Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SpamAssassin: users

***Possible SPAM*** Re: regex needed for http link

 

 

SpamAssassin users RSS feed   Index | Next | Previous | View Threaded


joea at j4computers

May 17, 2012, 3:03 PM

Post #1 of 3 (380 views)
Permalink
***Possible SPAM*** Re: regex needed for http link

>>> On 5/17/2012 at 9:55 AM, John Hardin <jhardin [at] impsec> wrote:
> On Wed, 16 May 2012, Joseph Acquisto wrote:
>
>>>>> On 5/16/2012 at 8:53 PM, "Joseph Acquisto" <joea [at] j4computers> wrote:
>>>>>> On 5/16/2012 at 5:18 PM, Brent Gardner <bgardnermailinglists [at] gmail> wrote:
>>>>
>>>> How about:
>>>>
>>>> /\.ru\b/i
>>>
>>> I will give that a try.
>>
>> That worked. But I imagine it may trigger on innocuous instances of .ru as
> well, so it should also include check for http:// and wildcard for domain.
>
> What were you doing that _didn't_ detect that? The "proper" way is this:
>
> uri URI_DOT_RU /\.ru\b/i
>
> ...and let the body parser figure out the "link" context.
>
> Is there some reason that won't work?
>
> Could you post the rule you were originally using?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
>

I attempted to adapt something from a similar regex provided by a vendor
of a commercial product. It was to detect country codes we do not want
to accept mail from. No doubt my ignorance of SA and regex in general
will be on display for the amusement of many.

rawbody URI_RU m,^https?://[^.\.][ru]/,i


joe a.


jhardin at impsec

May 17, 2012, 3:16 PM

Post #2 of 3 (362 views)
Permalink
Re: ***Possible SPAM*** Re: regex needed for http link [In reply to]

On Thu, 17 May 2012, Joseph Acquisto wrote:

> I attempted to adapt something from a similar regex provided by a vendor
> of a commercial product. It was to detect country codes we do not want
> to accept mail from. No doubt my ignorance of SA and regex in general
> will be on display for the amusement of many.
>
> rawbody URI_RU m,^https?://[^.\.][ru]/,i

heh. Yeah, that won't work. "[]" means a character class, one character
that matches anything within the square brackets.

What the above RE says is:

blah blah blah // (not-period OR period) (r OR u) /

...so it would match, for example:

https://.r/
https://.u/

but never:

https://{anything}.ru/

And you actually had success testing that from the command line?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Justice is justice, whereas "social justice" is code for one set
of rules for the rich, another for the poor; one set for whites,
another set for minorities; one set for straight men, another for
women and gays. In short, it's the opposite of actual justice.
-- Burt Prelutsky
-----------------------------------------------------------------------
2 days until SpaceX Dragon first mission to ISS


joea at j4computers

May 17, 2012, 4:05 PM

Post #3 of 3 (363 views)
Permalink
Re: ***Possible SPAM*** Re: regex needed for http link [In reply to]

>>> On 5/17/2012 at 6:16 PM, John Hardin <jhardin [at] impsec> wrote:
> On Thu, 17 May 2012, Joseph Acquisto wrote:
>
>> I attempted to adapt something from a similar regex provided by a vendor
>> of a commercial product. It was to detect country codes we do not want
>> to accept mail from. No doubt my ignorance of SA and regex in general
>> will be on display for the amusement of many.
>>
>> rawbody URI_RU m,^https?://[^.\.][ru]/,i
>
> heh. Yeah, that won't work. "[]" means a character class, one character
> that matches anything within the square brackets.
>
> What the above RE says is:
>
> blah blah blah // (not-period OR period) (r OR u) /
>
> ...so it would match, for example:
>
> https://.r/
> https://.u/
>
> but never:
>
> https://{anything}.ru/
>
> And you actually had success testing that from the command line?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

I believe so. It was weeks ago that I did that (then comment it out, intending to get back to it).

I won't be able to focus on this for a while. I forgot we are having a social gathering tonight.
Sigh. Sometimes that sort of thing has to happen.

joe a.

SpamAssassin users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.