Posted to users@spamassassin.apache.org by Mike Kenny <in...@gmail.com> on 2007/11/02 13:14:39 UTC
New (to me) spam pattern
I have a number of users that are receiving spam of varying types. The only
common factor is the from address. This looks like
from=<dw...@sX.com>
where sX.com looks like it is a genuine site name, e.g.
shibatec.com
southstreetfinancial.com
skiprockmultimedia.com
etc.
What I need (I think) is a perl regex that will match the above pattern. This
is beyond my experience, can anybody assist me?
Or offer another alternative to block these spams?
thanks
mike
Re: New (to me) spam pattern
Posted by "John D. Hardin" <jh...@impsec.org>.
On Sat, 3 Nov 2007, Chris Edwards wrote:
> On Fri, 2 Nov 2007, Mike Kenny wrote:
>
> | Thanks John, I had tried this. It appears that the \1 is
> | not defined within the pattern. Only for substitution?
>
> The regex John posted is fine in SA.
>
> /<dw(\S+)\@\1\.com>/
>
> Mike, what's going wrong for you ? A lint error ? Failure to
> match ?
Confirmed, now that I've had a chance to test it.
Here's a slightly stricter version:
header XX From =~ /<dw([^\s\@>]{1,40})\@\1\.com>/i
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Tomorrow: Daylight Saving Time ends in U.S. - Fall Back
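Added example (not part of the thread, and not SpamAssassin's own code): a standalone Perl script that runs the two patterns posted in this thread as ordinary match regexes. It shows that \1 is usable inside a match and where the stricter version behaves differently. The From: values are constructed for illustration, following the shape the rules target.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns from the thread, compiled as plain Perl match regexes.
# In SpamAssassin they would sit in a rule such as: header XX From =~ /.../
my %rules = (
    loose  => qr/<dw(\S+)\@\1\.com>/,
    strict => qr/<dw([^\s\@>]{1,40})\@\1\.com>/i,
);

# Constructed From: header values (not taken from real mail).
my @samples = (
    'Some Name <dwshibatec@shibatec.com>',    # local part is "dw" + domain label
    'Some Name <DWShibatec@shibatec.COM>',    # same shape, mixed case
    'Dwight <dwight@example.com>',            # ordinary address starting "dw"
    '<dwfoo@bar@foo@bar.com>',                # malformed: repeated part contains "@"
    '<dw' . ('a' x 41) . '@' . ('a' x 41) . '.com>',    # label longer than 40 chars
);

for my $from (@samples) {
    # Collect the names of the rules whose regex matches this header value.
    my @hits = grep { $from =~ $rules{$_} } sort keys %rules;
    printf "%-45.45s  %s\n", $from, @hits ? join(',', @hits) : 'no match';
}
```

The mixed-case, embedded-"@" and overlong samples are the ones on which the two rules disagree; the ordinary "dwight" address matches neither, because the text after "dw" must repeat as the domain label.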
Re: New (to me) spam pattern
Posted by Chris Edwards <ch...@eng.gla.ac.uk>.
On Fri, 2 Nov 2007, Mike Kenny wrote:
| Thanks John, I had tried this. It appears that the \1 is not defined within
| the pattern. Only for substitution?
Hi,
The regex John posted is fine in SA.
/<dw(\S+)\@\1\.com>/
Mike, what's going wrong for you ? A lint error ? Failure to match ?
Re: New (to me) spam pattern
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 2 Nov 2007, Mike Kenny wrote:
> Thanks John, I had tried this. It appears that the \1 is not
> defined within the pattern. Only for substitution?
It should work within perl match REs per "man perlre". I'm not sure
how SA changes that context.
You might also try:
/<dw(\S+)\@$+\.com>/
but I'm less confident $+ will work in a match (vs. a substitution).
> On 11/2/07, John D. Hardin <jh...@impsec.org> wrote:
>
> > header XX From =~ /<dw(\S+)\@\1\.com>/
Re: New (to me) spam pattern
Posted by Mike Kenny <in...@gmail.com>.
Thanks John, I had tried this. It appears that the \1 is not defined within
the pattern. Only for substitution?
mike
On 11/2/07, John D. Hardin <jh...@impsec.org> wrote:
>
> On Fri, 2 Nov 2007, Mike Kenny wrote:
>
> > I have a number of users that are receiving spam of varying types. The only
> > common factor is the from address. This looks like
> >
> > from=<dw...@sX.com>
> >
> > where sX.com looks like it is a genuine site name, e.g.
> > shibatec.com
> > southstreetfinancial.com
> > skiprockmultimedia.com
> >
> > etc.
> >
> > What I need (I think) is a perl regex that will match the above
> > pattern. This is beyond my experience, can anybody assist me?
>
> Backreferences.
>
> Try this - I haven't had a chance to test it yet:
>
> header XX From =~ /<dw(\S+)\@\1\.com>/
>
Re: New (to me) spam pattern
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 2 Nov 2007, Mike Kenny wrote:
> I have a number of users that are receiving spam of varying types. The only
> common factor is the from address. This looks like
>
> from=<dw...@sX.com>
>
> where sX.com looks like it is a genuine site name, e.g.
> shibatec.com
> southstreetfinancial.com
> skiprockmultimedia.com
>
> etc.
>
> What I need (I think) is a perl regex that will match the above
> pattern. This is beyond my experience, can anybody assist me?
Backreferences.
Try this - I haven't had a chance to test it yet:
header XX From =~ /<dw(\S+)\@\1\.com>/