RE: [Declude.JunkMail] PCRE help
I don't see anything wrong there, Scott.
When I run it through "The Regex Coach", I did have to remove the spaces
at the end of the line in your email and then it did work. So, make sure
there is no whitespace at the end of the line in your test file? Make
sure the filter file really is running and not being END'ed before that
line is encountered?
Andrew.
From: Scott Fisher [mailto:sfis...@farmprogress.com]
Sent: Wednesday, November 16, 2011 9:49 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] PCRE help
Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?=
I am trying to catch the a spam with above subject listed with the below
line:
ANYWHERE 25 PCRE
(?i:((charset|content|lang)=.{0,2}koi8-(r|t|u|ru))|(=\?koi8-(r|t|u|ru)\?
[bq]\?))
Can anyone see what I'm doing wrong?
Scott Fisher | IT Director
FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL
60174-5410
630/462-2323 | Fax 630/462-2957 | sfis...@farmprogress.com
www.FarmProgress.com
RE: [Declude.JunkMail] PCRE help
Your PCRE should trigger on:
=?KOI8-U?B?
Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?=
From: Scott Fisher [mailto:sfis...@farmprogress.com]
Sent: Wednesday, November 16, 2011 12:49 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] PCRE help
Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?=
I am trying to catch the a spam with above subject listed with the below line:
ANYWHERE 25 PCRE
(?i:((charset|content|lang)=.{0,2}koi8-(r|t|u|ru))|(=\?koi8-(r|t|u|ru)\?[bq]\?))
Can anyone see what I’m doing wrong?
Scott Fisher | IT Director
FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL 60174-5410
630/462-2323 | Fax 630/462-2957 |
sfis...@farmprogress.com
RE: [Declude.JunkMail] PCRE information
http://www.pcre.org/pcre.txt http://www.tote-taste.de/X-Project/regex/syntax.html I would suggest this tool http://www.regexbuddy.com/ makes it very easy to learn. David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T Sent: Monday, June 02, 2008 6:13 PM To: declude.junkmail Subject: [Declude.JunkMail] PCRE information Where can I find information on PCRE formatting including what characthers have to be escaped? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE check
Thanks David.John T
eServices For You
-Original Message-
From: "David Barker" <[EMAIL PROTECTED]>
Sent 5/23/2008 8:22:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE check(?i:allen.{0,6}\.info) All
expressions must be in parenthesis ?i: non case sensitive .* any
character {0,6} minimum 0 characters to a maximum of 6 \. Because . can mean
any character a \. means specifically use . Hope this helps.
David B From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
TSent: Friday, May 23, 2008 11:07 AMTo: [EMAIL PROTECTED]: [Declude.JunkMail]
PCRE check I am taking my first stab at regular expressions.
Trying to write a line to catch all of the @ allen info xx . info from
addresses.
So far, I have "mailfrom 10 PCRE @allen(*{0,6}).info"
Is that to broad or not efficient? (I think that means look for any 6
characters between @allen and .info is a match.John T
eServices For You
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE check
(?i:allen.{0,6}\.info)
All expressions must be in parenthesis
?i:non case sensitive
.* any character
{0,6} minimum 0 characters to a maximum of 6
\. Because . can mean any character a \. means specifically use .
Hope this helps.
David B
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
Sent: Friday, May 23, 2008 11:07 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE check
I am taking my first stab at regular expressions.
Trying to write a line to catch all of the @ allen info xx . info from
addresses.
So far, I have "mailfrom 10 PCRE @allen(*{0,6}).info"
Is that to broad or not efficient? (I think that means look for any 6
characters between @allen and .info is a match.
John T
eServices For You
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE check (ES)
Hi John,
Keep us posted how you get on because I have no idea about regular expressions
and would like to see how you trun out.
:o)
Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.net
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T
Sent: 23 May 2008 17:07
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE check
I am taking my first stab at regular expressions.
Trying to write a line to catch all of the @ allen info xx . info from
addresses.
So far, I have "mailfrom 10 PCRE @allen(*{0,6}).info"
Is that to broad or not efficient? (I think that means look for any 6
characters between @allen and .info is a match.
John T
eServices For You
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and NOTCONTAINS
Scott the only way I have done a NOT is in the following example where this
will match on the expression but NOT on levitra using (?!levitra)
(?i:(?!levitra)\bl.{0,2}e.{0,2}v.{0,2}[|li1í!].{0,2}t.{0,2}r.{0,[EMAIL
PROTECTED])
I have attempted to work this type of expression into NOTCONTAINS but ran
into some problems, so I reverted to using NOTCONTAINS
Let us know if you figure something out.
David B
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Thursday, March 20, 2008 10:49 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE and NOTCONTAINS
Is there any way to make a PCRE work like a NOTCONTAINS
I have this filter line:
MAILFROM END NOTCONTAINS @aim.
I also need to add @aol.com to that.
Obviously two notcontains wont work. Is there a way to work the NOT into a
PCRE expression?
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender
by reply email and destroy all copies of the original message. Although Farm
Progress Companies has taken reasonable precautions to ensure no viruses are
present in this email, the company cannot accept responsibility for any loss
or damage arising from the use of this email or attachments.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
Hi David -
Thanks for the tips - very good information for this beginner. I changed
the "e-card" one below to only look at the subject, as that is the one that
I have seen. However, I had another one for some stocks that I had set up
the same, and since I do want it to look "anywhere" I used your suggestion.
I did try (\bERMX\b) the other day, but didn't have it combined with the
?i:, so it wasn't working. I will give this a shot.
