> ><dummyaddr...@gmx.de> to: recipi...@mydomain Regex:BlackRe 'PB 20: for > [!empty!]' > As you can see, 'blackRe' hits - not any of the above!
Thank you for pointing me there! For some reason my string in blackRe ended with '|\b' which makes no sense. Deleted '|' and everything has been quiet since then. I was obviously misled by the fact that those [!empty!] hits were only logged with versions of ASSP > 2.0.0-1.0.07. Best regards Dirk > -----Ursprüngliche Nachricht----- > Von: Thomas Eckardt [mailto:thomas.ecka...@thockar.com] > Gesendet: Freitag, 9. Juli 2010 06:52 > An: ASSP development mailing list > Betreff: Re: [Assp-test] BombBlack hits good mail > > Hi Dirk, > > >I use bombre.txt for ... > > >bombHeaderRe:=file:files/bombre.txt > >bombSubjectRe:=file:files/bombre.txt > >bombRe:=file:files/bombre.txt > >bombDataRe:=file:files/bombre.txt > > This config does not make sense, because the same regex is processed > four times. Only use bombre.txt for 'bombre' (this checks the complete > mail), leave the othes empty. > > ><dummyaddr...@gmx.de> to: recipi...@mydomain Regex:BlackRe 'PB 20: for > [!empty!]' > > As you can see, 'blackRe' hits - not any of the above! > > Try to find out where your regex for blackRe matches an empty string - > if > you can not find it, send me the regex. > > Thomas > > > > Von: "Dirk Kulmsee" <d.kulm...@netgroup.de> > An: "'ASSP development mailing list'" > <assp-test@lists.sourceforge.net> > Datum: 08.07.2010 13:44 > Betreff: Re: [Assp-test] BombBlack hits good mail > > > > Hi all, > I am afraid I need to get back to this subject again. Long story short: > old > ASSP works fine - new ASSP bombs good mail with [!empty!] hits. > > Currently I am running ASSP 2.0.2-1.0.07 and everything seems alright > with > BombBlack. Here is some log info for test emails I sent from an gmx.de > account: > > Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -4 > for > 213.165.64 in griplist (0.03), total score for this message is now -4 > Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 > for > Home Country Bonus DE (GMX GmbH), total score for this message is now - > 14 > Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain PB-IP-Score for > '213.165.64.20' > is 10, added -10 for HomeCountry-DE > Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found in header > Jul-08-10 07:54:48 68487-01934 [Worker_3] [SPF] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain [scoring] SPF: pass > (cache) > ip=213.165.64.20 mailfrom=dummyaddr...@gmx.de helo=mail.gmx.net > Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 > for > SPF pass, total score for this message is now -24 > Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found for > 'bombSuspiciousRe' > Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found for > 'bombDataRe' > and 'bombRe' > Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found for > 'bombBlack' > Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Bayesian Check [scoring] - > Prob: 0.00000 => ham > Jul-08-10 07:54:48 68487-01934 [Worker_3] [Bayesian][scoring] > 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain info: Bayesian-Check has > taken > 0 seconds > Jul-08-10 07:54:48 68487-01934 [Worker_3] [Plugin] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain ASSP_OCR: Plugin > successful > called for runlevel 'complete mail'! > Jul-08-10 07:54:48 68487-01934 [Worker_3] [MessageOK] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain message ok [Test7 nochn > Gedicht] -> /opt/assp/okmail/Test7_nochn_Gedicht--61958.eml > Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain info: no (more) data > readable > from 213.165.64.20 (connection closed by peer) - last command was > 'QUIT' > > > > But whenever I run newer versions of ASSP (2.0.2-1.1.15 in this case) > BombBlack works differently, although I do not touch my assp.cfg or > bombre.txt: > > > > Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -4 > for > 213.165.64 in griplist (0.03), total score for this message is now -4 > Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 > for > Home Country Bonus DE (GMX GmbH), total score for this message is now - > 14 > Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain PB-IP-Score for > '213.165.64.20' > is 10, added -10 for HomeCountry-DE > Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found in header > Jul-08-10 07:40:48 67648-12664 [Worker_3] [SPF] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain [scoring] SPF: pass > (cache) > ip=213.165.64.20 mailfrom=dummyaddr...@gmx.de helo=mail.gmx.net > Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 > for > SPF pass, total score for this message is now -24 > Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found for > 'bombSuspiciousRe' > Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain no Bomb found for > 'bombDataRe', 'bombRe' and 'bombCharSets' > Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Regex:BlackRe 'PB 20: for > [!empty!]' > Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain [!empty!] : (l:0) 20 , > count > : > 1 , sum : 20 , time : 0 s > Jul-08-10 07:40:49 67648-12664 [Worker_3] [BombBlack] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain (BombBlack '(l:0) (l:0) > '[!empty!] (20)'') > Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added 20 > for > BombBlack '(l:0) (l:0) '[!empty!] (20)'', total score for this message > is > now -4 > Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain PB-IP-Score for > '213.165.64.20' > is 20, added 20 for BombBlack > Jul-08-10 07:40:49 67648-12664 [Worker_3] [BombBlack] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain [spam found] (BombBlack > '(l:0) > (l:0) '[!empty!] (20)'') [Test4 mit pdf] -> > /opt/assp/discarded/12664.eml; > Jul-08-10 07:40:52 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain [SMTP Error] 554 5.7.1 > Delivery > not authorized, message refused -- . (reason: BombBlack '(l:0) (l:0) > '[!empty!] (20)'') > Jul-08-10 07:40:52 67648-12664 [Worker_3] 213.165.64.20 > <dummyaddr...