Posted to users@spamassassin.apache.org by Mike Kenny <in...@gmail.com> on 2007/11/02 13:14:39 UTC

New (to me) spam pattern

I have a number of users that are receiving spam of varying types. The only
common factor is the from address. This looks like

from=<dw...@sX.com>

where sX.com looks like it is a genuine site name, e.g.
shibatec.com
southstreetfinancial.com
skiprockmultimedia.com

etc.

What I need (I think) is a perl regex that will match the above pattern. This
is beyond my experience, can anybody assist me?
Or offer another alternative to block these spams?

thanks

mike

Re: New (to me) spam pattern

Posted by "John D. Hardin" <jh...@impsec.org>.
On Sat, 3 Nov 2007, Chris Edwards wrote:

> On Fri, 2 Nov 2007, Mike Kenny wrote:
> 
> | Thanks John, I had tried this. It appears that the \1 is
> | not defined within the pattern. Only for substitution?
> 
> The regex John posted is fine in SA.
> 
>   /<dw(\S+)\@\1\.com>/
> 
> Mike, what's going wrong for you ?  A lint error ?  Failure to
> match ?

Confirmed, now that I've had a chance to test it.

Here's a slightly stricter version:

  header XX From =~ /<dw([^\s\@>]{1,40})\@\1\.com>/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 Tomorrow: Daylight Saving Time ends in U.S. - Fall Back
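
Added example, not part of the thread and not code from any poster: a stand-alone Perl script that runs the two patterns quoted above against constructed From headers. It shows that \1 is resolved inside a match (not only in a substitution) and where the stricter rule behaves differently from the first one. All sample addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns from the thread, compiled as ordinary Perl match regexes.
# \1 refers back to whatever the first capture group matched, so the text
# after "dw" in the local part must reappear as the domain label.
my %rules = (
    loose  => qr/<dw(\S+)\@\1\.com>/,
    strict => qr/<dw([^\s\@>]{1,40})\@\1\.com>/i,
);

# Constructed From headers (not taken from real mail).
my @samples = (
    'From: "Sales" <dwshibatec@shibatec.com>',   # shape described in the thread
    'From: <dwSkipRock@skiprock.com>',            # same shape, mixed case
    'From: Dwight <dwight@example.com>',          # ordinary address starting "dw"
    'From: <dwshibatec@shibatec.net>',            # label repeats, but not .com
    'From: <dwshibatec@mail.shibatec.com>',       # label not directly after "@"
);

for my $header (@samples) {
    # Collect the names of the rules that fire on this header.
    my @hits = grep { $header =~ $rules{$_} } sort keys %rules;
    printf "%-45s %s\n", $header, @hits ? join(',', @hits) : 'no match';
}
```

Inside SpamAssassin the same pattern goes on a `header` line in a local rules file as shown in the posts; `spamassassin --lint` checks that file for syntax errors.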


Re: New (to me) spam pattern

Posted by Chris Edwards <ch...@eng.gla.ac.uk>.
On Fri, 2 Nov 2007, Mike Kenny wrote:

| Thanks John, I had tried this. It appears that the \1 is not defined within
| the pattern. Only for substitution?

Hi,

The regex John posted is fine in SA.

  /<dw(\S+)\@\1\.com>/

Mike, what's going wrong for you ?  A lint error ?  Failure to match ?

Re: New (to me) spam pattern

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 2 Nov 2007, Mike Kenny wrote:

> Thanks John, I had tried this. It appears that the \1 is not
> defined within the pattern. Only for substitution?

It should work within perl match REs per "man perlre". I'm not sure 
how SA changes that context.

You might also try:

  /<dw(\S+)\@$+\.com>/

but I'm less confident $+ will work in a match (vs. a substitution).

> On 11/2/07, John D. Hardin <jh...@impsec.org> wrote:
>
> >   header XX From =~ /<dw(\S+)\@\1\.com>/



Re: New (to me) spam pattern

Posted by Mike Kenny <in...@gmail.com>.
Thanks John, I had tried this. It appears that the \1 is not defined within
the pattern. Only for substitution?

mike

On 11/2/07, John D. Hardin <jh...@impsec.org> wrote:
>
> On Fri, 2 Nov 2007, Mike Kenny wrote:
>
> > I have a number of users that are receiving spam of varying types. The only
> > common factor is the from address. This looks like
> >
> > from=<dw...@sX.com>
> >
> > where sX.com looks like it is a genuine site name, e.g.
> > shibatec.com
> > southstreetfinancial.com
> > skiprockmultimedia.com
> >
> > etc.
> >
> > What I need (I think) is a perl regex that will match the above
> > pattern. This is beyond my experience, can anybody assist me?
>
> Backreferences.
>
> Try this - I haven't had a chance to test it yet:
>
>   header XX From =~ /<dw(\S+)\@\1\.com>/
>

Re: New (to me) spam pattern

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 2 Nov 2007, Mike Kenny wrote:

> I have a number of users that are receiving spam of varying types. The only
> common factor is the from address. This looks like
> 
> from=<dw...@sX.com>
> 
> where sX.com looks like it is a genuine site name, e.g.
> shibatec.com
> southstreetfinancial.com
> skiprockmultimedia.com
> 
> etc.
> 
> What I need (I think) is a perl regex that will match the above
> pattern. This is beyond my experience, can anybody assist me?

Backreferences.

Try this - I haven't had a chance to test it yet:

  header XX From =~ /<dw(\S+)\@\1\.com>/