Thanks!
Todd
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, July 09, 2007 7:47 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
Hi Todd,
A couple of suggestions
(?i:receive.*(postcard|greeting|ecard|e-card))
could also be written as:
(?i:receive.{0,50}(postcard|greeting|e.?card))
As you are checking anywhere you want to limit the amount of characters
between receive and the postcard etc. if you were using SUBJECT the .* would
be fine. Also the ecard|e-card is better written as e.?card that is
e.(anychar)?{0,1}card
Secondly (?i:ERMX) will produce false positives because of BASE64 encoding
which uses strings of "random" characters, it would be better to use the
word break which is \b so you could do it like (?i:\bERMX\b)
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 12:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
UGGH, it always takes sending something to a LOT of people for you to see
how dumb you are...
I thought I had the postcard test (which is what I had been troubleshooting)
set up for "ANYWHERE", but it's just looking in the body and probably not
finding a match. It's been more common on the Subject.
Let me change that and report back!
Todd
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 10:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
Hi David -
Yes, I just confirmed that I have 4.3.46. Below are two that I just put in.
By the way, I warn at 15, fail at 20, and delete at 45.
Thanks!
Todd
# for the postcard greetings that are going through (aka "You've received a
postcard from a Partner!")
BODY10 PCRE
(?i:receive.*(postcard|greeting|ecard|e-card))
# for the stock spam coming through for ERMX (aka "Stock Watch ERMX")
BODY20 PCRE(?i:ERMX)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, July 06, 2007 10:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
Todd,
Ensure you have version 4.3.46 of Declude. The format of an expression is:
LOCATIONWEIGHT PCRE(EXPRESSION)
Eg.
BODY5 PCRE(?i:Hello World)
Post some examples that you are using but not getting hits.
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 11:08 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE tests
Is there anything special that I need to have "turned on" to take advantage
of this? I've been playing around with it, and really like what it can do.
Being a complete newbie to regex, I've been using Regex Buddy to test the
expressions before putting them into "production". However, I'm not seeing
any hits in the emails.
I have not turned on logging (sorry!) but was wondering if I need to add any
additional information to the config files for this to be noticed, or if it
is by default. I am running the latest version.
Thanks!
Todd
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail&
RE: [Declude.JunkMail] PCRE tests
Hi Todd,
A couple of suggestions
(?i:receive.*(postcard|greeting|ecard|e-card))
could also be written as:
(?i:receive.{0,50}(postcard|greeting|e.?card))
As you are checking anywhere you want to limit the amount of characters
between receive and the postcard etc. if you were using SUBJECT the .* would
be fine. Also the ecard|e-card is better written as e.?card that is
e.(anychar)?{0,1}card
Secondly (?i:ERMX) will produce false positives because of BASE64 encoding
which uses strings of "random" characters, it would be better to use the
word break which is \b so you could do it like (?i:\bERMX\b)
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 12:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
UGGH, it always takes sending something to a LOT of people for you to see
how dumb you are...
I thought I had the postcard test (which is what I had been troubleshooting)
set up for "ANYWHERE", but it's just looking in the body and probably not
finding a match. It's been more common on the Subject.
Let me change that and report back!
Todd
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 10:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
Hi David -
Yes, I just confirmed that I have 4.3.46. Below are two that I just put in.
By the way, I warn at 15, fail at 20, and delete at 45.
Thanks!
Todd
# for the postcard greetings that are going through (aka "You've received a
postcard from a Partner!")
BODY10 PCRE
(?i:receive.*(postcard|greeting|ecard|e-card))
# for the stock spam coming through for ERMX (aka "Stock Watch ERMX")
BODY20 PCRE(?i:ERMX)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, July 06, 2007 10:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
Todd,
Ensure you have version 4.3.46 of Declude. The format of an expression is:
LOCATIONWEIGHT PCRE(EXPRESSION)
Eg.
BODY5 PCRE(?i:Hello World)
Post some examples that you are using but not getting hits.
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Friday, July 06, 2007 11:08 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] PCRE tests
Is there anything special that I need to have "turned on" to take advantage
of this? I've been playing around with it, and really like what it can do.
Being a complete newbie to regex, I've been using Regex Buddy to test the
expressions before putting them into "production". However, I'm not seeing
any hits in the emails.
I have not turned on logging (sorry!) but was wondering if I need to add any
additional information to the config files for this to be noticed, or if it
is by default. I am running the latest version.
Thanks!
