Posted to users@spamassassin.apache.org by Rejaine Monteiro <re...@bhz.jamef.com.br> on 2013/06/06 23:23:37 UTC

Spam rule

Hi list,

How can I make a rule to do something like this:  block messages with 
body or subject contains  'lalalalala'   AND url  with PDF  NOT contains 
'trusted.net'


Re: Spam rule

Posted by Benny Pedersen <me...@junc.eu>.
staticsafe wrote on 2013-06-07 02:02:

> 192.162.*.* doesn't fall within that range.

close but not close enough, it's late here in Denmark :)

-- 
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, don't do it

Re: Spam rule

Posted by staticsafe <me...@staticsafe.ca>.
On Fri, Jun 07, 2013 at 01:54:37AM +0200, Benny Pedersen wrote:
> Daniel McDonald wrote on 2013-06-06 23:54:
> 
> >body    __LALA_B  /la{5}/
> >header  __LALA_H Subject =~ /la{5}/
> >header  __LALA_TRUST Received =~ /192\.162\.101\.\d{1,3}/
> >meta    MY_LALA  (__LALA_B || __LALA_H) && __HAS_ANY_URI &&
> >__PDF_ATTACH &&
> >!__LALA_TRUST
> >score   MY_LALA 5.0
> 
> 
> good example, but since it contains rfc1918 ips it can be abused
> 
> -- 
> senders that put my email into body content will deliver it to my
> own trashcan, so if you like to get reply, don't do it

Not quite:
     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

192.162.*.* doesn't fall within that range.
-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.

Re: Spam rule

Posted by Benny Pedersen <me...@junc.eu>.
Daniel McDonald wrote on 2013-06-06 23:54:

> body    __LALA_B  /la{5}/
> header  __LALA_H Subject =~ /la{5}/
> header  __LALA_TRUST Received =~ /192\.162\.101\.\d{1,3}/
> meta    MY_LALA  (__LALA_B || __LALA_H) && __HAS_ANY_URI && 
> __PDF_ATTACH &&
> !__LALA_TRUST
> score   MY_LALA 5.0


good example, but since it contains rfc1918 ips it can be abused

-- 
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get reply, don't do it

Re: Spam rule

Posted by Martin Gregorie <ma...@gregorie.org>.
On Thu, 2013-06-06 at 16:54 -0500, Daniel McDonald wrote:
> On 6/6/13 4:23 PM, "Rejaine Monteiro" <re...@bhz.jamef.com.br> wrote:
> 
> >    Hi list, 
> >  
> >  How can I make a rule to do something like this:  block messages
> 
> For the pedantic, SpamAssassin doesn't block mail.  It marks it.  Whether
> you block mail that has been marked with some other process is up to you...
> 
> > with body or 
> > subject contains  'lalalalala'   AND url  with PDF  NOT contains 'trusted.net'
> 
> body    __LALA_B  /la{5}/
>
That will only match "laaaaa" - you'll need to use /lalalalala/

> header  __LALA_H Subject =~ /la{5}/
>
IIRC this isn't needed because the subject is treated as part of the
body.

 
> header  __LALA_TRUST Received =~ /192\.162\.101\.\d{1,3}/
>
I'm uncertain what the OP means he wants done with trusted.net, except
that it doesn't look as though he thinks it's the sender. Assuming he
means it should be in the body, try something like this:

body       __LA5B /lalalalala/
uri        __LA5T /trusted\.net/
mimeheader __LA5P Content-type =~ /application\/pdf/
meta  LA5  (__LA5B && !__LA5T && __LA5P)
score LA5  5.0

...of course you'll need to have the MimeMagic plugin installed if
__LA5P is to work. 

Disclaimer: although I've tested __LA5B and written __LA5P 
against a real PDF attachment, this set of rules and subrules is
untested.


Martin
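
The LA5 meta above, emulated in Python over constructed messages to show what each subrule contributes and why /la{5}/ misses the placeholder text. This is an added example, not part of the original post and not SpamAssassin code; the `sample` and `evaluate` helpers, the simplified URI extractor and the example.com URLs are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

WRONG = re.compile(r"la{5}")       # {5} binds to "a" only: matches "laaaaa"
RIGHT = re.compile(r"(?:la){5}")   # whole group repeated: matches "lalalalala"
TRUSTED = re.compile(r"trusted\.net")
URI = re.compile(r'https?://[^\s<>"]+')  # simplified URI extractor (assumption)


def sample(subject, body, pdf=True):
    """Build a constructed test message; not real mail."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if pdf:
        msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                           subtype="pdf", filename="doc.pdf")
    return msg


def evaluate(msg, body_re=RIGHT):
    """Emulate: meta LA5 (__LA5B && !__LA5T && __LA5P)."""
    texts, has_pdf = [str(msg.get("Subject", ""))], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "application/pdf":
            has_pdf = True                     # __LA5P
        elif ctype.startswith("text/"):
            texts.append(part.get_content())
    rendered = "\n".join(texts)                # subject is searched with the body
    la5b = bool(body_re.search(rendered))      # __LA5B
    la5t = any(TRUSTED.search(u) for u in URI.findall(rendered))  # __LA5T
    return la5b and not la5t and has_pdf


if __name__ == "__main__":
    cases = [("hi", "lalalalala http://example.com/a"),
             ("lalalalala", "see http://example.com/a"),
             ("hi", "lalalalala http://www.trusted.net/a")]
    for subject, body in cases:
        msg = sample(subject, body)
        print(subject, "|", body, "->", evaluate(msg), evaluate(msg, WRONG))
```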




Re: Spam rule

Posted by John Hardin <jh...@impsec.org>.
On Thu, 6 Jun 2013, Daniel McDonald wrote:

> On 6/6/13 4:23 PM, "Rejaine Monteiro" <re...@bhz.jamef.com.br> wrote:
>
>>    Hi list,
>>
>>  How can I make a rule to do something like this:  block messages
>
> For the pedantic, SpamAssassin doesn't block mail.  It marks it.  Whether
> you block mail that has been marked with some other process is up to you...
>
>> with body or
>> subject contains  'lalalalala'   AND url  with PDF  NOT contains 'trusted.net'
>
> body    __LALA_B  /la{5}/
> header  __LALA_H Subject =~ /la{5}/

Not needed, the subject is automatically included in the body.

Agree it should be /(?:la){5}/, but as that's just a placeholder, that 
optimization shouldn't have been offered. It's a confusing optimization 
for someone asking about RE basics.

> header  __LALA_TRUST Received =~ /192\.162\.101\.\d{1,3}/
> meta    MY_LALA  (__LALA_B || __LALA_H) && __HAS_ANY_URI && __PDF_ATTACH &&
> !__LALA_TRUST
> score   MY_LALA 5.0

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The fetters imposed on liberty at home have ever been forged out
   of the weapons provided for defense against real, pretended, or
   imaginary dangers from abroad.               -- James Madison, 1799
-----------------------------------------------------------------------
  Today: the 69th anniversary of D-Day

Re: Spam rule

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2013-06-10 at 09:55 -0700, Brent Gardner wrote:
> > For basics of writing SA rules, maybe look at
> > http://wiki.apache.org/spamassassin/WritingRules

> Where's a good place to look if I want to go beyond the basics?

The docs [1], lurking on this list, and possibly having a look at the
stock rules.

> The page listed above or copies of it flood google results.
> 
> Example: For a long time I didn't know one could use || and ! in metas.

Which is a prime example for reading the docs. :)

> Optimizations like (?:) instead of (), {1,100} instead of *, a single 
> rule with lots of alternate word matches instead of several rules each 
> matching one word, etc.

And that's being discussed in here about any time someone asks for
specific RE help...


[1] http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Spam rule

Posted by Brent Gardner <bg...@gmail.com>.
On 06/06/2013 03:26 PM, Wolfgang Zeikat wrote:
> In an older episode, on 2013-06-07 00:17, Rejaine Monteiro wrote:
>>
>> tala was only an example, thanks for the tip, I will test here
>
> For basics of writing SA rules, maybe look at
> http://wiki.apache.org/spamassassin/WritingRules
>
> Hope this helps,
>
> wolfgang
>
>

(Gah, replied to individual instead of list.)

Somewhat off topic:

Where's a good place to look if I want to go beyond the basics?

The page listed above or copies of it flood google results.

Example: For a long time I didn't know one could use || and ! in metas.

Optimizations like (?:) instead of (), {1,100} instead of *, a single 
rule with lots of alternate word matches instead of several rules each 
matching one word, etc.

Thx


Brent Gardner




Re: Spam rule

Posted by Wolfgang Zeikat <wo...@desy.de>.
In an older episode, on 2013-06-07 00:17, Rejaine Monteiro wrote:
> 
> tala was only an example, thanks for the tip, I will test here

For basics of writing SA rules, maybe look at
http://wiki.apache.org/spamassassin/WritingRules

Hope this helps,

wolfgang



Re: Spam rule

Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
tala was only an example, thanks for the tip, I will test here

On 06-06-2013 19:14, Wolfgang Zeikat wrote:
> Hi,
>
> In an older episode, on 2013-06-06 23:54, Daniel McDonald wrote:
>
>>> with body or subject contains 'lalalalala'   AND url  with PDF  NOT 
>>> contains 'trusted.net'
>>
>> body    __LALA_B  /la{5}/
>> header  __LALA_H Subject =~ /la{5}/
>
> shouldn't that be
> /(la){5}/
> ???
>
> I think /la{5}/ would match
> laaaaa instead of lalalalala ...
>
> Cheers,
>
> wolfgang
>
>


-- 
Rejaine da Silveira Monteiro
IT Support
Jamef Encomendas Urgentes
Headquarters - Contagem/MG
Tel: (31) 2102-8854
www.jamef.com.br


Re: Spam rule

Posted by Daniel McDonald <da...@austinenergy.com>.


On 6/6/13 5:14 PM, "Wolfgang Zeikat" <wo...@desy.de> wrote:

> Hi,
> 
> In an older episode, on 2013-06-06 23:54, Daniel McDonald wrote:
> 
>>> with body or 
>>> subject contains  'lalalalala'   AND url  with PDF  NOT contains
>>> 'trusted.net'
>> 
>> body    __LALA_B  /la{5}/
>> header  __LALA_H Subject =~ /la{5}/
> 
> shouldn't that be
> /(la){5}/

Well, more properly /(?:la){5}/

> 
> I think /la{5}/ would match
> laaaaa instead of lalalalala ...

Quite right...



Re: Spam rule

Posted by Wolfgang Zeikat <wo...@desy.de>.
Hi,

In an older episode, on 2013-06-06 23:54, Daniel McDonald wrote:

>> with body or 
>> subject contains  'lalalalala'   AND url  with PDF  NOT contains 'trusted.net'
> 
> body    __LALA_B  /la{5}/
> header  __LALA_H Subject =~ /la{5}/

shouldn't that be
/(la){5}/
???

I think /la{5}/ would match
laaaaa instead of lalalalala ...

Cheers,

wolfgang



Re: Spam rule

Posted by Daniel McDonald <da...@austinenergy.com>.
On 6/6/13 4:23 PM, "Rejaine Monteiro" <re...@bhz.jamef.com.br> wrote:

>    Hi list, 
>  
>  How can I make a rule to do something like this:  block messages

For the pedantic, SpamAssassin doesn't block mail.  It marks it.  Whether
you block mail that has been marked with some other process is up to you...

> with body or 
> subject contains  'lalalalala'   AND url  with PDF  NOT contains 'trusted.net'

body    __LALA_B  /la{5}/
header  __LALA_H Subject =~ /la{5}/
header  __LALA_TRUST Received =~ /192\.162\.101\.\d{1,3}/
meta    MY_LALA  (__LALA_B || __LALA_H) && __HAS_ANY_URI && __PDF_ATTACH && !__LALA_TRUST
score   MY_LALA 5.0


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281