spam assassin rule to block a From address

Kai Risku Kai.Risku at arrak.fi
Fri Oct 14 11:32:03 CEST 2016


There are many good tutorials on regular expressions on the net. Just google and start reading.. :)

The "[..]" construct is called a character class, and contains a set of characters or character ranges that should match a single character in the source. So "[0-9a-f]" matches a single character that is either a digit 0-9 or a letter a-f (those example addresses looked suspiciously like hexadecimal strings as there were no letters above f).

The "{..}" construct is a quantifier that says how many times the previous token should match (similar to how + matches one or more times and * matches zero or more times). In this case the quantifier "{16,}" means the preceding token (a hexadecimal digit) should be repeated 16 times or more.

So my example rule will only match if the email address starts with "airecom162+" followed by 16 or more hexadecimal characters just before the @-sign. 

--
Kai.Risku at arrak.fi     GSM  +358-40-767 8282
Oy Arrak Software Ab   http://www.arrak.fi



-----Original Message-----
From: Indunil Jayasooriya [mailto:indunil75 at gmail.com] 
Sent: Friday, October 14, 2016 11:56 AM
To: Kai Risku <Kai.Risku at arrak.fi>
Cc: amavis-users at amavis.org
Subject: Re: spam assassin rule to block a From address

On Fri, Oct 14, 2016 at 1:59 PM, Kai Risku <Kai.Risku at arrak.fi> wrote:
> There is a small chance of false positives, i.e. you are catching *all* email addresses beginning with airecom612. You could be a bit more specific and require a hexadecimal string of at least 16 characters also:
>
>         header SPAM11OctF1      From:addr =~ /^airecom612\+[0-9a-f]{16,}\@/i

Thanks for your fast response.

I am trying to understand the above.

0-9 a single character in the range between 0 and 9

a-f a single character in the range between a and f. Anything
beyond f (i.e. g to z) will NOT be caught.

what about this?

^airecom612\+[0-9a-z]{16,}\@


Now how can I realize {16,}?

How does {16,} work?


I expect your response.





> --
> Kai.Risku at arrak.fi     GSM  +358-40-767 8282
> Oy Arrak Software Ab   http://www.arrak.fi
>
>
>
> -----Original Message-----
> From: Indunil Jayasooriya [mailto:indunil75 at gmail.com]
> Sent: Friday, October 14, 2016 11:03 AM
> To: Kai Risku <Kai.Risku at arrak.fi>
> Cc: amavis-users at amavis.org
> Subject: Re: spam assassin rule to block a From address
>
>> Appending the modifier “:addr” to a header name will remove everything from
>> that header except the first email address. If you are using an anchored
>> regexp on the email address, then the From:addr test should work, i.e.
>>
>>
>>
>>                 header SPAM11OctF1   From:addr =~ /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>>
>
> Thanks. Now I get mails beginning with  "airecom612"
>
>
> Pls see below
>
>
> airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net
> airecom612+eceaaa167743dd4a58b54bdb17ef86c4 at holistictips.net
> airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net
>
>
> So I have changed the rule in this way. Pls see below (this time, i.e.
> /^airecom612.*\@/i).
>
> file /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf
>
>
> header SPAM11OctF2 From:addr =~ /^airecom612.*\@/i
> describe SPAM11OctF2 From address begin with the word airecom612@
> score SPAM11OctF2 10.0
>
>
> Hope. this will catch the PATTERN beginning with  "airecom612".
>
>
> your comments on this ?
>
>
>
>>
>> But you are otherwise on to something there. If the airecom -address is not
>> in the visible From: -line (“From: “), but instead in the Envelope sender
>> (i.e. the “From “ line), then you should use the pseudoheader EnvelopeFrom
>> in the SA test:
>>
>>
>>
>>                 header SPAM11OctF1   EnvelopeFrom =~ /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>>
>>
>>
>> The EnvelopeFrom pseudoheader contains just the email address without any
>> surrounding < >.
>
> I have never known it before. Thanks for your effort. Well done. your
> effort never went to recycle bin since I realized it.
>>
>> man Mail::SpamAssassin::Conf is your friend.
>>
>
> Thanks for this man command.
>
>
>
>
>> --
>> Kai.Risku at arrak.fi     GSM  +358-40-767 8282
>> Oy Arrak Software Ab   http://www.arrak.fi
>>
>>
>>
>>
>> From: amavis-users
>> [mailto:amavis-users-bounces+kai.risku=arrak.fi at amavis.org] On Behalf Of
>> @lbutlr
>> Sent: Thursday, October 13, 2016 11:43 AM
>> To: amavis-users at amavis.org
>> Subject: Re: spam assassin rule to block a From address
>>
>>
>>
>> On Oct 13, 2016, at 2:12 AM, Indunil Jayasooriya <indunil75 at gmail.com>
>> wrote:
>>
>> what's the difference between From and From:addr ?
>>
>>
>>
>> Isn’t From the “From “ and From:addr the “From:”?
>>
>>
>
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/
> http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts
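
The four patterns discussed in this thread, compared side by side on sample sender addresses. This is an added example, not code from the posts or from SpamAssassin: it uses Python's `re` (same syntax as Perl for these patterns) and approximates the `:addr` modifier with `email.utils.getaddresses`. The pattern labels, function names and sample addresses are assumptions made for illustration.

```python
import re
from email.utils import getaddresses

# Patterns quoted in the thread; the /i flag becomes re.IGNORECASE.
# The dictionary keys are labels made up for this example.
PATTERNS = {
    "exact":   r"^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@",
    "broad":   r"^airecom612.*\@",
    "hex16":   r"^airecom612\+[0-9a-f]{16,}\@",
    "alnum16": r"^airecom612\+[0-9a-z]{16,}\@",
}

def first_addr(from_header):
    """Approximate the :addr modifier: keep only the first email address."""
    parsed = getaddresses([from_header])
    return parsed[0][1] if parsed else ""

def hits(from_header):
    """Return the sorted labels of every pattern matching the sender address."""
    addr = first_addr(from_header)
    return sorted(name for name, rx in PATTERNS.items()
                  if re.search(rx, addr, re.IGNORECASE))

# Constructed sample headers: the first two local parts are the ones reported
# in the thread, everything else (domains, other senders) is invented.
SAMPLES = [
    '"Health Tips" <airecom612+97d7d60a91d9695c9a4240f92d5c3cae@example.net>',
    "AIRECOM612+ECEAAA167743DD4A58B54BDB17EF86C4@example.net",
    "airecom612@example.org",                       # unrelated user, no tag
    "airecom612+weeklynewsletter2016@example.org",  # 20 chars, not hex
    "airecom612+97d7d60a91d9695@example.net",       # only 15 hex digits
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{first_addr(header):60} {hits(header)}")
```

Only the `hex16` pattern catches both reported senders while leaving the three invented addresses alone; `broad` hits every sample and `alnum16` also hits the 20-character non-hexadecimal tag.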