Todd
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
OK, it's working. Sorry for the false alarm! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 11:15 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests UGGH, it always takes sending something to a LOT of people for you to see how dumb you are... I thought I had the postcard test (which is what I had been troubleshooting) set up for "ANYWHERE", but it's just looking in the body and probably not finding a match. It's been more common on the Subject. Let me change that and report back! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
UGGH, it always takes sending something to a LOT of people for you to see how dumb you are... I thought I had the postcard test (which is what I had been troubleshooting) set up for "ANYWHERE", but it's just looking in the body and probably not finding a match. It's been more common on the Subject. Let me change that and report back! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 10:59 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests Hi David - Yes, I just confirmed that I have 4.3.46. Below are two that I just put in. By the way, I warn at 15, fail at 20, and delete at 45. Thanks! Todd # for the postcard greetings that are going through (aka "You've received a postcard from a Partner!") BODY10 PCRE (?i:receive.*(postcard|greeting|ecard|e-card)) # for the stock spam coming through for ERMX (aka "Stock Watch ERMX") BODY20 PCRE(?i:ERMX) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Friday, July 06, 2007 10:18 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests Todd, Ensure you have version 4.3.46 of Declude. The format of an expression is: LOCATIONWEIGHT PCRE(EXPRESSION) Eg. BODY5 PCRE(?i:Hello World) Post some examples that you are using but not getting hits. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 11:08 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE tests Is there anything special that I need to have "turned on" to take advantage of this? I've been playing around with it, and really like what it can do. Being a complete newbie to regex, I've been using Regex Buddy to test the expressions before putting them into "production". However, I'm not seeing any hits in the emails. I have not turned on logging (sorry!) but was wondering if I need to add any additional information to the config files for this to be noticed, or if it is by default. I am running the latest version. Thanks! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
Yeah, just checked - it's there. :) Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, July 06, 2007 10:53 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests Also make sure there is the pcre3.dll in your imail folder. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Friday, July 06, 2007 10:18 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests Todd, Ensure you have version 4.3.46 of Declude. The format of an expression is: LOCATIONWEIGHT PCRE(EXPRESSION) Eg. BODY5 PCRE(?i:Hello World) Post some examples that you are using but not getting hits. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 11:08 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE tests Is there anything special that I need to have "turned on" to take advantage of this? I've been playing around with it, and really like what it can do. Being a complete newbie to regex, I've been using Regex Buddy to test the expressions before putting them into "production". However, I'm not seeing any hits in the emails. I have not turned on logging (sorry!) but was wondering if I need to add any additional information to the config files for this to be noticed, or if it is by default. I am running the latest version. Thanks! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
Hi David - Yes, I just confirmed that I have 4.3.46. Below are two that I just put in. By the way, I warn at 15, fail at 20, and delete at 45. Thanks! Todd # for the postcard greetings that are going through (aka "You've received a postcard from a Partner!") BODY10 PCRE (?i:receive.*(postcard|greeting|ecard|e-card)) # for the stock spam coming through for ERMX (aka "Stock Watch ERMX") BODY20 PCRE(?i:ERMX) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Friday, July 06, 2007 10:18 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests Todd, Ensure you have version 4.3.46 of Declude. The format of an expression is: LOCATIONWEIGHT PCRE(EXPRESSION) Eg. BODY5 PCRE(?i:Hello World) Post some examples that you are using but not getting hits. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 11:08 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE tests Is there anything special that I need to have "turned on" to take advantage of this? I've been playing around with it, and really like what it can do. Being a complete newbie to regex, I've been using Regex Buddy to test the expressions before putting them into "production". However, I'm not seeing any hits in the emails. I have not turned on logging (sorry!) but was wondering if I need to add any additional information to the config files for this to be noticed, or if it is by default. I am running the latest version. Thanks! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
Also make sure there is the pcre3.dll in your imail folder. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Friday, July 06, 2007 10:18 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE tests Todd, Ensure you have version 4.3.46 of Declude. The format of an expression is: LOCATIONWEIGHT PCRE(EXPRESSION) Eg. BODY5 PCRE(?i:Hello World) Post some examples that you are using but not getting hits. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 11:08 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE tests Is there anything special that I need to have "turned on" to take advantage of this? I've been playing around with it, and really like what it can do. Being a complete newbie to regex, I've been using Regex Buddy to test the expressions before putting them into "production". However, I'm not seeing any hits in the emails. I have not turned on logging (sorry!) but was wondering if I need to add any additional information to the config files for this to be noticed, or if it is by default. I am running the latest version. Thanks! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE tests
Todd, Ensure you have version 4.3.46 of Declude. The format of an expression is: LOCATIONWEIGHT PCRE(EXPRESSION) Eg. BODY5 PCRE(?i:Hello World) Post some examples that you are using but not getting hits. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, July 06, 2007 11:08 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE tests Is there anything special that I need to have "turned on" to take advantage of this? I've been playing around with it, and really like what it can do. Being a complete newbie to regex, I've been using Regex Buddy to test the expressions before putting them into "production". However, I'm not seeing any hits in the emails. I have not turned on logging (sorry!) but was wondering if I need to add any additional information to the config files for this to be noticed, or if it is by default. I am running the latest version. Thanks! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] pcre code
You would have to test this but try:
BODY 0 PCRE (\(\r|\s){0,})
David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Thursday, June 21, 2007 11:19 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] pcre code
