. And yes, 2 words in the case, sorry.
Can you kindly tell me how I can add this to my local.cf so I can test it?
rawbody __RB_GT_200 /^.{201}/s
meta __RB_LE_200 !__RB_GT_200
I imagine I have to do this, correct?
rawbody __RB_GT_200 /^.{201}/s
meta __RB_LE_200 !__RB_GT_200
score __RB_LE_200 1.5
Im a bit confused, LE checks less then 200 words and seems to negate
RB_GT_200...?
Thanks again.
Re: one word spam (still trying...)
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2013-11-07 at 21:01 -0200, Marcio Humpris wrote:
> This didnt work for me also:
>
> /^\s{0,80}\S{1,20}\s{0,80}$/
That RE matches a complete line with a single "word" (anything but
whitespace) of up to 20 chars, and optional whitespace \s before and
after the word.
> Heres the original email I want to block:
> http://pastebin.com/download.php?i=0D7tfsjf
Despite your Subject, that sample has two words in the body.
You missed to post the actual SA rule. The above is just an RE. This is
important, because different rules are applied against different
versions of the message or body, which also impacts the exact definition
of beginning ^ and end $ assertions. And in the case of a body rule, the
Subject becomes the first paragraph.
Even more words? In total, yes, but not as far as the above RE is
concerned. In body rules, paragraphs are normalized to newline delimited
single line strings. Lacking magic like the /m modifier, the beginning
and end assertions are per-line -- not spanning the entire body. A
single one word paragraph in a large mail would match.
Given the sample, what you actually are after might be a "very short
body" rule. This was part of a recent thread:
rawbody __RB_GT_200 /^.{201}/s
meta __RB_LE_200 !__RB_GT_200
The (non-scoring sub-rule) __RB_LE_200 matches any mail with less than
or equal 200 chars in the textual body MIME-parts. To adjust the size
and lower it for your use-case, just replace any instance of 200 and 201
with your desired maximum size, and max size plus one respectively.
These rules are sub-rules intended to be used in a meta rule.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}