spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Stead <paul.st...@zeninternet.co.uk>
Subject Re: rule for repeated tracking numbers
Date Wed, 06 Aug 2014 14:37:47 GMT
I've been having a play with the two rules mentioned, this seems to work
for me:

header __LOC_DIGITS_FROM From:name =~ /\.\d{7,8}$/
body __LOC_DIGITS_CONFUSER /  (\d){7,8} .{1,250} ([0-9a-f]{32})
.{1,250}[\g1|\g2].{1,250}[\g1|\g2]/

Joining these together in a meta rule seems to be picking up the emails
I expect them to.

On 05/08/14 19:40, Andy Balholm wrote:
> On Aug 5, 2014, at 11:16 AM, John Hardin <jhardin@impsec.org> wrote:
>
>> It can hit on embedded phone numbers, which are, strictly speaking, valid hexadecimal
strings...
>> I suspect it's hitting on all those dates as well, and needs some more tightening.
> In the spams I’m looking at, all the hex strings are 32 characters. How long were they
in Joe’s samples (no longer on pastebin)?
>
> Joe was concerned about the performance of my regex (because of all the .*’s), but
it can search through my /var/mail in 5 seconds; the __HEXHASHWORD_S2EU regex takes over 9.

--
Paul Stead
Systems Engineer
Zen Internet

Mime
View raw message