Does any one have any PCRE code that will detect empty HTML like:
Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender
by reply email and destroy all copies of the original message. Although Farm
Progress Companies has taken reasonable precautions to ensure no viruses are
present in this email, the company cannot accept responsibility for any loss
or damage arising from the use of this email or attachments.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and REVDNS
Maximum line length in a filter is 1024 Characters David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, June 19, 2007 10:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH.bigfootinteractive.com REVDNS -5 ENDSWITH.bluehornet.com REVDNS -5 ENDSWITH.constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and REVDNS
I will add it but currently requires a separate username and password. I will see if I can get this done today. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Tuesday, June 19, 2007 11:05 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] PCRE and REVDNS How about adding it to the downloads section? That seems easier than dealing with a lot of individual requests. Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Tuesday, June 19, 2007 10:42 AM Subject: RE: [Declude.JunkMail] PCRE and REVDNS Email me directly [EMAIL PROTECTED] as to keep the lists relevant -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Tuesday, June 19, 2007 10:35 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS David, I would like a copy. Mark Reimer IT System Admin American CareSource 972-308-6887 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, June 19, 2007 9:15 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS I will have to check out the maximum line length and get back to you, I have modified most of the 419 filter if anyone (with a valid sa) would like a copy just let me know. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, June 19, 2007 10:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH .bigfootinteractive.com REVDNS -5 ENDSWITH .bluehornet.com REVDNS -5 ENDSWITH .constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE and REVDNS
How about adding it to the downloads section? That seems easier than dealing with a lot of individual requests. Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Tuesday, June 19, 2007 10:42 AM Subject: RE: [Declude.JunkMail] PCRE and REVDNS Email me directly [EMAIL PROTECTED] as to keep the lists relevant -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Tuesday, June 19, 2007 10:35 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS David, I would like a copy. Mark Reimer IT System Admin American CareSource 972-308-6887 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, June 19, 2007 9:15 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS I will have to check out the maximum line length and get back to you, I have modified most of the 419 filter if anyone (with a valid sa) would like a copy just let me know. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, June 19, 2007 10:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH .bigfootinteractive.com REVDNS -5 ENDSWITH .bluehornet.com REVDNS -5 ENDSWITH .constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and REVDNS
Email me directly [EMAIL PROTECTED] as to keep the lists relevant -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Tuesday, June 19, 2007 10:35 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS David, I would like a copy. Mark Reimer IT System Admin American CareSource 972-308-6887 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, June 19, 2007 9:15 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS I will have to check out the maximum line length and get back to you, I have modified most of the 419 filter if anyone (with a valid sa) would like a copy just let me know. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, June 19, 2007 10:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH.bigfootinteractive.com REVDNS -5 ENDSWITH.bluehornet.com REVDNS -5 ENDSWITH.constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and REVDNS
David, I would like a copy. Mark Reimer IT System Admin American CareSource 972-308-6887 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, June 19, 2007 9:15 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS I will have to check out the maximum line length and get back to you, I have modified most of the 419 filter if anyone (with a valid sa) would like a copy just let me know. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, June 19, 2007 10:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH.bigfootinteractive.com REVDNS -5 ENDSWITH.bluehornet.com REVDNS -5 ENDSWITH.constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and REVDNS
I will have to check out the maximum line length and get back to you, I have modified most of the 419 filter if anyone (with a valid sa) would like a copy just let me know. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, June 19, 2007 10:03 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] PCRE and REVDNS OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH.bigfootinteractive.com REVDNS -5 ENDSWITH.bluehornet.com REVDNS -5 ENDSWITH.constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE and REVDNS
OK, now you have me thinking could I use PCRE to replace tons of body searches for my 419/Lottery filter... What is the maximum line length for a line in a filter? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 18, 2007 12:54 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] PCRE and REVDNS Just a quick tutorial. As PCRE is much quicker than using regular line matching I use the following when checking against REVDNS within filters: Regular Filter line: --- REVDNS -5 ENDSWITH.bigfootinteractive.com REVDNS -5 ENDSWITH.bluehornet.com REVDNS -5 ENDSWITH.constantcontact.com PCRE Filter line: --- REVDNS -5 PCRE (?i:\.(bigfootinteractive|bluehornet|constantcontact)\.com$) 1. The PCRE expression needs to be in parenthesis ( ) 2. ?i: indicates case in-sensitive 3. As . is a special character meaning any character we use the \ to indicate that it should just be a . 4. The | represents or 5.The $ is also a special character which used here indicates the end of a string The above PCRE will match any of the 3 from the regular filter. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE
Don't take it the wrong way. While we're a bit frustrated at having to wait so long for a stable product that doesn't have any loss of functionality, Kevin Gillis has done a very good job of righting the product management ship at Ipswitch, and is treating customers well. If we can get a stable product soon, we'll be very happy despite the wait. Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, May 10, 2007 3:05 PM Subject: RE: [Declude.JunkMail] PCRE Phew! For a moment there I thought Declude was the only software company in the world to have issues and then make customers wait a year and a half for a solution, I guess one consolation is we don't charge you as much to do so :) David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, May 10, 2007 2:59 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] PCRE For those on IMail, the focus right now is probably on getting a stable and fully functional mail server again. IMail 2006.21 preview 1 was just released to hopefully address most, if not all, of the problems with 2006, but it was just posted that those with virtual domains should wait for preview 2 due to a problem with preview 1. Still waiting after a year and a half. Hope there's a light at the end of the tunnel soon. But that's probably at least part of what's making it quieter here... Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, May 10, 2007 2:28 PM Subject: [Declude.JunkMail] PCRE Ok, either everyone has left or everyone is very happy because it is kind of quite. So I thought I would post something: Using PCRE here is an expression that will only match a valid IP address. (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9] ?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][ 0-9]?) I guess this is useful for several reasons, currently I am just using it see if there is an IP in the REVDNS entry. Any thoughts on how this could be effectivley used ? David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE
