Hi Scott, Did you ever figure this out? I'm no regex wiz like Thomas is, but what you have appears pretty simple to me -- and I don't see anything wrong with it... I tried
from\:.*\_ in testRE and see it matching everything too. I don't understand why. I know this doesn't help you with why this is happening, but figured that it would at least help to hear that you're not the only one whose system generates that result. On Wed, Jun 1, 2022 at 5:32 PM Scott MacLean <a...@hollsco.com> wrote: > I've been seeing a bunch of spam getting through my filter recently, and > they all have the same thing in common: an underscore at the beginning > of the "From" and/or "Subject" lines. This should be really easy to pick > up with bombHeaderRe, but something's not working. > > Here's an example of the spam I'm seeing: > > From:_Male Health <support-team_0rk47mtncmz9bfpalcklzzn...@offer.market.ca > > > Subject:_Size matters and we can help > > Sometimes there is a space in between the colon and the underscore, > usually there is not. > > Here is the regex I added to my bombHeaderRe: > > From\:.*\_=>60 > Subject\:.*\_=>60 > > However, I quickly realized that this was tagging EVERY email coming > through the server! For instance, here's an email: > > From: Readly <rea...@news.readly.com> > > And looking at mail analysis, it's being caught by this regex, even > though there is no underscore: > > BombHeader RE: 'highest match: "(matchlength:84) From: Readly > <readly@news.readly" with valence: 60 - PB value = 60' > matching bombHeaderRe(file:files/bombheaderre.txt[line 188]): 'From\:.*_' > > Any idea what's going wrong and causing this? > > > > > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test >
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test