@gmx.de> to: recipi...@mydomain finished message - > received > size: 0 Byte - sent size: 2.26 MByte > > > I use bombre.txt for ... > > bombHeaderRe:=file:files/bombre.txt > bombSubjectRe:=file:files/bombre.txt > bombRe:=file:files/bombre.txt > bombDataRe:=file:files/bombre.txt > > Can anyone tell, what causes this difference in behavior? How can I > find > out > why newer versions of ASSP get [!empty!] hits, where 2.0.2-1.0.07 does > not? > Any config variables I should look at? > > TIA > Dirk > > > > -----Ursprüngliche Nachricht----- > > Von: Thomas Eckardt [mailto:thomas.ecka...@thockar.com] > > Gesendet: Montag, 14. Juni 2010 09:25 > > An: ASSP development mailing list > > Betreff: Re: [Assp-test] BombBlack hits good mail > > > > >What does [!empty!] > > >mean here? > > > > > > > > [!empty!] meens - that you regex ist testing for an empty string. > like > > ^$ > > > > Thomas > > > > > > > > Von: "Dirk Kulmsee" <d.kulm...@netgroup.de> > > An: "'ASSP development mailing list'" > > <assp-test@lists.sourceforge.net> > > Datum: 09.06.2010 10:56 > > Betreff: [Assp-test] BombBlack hits good mail > > > > > > > > Hi all, > > since I upgraded from 2.0.2-1.0.06 to 2.0.2-1.1.10 (same issue with > > 2.0.2-1.1.11) I see lots of log entries like these: > > > > Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138 > > <sen...@yahoo.de> > > to: recipi...@my.domain no Bomb found in header Jun-09-10 08:37:32 > > 65451-05566 [Worker_1] 87.248.110.138 <sen...@yahoo.de> > > to: recipi...@my.domain no Bomb found for 'bombSuspiciousRe' > > Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138 > > <sen...@yahoo.de> > > to: recipi...@my.domain no Bomb found for 'bombDataRe', 'bombRe' and > > 'bombCharSets' > > Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138 > > <sen...@yahoo.de> > > to: recipi...@my.domain Regex:BlackRe 'PB 20: for [!empty!]' > > Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138 > > <sen...@yahoo.de> > > to: recipi...@my.domain [!empty!] : (l:0) 20 , count : 1 , sum : 20 , > > time > > : > > 0 s > > Jun-09-10 08:37:32 65451-05566 [Worker_1] [BombBlack] 87.248.110.138 > > <sen...@yahoo.de> to: recipi...@my.domain (BombBlack '(l:0) (l:0) > > '[!empty!] (20)'') Jun-09-10 08:37:32 65451-05566 [Worker_1] > > 87.248.110.138 <sen...@yahoo.de> > > to: recipi...@my.domain Message-Score: added 20 for BombBlack '(l:0) > > (l:0) '[!empty!] (20)'', total score for this message is now 9 Jun- > 09- > > 10 08:37:32 65451-05566 [Worker_1] 87.248.110.138 <sen...@yahoo.de> > > to: recipi...@my.domain PB-IP-Score for '87.248.110.138' is 20, added > > 20 for BombBlack Jun-09-10 08:37:32 65451-05566 [Worker_1] > [BombBlack] > > 87.248.110.138 <sen...@yahoo.de> to: recipi...@my.domain [spam found] > > (BombBlack '(l:0) > > (l:0) '[!empty!] (20)'') [Alan Wake] -> /opt/assp/discarded/5566.eml; > > Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138 > > <sen...@yahoo.de> > > to: recipi...@my.domain [SMTP Error] 554 5.7.1 Delivery not > authorized, > > message refused -- . (reason: BombBlack '(l:0) (l:0) '[!empty!] > (20)'') > > > > > > The mail is not spam. I cannot see why it is discarded. What does > > [!empty!] mean here? Where does it come from? A bad regex somewhere? > > I use the bombre.txt from the cvs. > > > > Thanks for your hints. > > > > Regards > > Dirk Kulmsee > > > > > > --------------------------------------------------------------------- > -- > > ------- > > ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad > Father's > > Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the > > prize list and enter to win: > > http://p.sf.net/sfu/thinkgeek-promo > > _______________________________________________ > > Assp-test mailing list > > Assp-test@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/assp-test > > > > > > > > > > DISCLAIMER: > > ******************************************************* > > This email and any files transmitted with it may be confidential, > > legally privileged and protected in law and are intended solely for > the > > use of the > > > > individual to whom it is addressed. > > This email was multiple times scanned for viruses. There should be no > > known virus in this email! > > ******************************************************* > > > > > > ----------------------------------------------------------------------- > ------- > This SF.net email is sponsored by Sprint > What will you do first with EVO, the first 4G phone? > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test > > > > > DISCLAIMER: > ******************************************************* > This email and any files transmitted with it may be confidential, > legally > privileged and protected in law and are intended solely for the use of > the > > individual to whom it is addressed. > This email was multiple times scanned for viruses. There should be no > known virus in this email! > ******************************************************* > ------------------------------------------------------------------------------ This SF.net email is sponsored by Sprint What will you do first with EVO, the first 4G phone? Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first _______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