I'm an excellent coffee maker, thank you! I feel drippy all day which helps :) If you have any further questions, please do not hesitate to contact me either by email or call Toll free 1-866-332-5833 Ext.7008 Linda Pagillo Technical Support Engineer | Declude Your Email Security is our business Office: 978.499.2933 x7008 Toll Free: 1-866.332.5833 x7008 Fax: 978.334.0700 Email: [EMAIL PROTECTED] - Original Message - From: "John T (lists)" <[EMAIL PROTECTED]> To: Sent: Thursday, May 10, 2007 2:08 PM Subject: RE: [Declude.JunkMail] PCRE > Linda, thanks for the Laugh. > > How are you at making coffee? I haven't had my morning cup yet. > > OOPS, mornings over already. > > John T > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > > Linda Pagillo > > Sent: Thursday, May 10, 2007 11:59 AM > > To: declude.junkmail@declude.com > > Subject: Re: [Declude.JunkMail] PCRE > > > > I'm here with you David. No need to feel alone :) > > > > If you have any further questions, please do not hesitate to contact me > > either by email or call Toll free 1-866-332-5833 Ext.7008 > > > > Linda Pagillo > > Technical Support Engineer | Declude > > > > Your Email Security is our business > > > > Office: 978.499.2933 x7008 > > Toll Free: 1-866.332.5833 x7008 > > Fax: 978.334.0700 > > Email: [EMAIL PROTECTED] > > - Original Message - > > From: "David Barker" <[EMAIL PROTECTED]> > > To: > > Sent: Thursday, May 10, 2007 1:28 PM > > Subject: [Declude.JunkMail] PCRE > > > > > > > Ok, either everyone has left or everyone is very happy because it is > > kind > > of > > > quite. So I thought I would post something: > > > > > > Using PCRE here is an expression that will only match a valid IP > > address. > > > > > > > > (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0- > > 9][0-9] > > > > > ?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0- > > 9]|[01]?[0-9][ > > > 0-9]?) > > > > > > I guess this is useful for several reasons, currently I am just using > > it > > see > > > if there is an IP in the REVDNS entry. Any thoughts on how this could > > be > > > effectivley used ? > > > > > > David Barker > > > VP Operations | Declude > > > Your Email Security is our business > > > O: 978.499.2933 x7007 > > > F: 978.988.1311 > > > E: [EMAIL PROTECTED] > > > > > > > > > > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE
Linda, thanks for the Laugh. How are you at making coffee? I haven't had my morning cup yet. OOPS, mornings over already. John T > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Linda Pagillo > Sent: Thursday, May 10, 2007 11:59 AM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] PCRE > > I'm here with you David. No need to feel alone :) > > If you have any further questions, please do not hesitate to contact me > either by email or call Toll free 1-866-332-5833 Ext.7008 > > Linda Pagillo > Technical Support Engineer | Declude > > Your Email Security is our business > > Office: 978.499.2933 x7008 > Toll Free: 1-866.332.5833 x7008 > Fax: 978.334.0700 > Email: [EMAIL PROTECTED] > - Original Message - > From: "David Barker" <[EMAIL PROTECTED]> > To: > Sent: Thursday, May 10, 2007 1:28 PM > Subject: [Declude.JunkMail] PCRE > > > > Ok, either everyone has left or everyone is very happy because it is > kind > of > > quite. So I thought I would post something: > > > > Using PCRE here is an expression that will only match a valid IP > address. > > > > > (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0- > 9][0-9] > > > ?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0- > 9]|[01]?[0-9][ > > 0-9]?) > > > > I guess this is useful for several reasons, currently I am just using > it > see > > if there is an IP in the REVDNS entry. Any thoughts on how this could > be > > effectivley used ? > > > > David Barker > > VP Operations | Declude > > Your Email Security is our business > > O: 978.499.2933 x7007 > > F: 978.988.1311 > > E: [EMAIL PROTECTED] > > > > > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE
Phew! For a moment there I thought Declude was the only software company in the world to have issues and then make customers wait a year and a half for a solution, I guess one consolation is we don't charge you as much to do so :) David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, May 10, 2007 2:59 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] PCRE For those on IMail, the focus right now is probably on getting a stable and fully functional mail server again. IMail 2006.21 preview 1 was just released to hopefully address most, if not all, of the problems with 2006, but it was just posted that those with virtual domains should wait for preview 2 due to a problem with preview 1. Still waiting after a year and a half. Hope there's a light at the end of the tunnel soon. But that's probably at least part of what's making it quieter here... Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, May 10, 2007 2:28 PM Subject: [Declude.JunkMail] PCRE Ok, either everyone has left or everyone is very happy because it is kind of quite. So I thought I would post something: Using PCRE here is an expression that will only match a valid IP address. (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9] ?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][ 0-9]?) I guess this is useful for several reasons, currently I am just using it see if there is an IP in the REVDNS entry. Any thoughts on how this could be effectivley used ? David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE
For those on IMail, the focus right now is probably on getting a stable and fully functional mail server again. IMail 2006.21 preview 1 was just released to hopefully address most, if not all, of the problems with 2006, but it was just posted that those with virtual domains should wait for preview 2 due to a problem with preview 1. Still waiting after a year and a half. Hope there's a light at the end of the tunnel soon. But that's probably at least part of what's making it quieter here... Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, May 10, 2007 2:28 PM Subject: [Declude.JunkMail] PCRE Ok, either everyone has left or everyone is very happy because it is kind of quite. So I thought I would post something: Using PCRE here is an expression that will only match a valid IP address. (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9] ?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][ 0-9]?) I guess this is useful for several reasons, currently I am just using it see if there is an IP in the REVDNS entry. Any thoughts on how this could be effectivley used ? David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE
