spam assassin rule to block a From address

Indunil Jayasooriya indunil75 at gmail.com
Fri Oct 14 12:09:01 CEST 2016 

> The "[..]" construct is called a character class, and contains a set of characters or character ranges that should match a single character in the source. So "[0-9a-f]" matches a single character that is either a digit 0-9 or a letter a-f (those example addresses looked suspiciously like hexadecimal strings as there were no letters above f).

Yes. you are right.

I checked all email addresses begin with "airecom612+" . there were no
letters beyond f.


> The "{..}" construct is a quantifier that say how many times the previous token should match (similar to how + matches one or more times and * matches zero or more times). In this case the quantifier "{16,}" means the preceding token (a hexadecimal digit) should be repeated 16 times or more.
>
> So my example rule will only match if the email address starts with "airecom162+" followed by 16 or more hexadecimal characters just before the @-sign.

Thanks. I realized it.  I went https://regex101.com and checked.


more than 16 are matched. (below email address)

airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net


16 are matched.

airecom612+97d7d60a91d9695c at therealizationofhealth.net


below 16 are NOT matched. ( in this case 15 )

airecom612+97d7d60a91d9695 at therealizationofhealth.net

I realized everything.

Thanks for your tuition class. I feel pretty  happy. Have a happy day.
what a meritorious deed.



>
> --
> Kai.Risku at arrak.fi     GSM  +358-40-767 8282
> Oy Arrak Software Ab   http://www.arrak.fi
>
>
>
> -----Original Message-----
> From: Indunil Jayasooriya [mailto:indunil75 at gmail.com]
> Sent: Friday, October 14, 2016 11:56 AM
> To: Kai Risku <Kai.Risku at arrak.fi>
> Cc: amavis-users at amavis.org
> Subject: Re: spam assassin rule to block a From address
>
> On Fri, Oct 14, 2016 at 1:59 PM, Kai Risku <Kai.Risku at arrak.fi> wrote:
>> There is a small chance of false positives, i.e. you are catching *all* email addresses beginning with airecom612. You could be a bit more specific and require a hexadecimal string of at least 16 characters also:
>>
>>         header SPAM11OctF1      From:addr ~= /^airecom612\+[0-9a-f]{16,}\@/i
>
> thanks for your fast response.
>
> I am trying to understand the above.
>
> 0-9 a single character in the range between 0 and 9
>
> a-f a single character in the range between a and f . If anything
> beyond f (i .e - g to z  will NOT catch)
>
> what about this?
>
> ^airecom612\+[0-9a-z]{16,}\@
>
>
> now how can realize {16,}?
>
> How does {16,} work?
>
>
> I expect your response.
>
>
>
>
>
>> --
>> Kai.Risku at arrak.fi     GSM  +358-40-767 8282
>> Oy Arrak Software Ab   http://www.arrak.fi
>>
>>
>>
>> -----Original Message-----
>> From: Indunil Jayasooriya [mailto:indunil75 at gmail.com]
>> Sent: Friday, October 14, 2016 11:03 AM
>> To: Kai Risku <Kai.Risku at arrak.fi>
>> Cc: amavis-users at amavis.org
>> Subject: Re: spam assassin rule to block a From address
>>
>>> Appending the modifier “:addr” to a header name will remove everything from
>>> that header except the first email address. If you are using an anchored
>>> regexp on the email address, then the From:addr test should work, i.e.
>>>
>>>
>>>
>>>                 header SPAM11OctF1   From:addr ~=
>>> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>>>
>>
>> Thanks. Now I get mails beginning with  "airecom612"
>>
>>
>> Pls see below
>>
>>
>> airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net
>> airecom612+eceaaa167743dd4a58b54bdb17ef86c4 at holistictips.net
>> airecom612+97d7d60a91d9695c9a4240f92d5c3cae at therealizationofhealth.net
>>
>>
>> So I have changed the rule in this way. pls see below. ( this time i.e
>> -   /^airecom612.*\@/i )
>>
>> file /etc/mail/spamassassin/SPAM_11Oct2016_From_1.cf
>>
>>
>> header SPAM11OctF2 From:addr =~ /^airecom612.*\@/i
>> describe SPAM11OctF2 From address begin with the word airecom612@
>> score SPAM11OctF2 10.0
>>
>>
>> Hope. this will catch the PATTERN beginning with  "airecom612".
>>
>>
>> your comments on this ?
>>
>>
>>
>>>
>>> But you are otherwise on to something there. If the airecom -address is not
>>> in the visible From: -line (“From: “), but instead in the Envelope sender
>>> (i.e. the “From “ line), then you should use the pseudoheader EnvelopeFrom
>>> in the SA test:
>>>
>>>
>>>
>>>                 header SPAM11OctF1   EnvelopeFrom ~=
>>> /^airecom612\+97d7d60a91d9695c9a4240f92d5c3cae\@/i
>>>
>>>
>>>
>>> The EnvelopeFrom pseudoheader contains just the email address without any
>>> surrounding < >.
>>
>> I have never known it before. Thanks for your effort. Well done. your
>> effort never went to recycle bin since I realized it.
>>>
>>> man Mail::SpamAssassin::Conf is your friend.
>>>
>>
>> Thanks for this man command.
>>
>>
>>
>>
>>> --
>>> Kai.Risku at arrak.fi     GSM  +358-40-767 8282
>>> Oy Arrak Software Ab   http://www.arrak.fi
>>>
>>>
>>>
>>>
>>> From: amavis-users
>>> [mailto:amavis-users-bounces+kai.risku=arrak.fi at amavis.org] On Behalf Of
>>> @lbutlr
>>> Sent: Thursday, October 13, 2016 11:43 AM
>>> To: amavis-users at amavis.org
>>> Subject: Re: spam assassin rule to block a From address
>>>
>>>
>>>
>>> On Oct 13, 2016, at 2:12 AM, Indunil Jayasooriya <indunil75 at gmail.com>
>>> wrote:
>>>
>>> what's the difference between From and From:addr ?
>>>
>>>
>>>
>>> Isn’t From the “From “ and From:addr the “From:”?
>>>
>>>
>>
>>
>>
>> --
>> cat /etc/motd
>>
>> Thank you
>> Indunil Jayasooriya
>> http://www.theravadanet.net/
>> http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts
>
>
>
> --
> cat /etc/motd
>
> Thank you
> Indunil Jayasooriya
> http://www.theravadanet.net/
> http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts



-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts

More information about the amavis-users mailing list