I'm here with you David. No need to feel alone :) If you have any further questions, please do not hesitate to contact me either by email or call Toll free 1-866-332-5833 Ext.7008 Linda Pagillo Technical Support Engineer | Declude Your Email Security is our business Office: 978.499.2933 x7008 Toll Free: 1-866.332.5833 x7008 Fax: 978.334.0700 Email: [EMAIL PROTECTED] - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, May 10, 2007 1:28 PM Subject: [Declude.JunkMail] PCRE > Ok, either everyone has left or everyone is very happy because it is kind of > quite. So I thought I would post something: > > Using PCRE here is an expression that will only match a valid IP address. > > (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9] > ?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][ > 0-9]?) > > I guess this is useful for several reasons, currently I am just using it see > if there is an IP in the REVDNS entry. Any thoughts on how this could be > effectivley used ? > > David Barker > VP Operations | Declude > Your Email Security is our business > O: 978.499.2933 x7007 > F: 978.988.1311 > E: [EMAIL PROTECTED] > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
Here are some web pages you might check out: http://www.cecilw.com/eudora/regexp.htm http://www.adamlyon.com/spam/spam_filter_regex.html http://www.adamlyon.com/spam/afo.txt http://trac.edgewall.org/wiki/BadContent http://www.regexlib.com/ Hopefully at some point Declude will post a list of good examples on their web site. Gary Original Message > From: John Olden <[EMAIL PROTECTED]> > Sent: Friday, March 16, 2007 4:58 PM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] PCRE FILTERING > > Would anyone be willing to share their regular expressions files (lines) > with the group? > I know this will be a valuable addition to Declude but most of us don't > want to (or know how to) re-invent the wheel. > Thanks. > -- > John Olden - Technology Manager > Champaign Park District > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
Would anyone be willing to share their regular expressions files (lines) with the group? I know this will be a valuable addition to Declude but most of us don't want to (or know how to) re-invent the wheel. Thanks. -- John Olden - Technology Manager Champaign Park District --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
Just to clarify a bit on this, there is the conundrum regarding text or HTML base64 encoded attachments and other types of attachments where you want to search the text and HTML stuff in decoded format, but not the image, application and other MIME types. It is however less common to obfuscate with base64 encoding these days, so even without supporting encoded text or HTML would still be of benefit. It certainly could be done to support them though with a little extra work to look at the MIME types. Matt John T (lists) wrote: This was an old, old feature request/bug fix from back in the Scott days, where it was desired not include encoded base64 I requested this as a change long ago for two reasons: 1) To avoid false positives where search text matches the MIME or UUENCODE formatting 2) To provide an instant speed up in BODY and ANYWHERE processing because Declude has less text to match, in particular when MIME encoding text is being searched for, say, an encoded PDF, DOC or JPG. It may also have the additional benefit of being more accurate: 3) To provide for fewer false negatives, because the string size is more complete with the body text. Giving a third to what Andrew and Matt have said, I have a client that deals in electronic parts. Electronic part numbers take on all forms of sequences and not being able to limit body searches to non-base64 encoding which is primarily attachments has caused a lot of extra work on my part constantly having to make adjustments to counter this problem. Being able to have BODY not include attachments is coming to the point where it is no longer a feature but a requirement. John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE FILTERING
> > This was an old, old feature request/bug fix from back in the > > Scott days, where it was desired not include encoded base64 > > I requested this as a change long ago for two reasons: > > 1) To avoid false positives where search text matches the MIME or UUENCODE > formatting > > 2) To provide an instant speed up in BODY and ANYWHERE processing because > Declude has less text to match, in particular when MIME encoding text is > being searched for, say, an encoded PDF, DOC or JPG. > > It may also have the additional benefit of being more accurate: > > 3) To provide for fewer false negatives, because the string size is more > complete with the body text. Giving a third to what Andrew and Matt have said, I have a client that deals in electronic parts. Electronic part numbers take on all forms of sequences and not being able to limit body searches to non-base64 encoding which is primarily attachments has caused a lot of extra work on my part constantly having to make adjustments to counter this problem. Being able to have BODY not include attachments is coming to the point where it is no longer a feature but a requirement. John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE FILTERING
> This was an old, old feature request/bug fix from back in the
> Scott days, where it was desired not include encoded base64
I requested this as a change long ago for two reasons:
1) To avoid false positives where search text matches the MIME or UUENCODE
formatting
2) To provide an instant speed up in BODY and ANYWHERE processing because
Declude has less text to match, in particular when MIME encoding text is being
searched for, say, an encoded PDF, DOC or JPG.
It may also have the additional benefit of being more accurate:
3) To provide for fewer false negatives, because the string size is more
complete with the body text.
I don't know how it was truly programmed, but the operational explanation from
Scott years ago, Declude decodes the message and strips various formattings,
concatenates it all into a very large string, and that is what the BODY and
ANYWHERE filters search against.
This lets Declude do a BODY match where the text is obfuscated inside of HTML,
because the HTML tags are stripped, and likewise, should catch a phrase which
is split by a linefeed.
I recognized that this was a major coding change, but I thought it would be
beneficial for power users to specify the "layer" at which the text searching
is done, e.g.
Message(Original message format with all the warts)
MessageFixed (Illegal characters stripped and line formats fixed)
MessageDecoded (MIME and UUENCODE converted back to 8 bit ASCII)
Text (Only the text attachments specified, not graphics
and not documents or other binary attachments)
TextStripped (HTML stripped out, white space collapsed)
I've removed HTML deobfuscation as a layer to this onion, as that is too
specfic of a spammer technique, and is adequately covered by creative PCRE if
the last two text layers are available.
The MessageDecoded layer might is probably sufficiently represented by just the
bones of the message, the text that makes up the framework of the message such
as the header lines and the MIME Content-Type and boundary lines, without the
actual text contents and without the attachments.
In the many years that I've used Declude (and been preceeded by power users
such as Sandy, Matt, and John [and superseded by Scott]) nobody has ever wanted
to match text against the representation of an attachment, e.g. to match text
against the representation of an executable, a specific virus, or the header of
a TIFF file.
Andrew.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Matt
> Sent: Wednesday, March 14, 2007 9:21 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] PCRE FILTERING
>
> Dave,
>
> This was an old, old feature request/bug fix from back in the
> Scott days, where it was desired not include encoded base64
> content on BODY searches (decoded content was desired). The
> work around for this it to add a separator to the end of the
> filter such as a period, comma, space, tab, or left HTML bracket.
>
> It would also help to specify what format the BODY data would
> come in, for instance is a line break in the original
> processed by the regular expression as a line break? It
> would be hugely beneficial to regular expressions to take the
> BODY content and strip out all line breaks, replacing them
> with spaces for the purpose of filtering with regex.
> Maybe it is time to create another variable for body content
> that is more regex friendly? That should be easy enough to do.
>
> Matt
>
>
>
> David Barker wrote:
> > We can certainly look at doing something like that,
> currently I am using
> > this line:
> >
> > BODYEND CONTAINS
> Content-Transfer-Encoding: base64
> >
> > David
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Scott
> > Fisher
> > Sent: Wednesday, March 14, 2007 10:15 AM
> > To: declude.junkmail@declude.com
> > Subject: Re: [Declude.JunkMail] PCRE FILTERING
> >
> > I'm seeing hits in the attachments too.
> > Triggered ANYWHERE PCRE filter REGEX-KEYWORDS :
> vHXAH51eG1ujzM (valium)
> >
> > It would be real nice to be able to search the body without
> the attachments
> > like this.
> > BODYONLY 25 PCRE
> > (?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
> >
> > Being able to search the body without the attachments would
> also be a time
> > saver on those BODY filters.
> >
> >
> >
> > - Original Message -
> > From: "David Barker" <[EMAIL PROTECTED]>
> > To:
> > Sent: Tuesday, March 13, 2007 11:24 AM
> > Subject: [Declude.Junk
Re: [Declude.JunkMail] PCRE FILTERING
Dave,
This was an old, old feature request/bug fix from back in the Scott
days, where it was desired not include encoded base64 content on BODY
searches (decoded content was desired). The work around for this it to
add a separator to the end of the filter such as a period, comma, space,
tab, or left HTML bracket.
It would also help to specify what format the BODY data would come in,
for instance is a line break in the original processed by the regular
expression as a line break? It would be hugely beneficial to regular
expressions to take the BODY content and strip out all line breaks,
replacing them with spaces for the purpose of filtering with regex.
Maybe it is time to create another variable for body content that is
more regex friendly? That should be easy enough to do.
Matt
David Barker wrote:
We can certainly look at doing something like that, currently I am using
this line:
BODYEND CONTAINSContent-Transfer-Encoding: base64
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, March 14, 2007 10:15 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] PCRE FILTERING
I'm seeing hits in the attachments too.
Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM (valium)
It would be real nice to be able to search the body without the attachments
like this.
BODYONLY 25 PCRE
(?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
Being able to search the body without the attachments would also be a time
saver on those BODY filters.
- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, March 13, 2007 11:24 AM
Subject: [Declude.JunkMail] PCRE FILTERING
Wanted to give a sample of how the new Regular Expressions are identifying
patterns, here is a log snip on a few patterns for Drugs:
ANYWHERE PCRE filter FILTER-DRUGS : C1al.is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : C1alis is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cia1is s [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cial1s S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialiis [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : CIALIS [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialis S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : H,G,H [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HGH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Human Growth Hormone [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HxGxH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Leviitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levltra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v!Agr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V_I_A_G_R_A [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v|aGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agr@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Val1um [weight -> 1]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED]@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Vi[agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Via gra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagraa [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGRA [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanax [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanaxx [weight -> 5]
These are the expressions I am using - as I am still on a learning curve
these expressions may be improved and become more accurate While testing I
score relatively low just in case of FP's. I use a tool called baregrep
http://www.baremetalsoft.com/baregrep/ which speeds through huge DEBUG logs
pulling out entries I am looking for. Hope this helps get you started with
PCRE, I think the Declude community can recieve great value from sharing
this type of info.
#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
#HGH
ANYWHERE 5 PCRE (?i:\b(?:human growth
hormone|(?-i:HGH)|H.G.H)\b)
#LEVITRA
ANYWHERE 5 PCRE
(?i:\bl.{0,2}e.{0,2}v.{0,2}[\|li1í\!].{0,2}t.{0,2}r.{0,[EMAIL PROTECTED])
#VIAGRA
ANYWHERE 5 PCRE
(?i:v.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}g.{0,2}r.{0,[EMAIL PROTECTED])
#XANAX
ANYWHERE 5 PCRE (?i:x.{0,[EMAIL PROTECTED],2}n.{0,[EMAIL PROTECTED],2}x)
David
RE: [Declude.JunkMail] PCRE FILTERING
I find the CIALIS on it's own does tend to match on some weird combos more
than the other drugs give this one a try:
BODY5 PCRE
(?im:c.{0,2}[\|li1í\!].{0,[EMAIL
PROTECTED],2}[\|li1í\!].{0,2}[\|li1í\!].{0,2}s+.{0,
30}?(\$\d{1,4}(\.|,)\d{1,4}))
Basically looking for Cialis with some sort of $ amount
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, March 14, 2007 10:17 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] PCRE FILTERING
also:
Capital Firms
cycle analysis
- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, March 14, 2007 8:14 AM
Subject: Re: [Declude.JunkMail] PCRE FILTERING
> fyi -
>> #CIALIS
>> ANYWHERE 3 PCRE
>> (?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL
>> PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
>>
>>
> This one will false positive onclassifieds
>
> -Nick
>
>
>
>
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
>
>
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE FILTERING
We can certainly look at doing something like that, currently I am using
this line:
BODYEND CONTAINSContent-Transfer-Encoding: base64
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, March 14, 2007 10:15 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] PCRE FILTERING
I'm seeing hits in the attachments too.
Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM (valium)
It would be real nice to be able to search the body without the attachments
like this.
BODYONLY 25 PCRE
(?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
Being able to search the body without the attachments would also be a time
saver on those BODY filters.
- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, March 13, 2007 11:24 AM
Subject: [Declude.JunkMail] PCRE FILTERING
Wanted to give a sample of how the new Regular Expressions are identifying
patterns, here is a log snip on a few patterns for Drugs:
ANYWHERE PCRE filter FILTER-DRUGS : C1al.is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : C1alis is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cia1is s [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cial1s S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialiis [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : CIALIS [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialis S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : H,G,H [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HGH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Human Growth Hormone [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HxGxH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Leviitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levltra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v!Agr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V_I_A_G_R_A [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v|aGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agr@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Val1um [weight -> 1]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED]@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Vi[agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Via gra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagraa [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGRA [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanax [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanaxx [weight -> 5]
These are the expressions I am using - as I am still on a learning curve
these expressions may be improved and become more accurate While testing I
score relatively low just in case of FP's. I use a tool called baregrep
http://www.baremetalsoft.com/baregrep/ which speeds through huge DEBUG logs
pulling out entries I am looking for. Hope this helps get you started with
PCRE, I think the Declude community can recieve great value from sharing
this type of info.
#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
#HGH
ANYWHERE 5 PCRE (?i:\b(?:human growth
hormone|(?-i:HGH)|H.G.H)\b)
#LEVITRA
ANYWHERE 5 PCRE
(?i:\bl.{0,2}e.{0,2}v.{0,2}[\|li1í\!].{0,2}t.{0,2}r.{0,[EMAIL PROTECTED])
#VIAGRA
ANYWHERE 5 PCRE
(?i:v.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}g.{0,2}r.{0,[EMAIL PROTECTED])
#XANAX
ANYWHERE 5 PCRE (?i:x.{0,[EMAIL PROTECTED],2}n.{0,[EMAIL PROTECTED],2}x)
David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
also:
Capital Firms
cycle analysis
- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, March 14, 2007 8:14 AM
Subject: Re: [Declude.JunkMail] PCRE FILTERING
fyi -
#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
This one will false positive onclassifieds
-Nick
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
I'm seeing hits in the attachments too.
Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM (valium)
It would be real nice to be able to search the body without the attachments
like this.
BODYONLY 25 PCRE
(?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
Being able to search the body without the attachments would also be a time
saver on those BODY filters.
- Original Message -
From: "David Barker" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, March 13, 2007 11:24 AM
Subject: [Declude.JunkMail] PCRE FILTERING
Wanted to give a sample of how the new Regular Expressions are identifying
patterns, here is a log snip on a few patterns for Drugs:
ANYWHERE PCRE filter FILTER-DRUGS : C1al.is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : C1alis is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cia1is s [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cial1s S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialiis [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : CIALIS [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialis S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : H,G,H [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HGH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Human Growth Hormone [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HxGxH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Leviitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levltra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v!Agr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V_I_A_G_R_A [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v|aGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agr@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Val1um [weight -> 1]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED]@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Vi[agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Via gra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagraa [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGRA [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanax [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanaxx [weight -> 5]
These are the expressions I am using - as I am still on a learning curve
these expressions may be improved and become more accurate While testing I
score relatively low just in case of FP's. I use a tool called baregrep
http://www.baremetalsoft.com/baregrep/ which speeds through huge DEBUG logs
pulling out entries I am looking for. Hope this helps get you started with
PCRE, I think the Declude community can recieve great value from sharing
this type of info.
#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
#HGH
ANYWHERE 5 PCRE (?i:\b(?:human growth
hormone|(?-i:HGH)|H.G.H)\b)
#LEVITRA
ANYWHERE 5 PCRE
(?i:\bl.{0,2}e.{0,2}v.{0,2}[\|li1í\!].{0,2}t.{0,2}r.{0,[EMAIL PROTECTED])
#VIAGRA
ANYWHERE 5 PCRE
(?i:v.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}g.{0,2}r.{0,[EMAIL PROTECTED])
#XANAX
ANYWHERE 5 PCRE (?i:x.{0,[EMAIL PROTECTED],2}n.{0,[EMAIL PROTECTED],2}x)
David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] PCRE FILTERING
Yes I noticed that is why I used 3 rather than 5 as for the others, I guess
one way to deal with this would be:
#FP ADJUSTMENTS
ANYWHERE-3 CONTAINSclassifieds
Or
ANYWHEREEND CONTAINSclassifieds
David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: Wednesday, March 14, 2007 9:14 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] PCRE FILTERING
fyi -
> #CIALIS
> ANYWHERE 3 PCRE
> (?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}
> s)
>
>
This one will false positive onclassifieds
-Nick
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
fyi -
#CIALIS
ANYWHERE3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
This one will false positive onclassifieds
-Nick
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
