Re: spamd vs. builtin SA (was Re: [Mimedefang] Patch: adding custom headers for SpamAssassin)

2006-11-24 Thread Steffen Kaiser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 23 Nov 2006, Jan-Pieter Cornet wrote:

Do you use spamc to connect to spamd or have you re-implemented the 
protocol in Perl?


Bye,

- -- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQEVAwUBRWatzOgJIbZtwg6XAQIX9Qf/TrsPlVHmK4M5zYQ4cNFTISZlHEfXCyO1
ZQ1xge7WsiK7lGvbof0F0DmWU7Oyn7UOD1Ltp45Jm/cvugjnqAcvnuwPqAagh2PX
tA8ji4AG10mllnWIsjeMxEtx9XLUvaOTnYWZypXknKFtntguHUO1x7JXonNx2qFR
csHaPILn5+WX/N2ZIrV8cuE93NPjoOxuB72XHUdUOxfggnl9jG5f+SLvctAO5rdt
HHj7GfAp9gaGyLqhdYgbxXulxdhszZxmOSDeEVNNgruPR5ckMsbaIrFzh8M0k1kX
rlp9EW/y1+n1hID52PpvLjA9utBC+2RMykg3ZHNx+RYv/Z3cwes3/g==
=ks7q
-----END PGP SIGNATURE-----
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-24 Thread Steffen Kaiser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 23 Nov 2006, John Rudd wrote:


> Philip Prindeville wrote:
>
>> dnl # The following causes sendmail to additionally listen to port 465, but
>> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
>> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
>> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
>> dnl # and doesn't support the deprecated smtps; Evolution 1.1.1 uses smtps
>> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
>> dnl #
>> dnl # For this to work your OpenSSL certificates must be configured.
>> dnl #
>> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>> dnl #
>
> That's kind of funny.  starting immediately in TLS mode is not TLS.  It's
> SSL.  They should have named that SSLMTA not TLSMTA.
>
> But that's just me being picky.
>
> I wouldn't dnl it.  I might change the Name, but you don't really have to
> disable it.

Last time I tried, sendmail did not recognize an SSL connection, I had to
use stunnel to wrap the connection. Insofar, it makes no sense.


Bye,

- -- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQEVAwUBRWauIegJIbZtwg6XAQIyfgf/a98PaNSx5Y3RX4Yht3d4t8RqUmGjjeh/
UtToK/tsWnI5e0gaB2nBFQANTaY3wS4NBREala1NM74I/5+Sj1/+AgWB2HliTag5
j8ZGBcdpgbM1lUvu7S/SaKgY5oGvr/yW3lCG9uR+D0kuq5O2pgyy7UjuOy8I6kIG
5f9jpuJv1UxQai1xn2ZTd2RoacoPMJMC/5ezDr9lzYPJRwlSExSPY/sh+gOW5oHO
yLlpX2C+GHEi7Wc0jyENGmw81i4BsdCZ0hGQIEW3ALQMpY97+pwL21hnu3H6H4uo
8GeWZ8H7f2kSbvNzYIoXy006LEGcyoC7mBiVOlSxycHUK0z+k9SIyg==
=pPzv
-----END PGP SIGNATURE-----


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-24 Thread Tomasz Ostrowski
On Wed, 22 Nov 2006, Philip Prindeville wrote:

> if (
>   $Features{SpamAssassin}
>   && $SendmailMacros{'daemon_name'} ne 'TLSMTA'
> )

I use:

if (
  $Features{SpamAssassin}
  && (!defined($SendmailMacros{'auth_type'}))
  && ($RelayAddr ne '127.0.0.1')
)

This 'auth_type' check was suggested on this list some time ago. This
is more portable than the 'daemon_name' check.

And if a message is already on my server I assume it is not spam.


There is a small problem with this approach - the Bayes database does not
learn phrases and words used in e-mail sent by your own users.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: spamd vs. builtin SA (was Re: [Mimedefang] Patch: adding custom headers for SpamAssassin)

2006-11-24 Thread Jan-Pieter Cornet
On Fri, Nov 24, 2006 at 09:31:05AM +0100, Steffen Kaiser wrote:
> Do you use spamc to connect to spamd or have you re-implemented the
> protocol in Perl?

I use spamc. It's a pretty small binary. The spamc-spamd protocol
isn't defined, whereas the spamc interface is properly defined, so I
didn't want to mess with undocumented non-forward compatibility issues.

If I ever suggested that it's better to re-implement spamc in perl
(I seem to recall I did), then that was based on the assumption that
the spamd protocol was documented and easy.

-- 
Jan-Pieter Cornet [EMAIL PROTECTED]
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-24 Thread Kees Theunissen
On Fri, 24 Nov 2006, Tomasz Ostrowski wrote:

> if (
>   $Features{SpamAssassin}
>   && (!defined($SendmailMacros{'auth_type'}))
>   && ($RelayAddr ne '127.0.0.1')
> )
>
> This 'auth_type' check was suggested on this list some time ago. This
> is more portable than the 'daemon_name' check.
>
> And if a message is already on my server I assume it is not spam.
>
> There is a small problem with this approach - the Bayes database does not
> learn phrases and words used in e-mail sent by your own users.

Is that a problem if you don't scan these messages anyway?

Regards,

Kees.
-- 
Kees Theunissen
F.O.M.-Institute for Plasma Physics Rijnhuizen, Nieuwegein, Netherlands
E-mail: [EMAIL PROTECTED],  Tel: (+31|0)306096724,  Fax: (+31|0)306031204



Re: spamd vs. builtin SA (was Re: [Mimedefang] Patch: adding custom headers for SpamAssassin)

2006-11-24 Thread Steffen Kaiser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 24 Nov 2006, Jan-Pieter Cornet wrote:

I was just wondering, because you shell-out one program per scan now. I 
was hoping that there is another way to connect to spamd.


Bye,

- -- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQEVAwUBRWbe+ugJIbZtwg6XAQIdawf+MWCPNW0wnIQHZFebtsf7f0rJ6AO6HZjX
qctrGOVGVWdaVN4C9pSSkSAXFTpiinHmPismJiFQ42CWOv1TtblZoyj7UDFf4E0y
neKYdnBqBX8aJlEknpM7t1NtlsNFVEIYss7LlFJwTgRWO7Swfq9N6soW2PLirQ1e
qQXULukr6LPcL999h9DQF+MvFuzy/mGcXtD6+lhfy2os6iXAFTmHUL/4+DqIfQtK
XVE79a8NwdfCSiq606N1rYVKzG737RgM25EHMmz0fybuEGuo4zU578DBVl9YTS0M
abigcUxrUiQThIW+q3q5/jFabmM2p12NfrRIhOLqgDRPn3NOyfD9OQ==
=jwVl
-----END PGP SIGNATURE-----


[Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?

2006-11-24 Thread Paul Murphy
Hi,

In the ever-escalating war, I'm having problems with some spammers
sending stock scams with large chunks of random text either side, and
while I'm updating my SA rules daily, I never seem able to keep ahead of
the game with these.   Eventually DCC and Razor2 catch up, but the first
couple of hours is always a problem and I end up cobbling together my
own rules to block specific spams.

I've been considering alternative approaches, and one which seems
attractive on the surface is to further analyse the message headers for
indications of spamminess - we've already got the Received headers, the
sender and recipient, and the Subject covered, but can the others be
used to provide an indication that the content is spam?  SA already
considers some of these in deciding things like whether the message
claims to be sent using Outlook but doesn't have the correct headers to
support this claim, but this is highly specific and not generally very
helpful.

I decided to look at the X-Mailer and X-MIMEOLE headers specifically,
and to extract these in a fairly ad-hoc way for each message, and then
add the details of the message, SA score, and mailer to a database
table.

I'd then propose to adjust the SA score based on an analysis of the
history data.  The adjustment would be equal to 10% of (the mean score
minus one standard deviation), so a small offset in most cases. 
Obviously my policy is up to me, so no-one has to do this, but I thought
I'd share my thoughts and experiences.

Applying this across a day's worth of traffic here produces some
promising results:

select count(*) as cnt,
round(sum(score),2) as total,
round(avg(score),2) as mean,
round(min(score),2) as min,
round(stddev(score),2) as stddev,
round((avg(score)-stddev(score))/10,2) as adj,
left(mailer,50) as mailer
from mail_msg
where mailer is not null
group by left(mailer,50)
order by mean;

+-----+---------+--------+---------+--------+-------+----------------------------------------------------+
| cnt | total   | mean   | min     | stddev | adj   | mailer                                             |
+-----+---------+--------+---------+--------+-------+----------------------------------------------------+
|   1 |  -11.43 | -11.43 |  -11.43 |   0.00 | -1.14 | StrongMail Enterprise 3.1.5(2.00.223)              |
|  22 | -226.31 | -10.29 | -101.21 |  28.81 | -3.91 | Microsoft CDO for Windows 2000                     |
|   4 |  -16.95 |  -4.24 |   -5.23 |   0.80 | -0.50 | Kana Connect 6                                     |
|   2 |   -5.65 |  -2.82 |   -2.97 |   0.15 | -0.30 | Roving Constant Contact 0 (http//www.constantconta |
|   1 |   -2.60 |  -2.60 |   -2.60 |   0.00 | -0.26 | Microsoft Outlook, Build 10.0.6626                 |
|   1 |   -2.60 |  -2.60 |   -2.60 |   0.00 | -0.26 | Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) |
|   4 |  -10.05 |  -2.51 |   -2.58 |   0.04 | -0.25 | Novell GroupWise Internet Agent 6.5.4              |
|   1 |   -2.51 |  -2.51 |   -2.51 |   0.00 | -0.25 | Lotus Notes Release 6.5.1 January 21, 2004         |
|   1 |   -2.47 |  -2.47 |   -2.47 |   0.00 | -0.25 | BBC EBS Custom Mailer v2                           |
|   1 |   -2.46 |  -2.46 |   -2.46 |   0.00 | -0.25 | Microsoft Outlook, Build 10.0.4024                 |
|   2 |   -4.76 |  -2.38 |   -2.41 |   0.03 | -0.24 | Lotus Notes Release 6.5.4 March 27, 2005           |
|   1 |   -2.35 |  -2.35 |   -2.35 |   0.00 | -0.23 | Apple Mail (2.750)                                 |
|   1 |   -2.33 |  -2.33 |   -2.33 |   0.00 | -0.23 | GlobalCrossing                                     |
|   1 |   -2.30 |  -2.30 |   -2.30 |   0.00 | -0.23 | Internet Mail Service (5.5.2658.27)                |
|   4 |   -8.95 |  -2.24 |   -2.34 |   0.08 | -0.23 | Internet Mail Service (5.5.2653.19)                |
|   6 |  -13.27 |  -2.21 |   -2.53 |   0.44 | -0.26 | Microsoft Office Outlook 11                        |
|   7 |  -14.66 |  -2.09 |   -2.50 |   0.50 | -0.26 | Microsoft Exchange V6.0.6603.0                     |
|  10 |  -19.32 |  -1.93 |   -2.22 |   0.12 | -0.21 | Internet Mail Service (5.5.2658.3)                 |
|   2 |   -3.85 |  -1.92 |   -1.93 |   0.01 | -0.19 | Microsoft MimeOLE V6.00.3790.504                   |
|   2 |   -3.50 |  -1.75 |   -2.60 |   0.85 | -0.26 | Lotus Notes Release 6.5.3 September 14, 2004       |
|  10 |  -17.15 |  -1.72 |   -2.09 |   0.22 | -0.19 | ColdFusion MX Application Server                   |
|   6 |  -10.25 |  -1.71 |   -2.30 |   0.77 | -0.25 | Microsoft Exchange V6.5.6944.0                     |
|   1 |   -1.67 |  -1.67 |   -1.67 |   0.00 | -0.17 | pyroclasticmailsplatterer 0.0.1                    |
|   1 |   -1.64 |  -1.64 |   -1.64 |   0.00 | -0.16 | AOL Email 22250                                    |
|   1 |   -1.64 |  -1.64 |   -1.64 |   0.00 | -0.16 | Microsoft MimeOLE V6.00.2800.1807                  |
|   1 |   -1.62 |  -1.62 |   -1.62 |   0.00 | -0.16 | Lotus Notes 653HF860
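The per-mailer statistics and the adjustment policy described above, as an added example (not code from the post or from MIMEDefang): it reproduces in Python what the SQL aggregation computes (grouping on the first 50 characters of the mailer string, MySQL's population STDDEV, adj = (mean - stddev) / 10) and applies the result to a new message's score. The mailer names and scores are constructed sample data. One caveat a defender will want, added here beyond the post: X-Mailer and X-MIMEOLE are chosen by the sender, so a string seen once has stddev 0 and its adjustment is driven entirely by that single message; the `min_count` parameter (an assumption of this example, not part of the posted policy) lets a deployment ignore small groups.

```python
"""Per-mailer SA score statistics and the 10% * (mean - stddev) adjustment.

Added example for this thread, not the poster's code and not part of
MIMEDefang or SpamAssassin. All mailer names and scores are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def mailer_key(mailer):
    """Group key: the first 50 characters, like left(mailer, 50) in the query."""
    return mailer[:50]


def mailer_stats(records, min_count=1):
    """records: iterable of (mailer, score). Messages without a mailer are
    skipped, like 'where mailer is not null'. Returns {key: row} with the
    query's columns. min_count (assumed here, not in the post) drops groups
    with too few messages to trust, since the header is sender-controlled."""
    groups = defaultdict(list)
    for mailer, score in records:
        if mailer is None:
            continue
        groups[mailer_key(mailer)].append(float(score))
    table = {}
    for key, scores in groups.items():
        if len(scores) < min_count:
            continue
        m, sd = mean(scores), pstdev(scores)   # MySQL STDDEV is the population form
        table[key] = {
            "cnt": len(scores),
            "total": round(sum(scores), 2),
            "mean": round(m, 2),
            "min": round(min(scores), 2),
            "stddev": round(sd, 2),
            "adj": round((m - sd) / 10, 2),     # 10% of (mean - one stddev)
        }
    return table


def rows_by_mean(table):
    """The 'order by mean' view: (key, row) pairs, lowest mean first."""
    return sorted(table.items(), key=lambda kv: kv[1]["mean"])


def adjusted_score(score, mailer, table):
    """Apply the group's adjustment to a new message's score (unchanged if unseen)."""
    row = table.get(mailer_key(mailer)) if mailer else None
    return round(score + row["adj"], 2) if row else score


# Constructed sample history: (mailer header value, SA score).
SAMPLE_HISTORY = [
    ("Kana Connect 6", -4.0), ("Kana Connect 6", -4.5),
    ("Kana Connect 6", -4.0), ("Kana Connect 6", -4.5),
    ("Microsoft CDO for Windows 2000", -10.0),
    ("Microsoft CDO for Windows 2000", 2.0),
    ("Roving Constant Contact 0 (http://www.constantcontact.com)", -2.9),
    ("SpamBot 9000", 12.5),    # a mailer string seen once, with a high score
    (None, 7.3),               # no X-Mailer at all: excluded from the table
]

if __name__ == "__main__":
    stats = mailer_stats(SAMPLE_HISTORY)
    for key, row in rows_by_mean(stats):
        print(f"{row['cnt']:3d} {row['mean']:7.2f} {row['stddev']:6.2f} "
              f"{row['adj']:6.2f}  {key}")
    print("adjusted:", adjusted_score(3.0, "Kana Connect 6", stats))
```

Note that the adjustment can be positive as well as negative: a mailer string whose history is all high-scoring spam pushes new messages carrying it upward, which is the part of the policy a spammer can influence simply by picking a fresh X-Mailer value for each run.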

Re: spamd vs. builtin SA (was Re: [Mimedefang] Patch: adding custom headers for SpamAssassin)

2006-11-24 Thread Jan-Pieter Cornet
On Fri, Nov 24, 2006 at 01:00:54PM +0100, Steffen Kaiser wrote:
> I was just wondering, because you shell-out one program per scan now. I
> was hoping that there is another way to connect to spamd.

Well, it's only a small C program, and it's likely in cache, not
executed via the shell but directly, so the overhead is pretty minimal
compared to the actual Mail::SpamAssassin scanning itself.

That said, after a little looking around, there's both a libspamc.so
available (without documentation?), and a protocol description in
the SA distribution in spamd/PROTOCOL. So it should be possible to
create a standalone perl version of spamc.

However, I probably won't bother... unless we can show that the overhead
is significant.

Oh, I'm using IPC::Open2 to write to and read from spamc, and prevent
tempfiles and executions via the shell. If you're interested, let me
know.

-- 
Jan-Pieter Cornet [EMAIL PROTECTED]
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-24 Thread Philip Prindeville
Kees Theunissen wrote:

> [snip]
>
>> There is a small problem with this approach - the Bayes database does not
>> learn phrases and words used in e-mail sent by your own users.
>
> Is that a problem if you don't scan these messages anyway?


That's a bonus, if you ask me.

If you post to a mailing list with a lot of traffic, like alsa-users for
instance, someone could use the text of your own postings (if they
wanted to work hard enough) to make the spam look more
legitimate (or at the very least, they could do a Markovian chain
analysis of the list to see what words in that corpus are specific to
it).

You could see people (harvesters) selling not only lists of addresses,
but also magic pass phrases to lower the defenses of Bayesian
filters.

It's like the grifter trick of listening to two blokes in a bar talking
about a third person, and then later approaching one of them and
telling him you know Joe (or whomever) to get into his
confidence.

-Philip



Re: spamd vs. builtin SA (was Re: [Mimedefang] Patch: adding custom headers for SpamAssassin)

2006-11-24 Thread Dave O'Neill
On Fri, Nov 24, 2006 at 05:27:08PM +0100, Jan-Pieter Cornet wrote:
> That said, after a little looking around, there's both a libspamc.so
> available (without documentation?), and a protocol description in
> the SA distribution in spamd/PROTOCOL. So it should be possible to
> create a standalone perl version of spamc.
>
> However, I probably won't bother... unless we can show that the overhead
> is significant.

There is a Mail::SpamAssassin::Client module that ships with SA, with
such confidence-building things in its documentation as:

   NOTE: This interface is alpha at best, and almost guaranteed to change

If anyone's inclined to speak to spamd directly from within their
filter, it might be a good starting point, but be prepared to fix your
code in future SpamAssassin releases.

Cheers,
Dave
-- 
Dave O'Neill [EMAIL PROTECTED]    Roaring Penguin Software Inc.
+1 (613) 231-6599                 http://www.roaringpenguin.com/
For CanIt technical support, please mail: [EMAIL PROTECTED]


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-24 Thread Philip Prindeville
Steffen Kaiser wrote:

> Last time I tried, sendmail did not recognize an SSL connection, I had to
> use stunnel to wrap the connection. Insofar, it makes no sense.


Well, I'm using it with T-bird and it works just fine.

I'm using the:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl


on the server.

What I haven't figured out is how to configure all of the
workstations at the company to use 587 for submission to the
mailhost, with certificates for authentication... but
without running a listener (i.e. each of the workstations
or servers runs logwatch nightly and submits daily reports,
but doesn't ever accept incoming SMTP connections).

Not positive that a queue runner is strictly necessary either,
except in the case where mailhost is down for PM at the
time that the reports are generated (otherwise, they'll
simply be dropped).

Tried running the internal workstations with submitting on
port 25 to the mailhost instead, but it was running MdF on
the logwatch reports... and they were being flagged as Spam.

Sigh.

-Philip






Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?

2006-11-24 Thread Jim McCullars


On Fri, 24 Nov 2006, Paul Murphy wrote:

> while I'm updating my SA rules daily, I never seem able to keep ahead of

   I feel your pain.  I have gotten to where I check my work email at
night to see what the latest pump-and-dump stock spam is and update SA
accordingly.  Ugh.

Jim McCullars
University of Alabama in Huntsville



RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?

2006-11-24 Thread Damrose, Mark
> -----Original Message-----
> From: Jim McCullars
>
> I feel your pain.  I have gotten to where I check my work
> email at night to see what the latest pump-and-dump stock
> spam is and update SA accordingly.  Ugh.

I've found that most of the stock spam has a unique Received header.
Some examples:


Received: from 213.56.31.142 (HELO smtp.oleane.net) by elgin.edu
with esmtp (30,,1N(4829S +/QM) id LLX8Z5-/084()-I* for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 10:31:31 -0060

Received: from 63.149.130.78 (HELO barracuda.1-stopnet.com) by
elgin.edu with esmtp (A+*33AUUHE*U +K686) id 6OM2K4-172DAP-Q/
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 10:43:06 -0480

Received: from 216.122.69.112 (HELO mail.safeserver.com) by
elgin.edu with esmtp ((1+D(0E EU=Y) id 7045B0-4R:LJT-EB for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 10:48:01 -0120

Received: from 210.189.80.22 (HELO mail.01allweb.com) by elgin.edu
with esmtp (LS,+-3(/ 5*XI:) id C?13,)-Q0:7(7-)D for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 11:08:20 -0480

Received: from 66.212.232.249 (HELO inon2.inetfast.com) by elgin.edu
with esmtp (XB'52:=D0/ .B-W) id YO-;1*-=T8'7Y-O5 for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 11:49:46 -0060

Received: from 209.142.136.249 (HELO mx2.centurytel.net) by
elgin.edu with esmtp (T)08O7Q,AG+ 63'A) id 0Z((B*-760A8P-T. for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:38:42 -0060

Received: from 80.127.154.82 (HELO mail.walraven.com) by elgin.edu
with esmtp (.5*V+;+3,RSN D511C) id ID95DH-6I9CU--65 for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:42:20 -0060

Received: from 64.18.5.13 (HELO WAMSINC.COM.MAIL7.PSMTP.com) by
elgin.edu with esmtp (,2-O)V7T9)? @C28) id 7;+LH;-FY(844-:7 for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:44:18 -0060

Received: from 64.214.48.68 (HELO mdegw01.mgipharma.com) by
elgin.edu with esmtp (942,L96+'P )J4J+,) id QMRGJ0-:PKD)6--L for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:49:20 -0060

Received: from 216.35.197.77 (HELO mail.zytronic.com) by elgin.edu
with esmtp (IK-24*R3 U)4UJ) id /ST525-0PO+(5-V for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:49:22 -0060

Note the bare IP with no brackets (not the IP of the bot).  
HELO random hostname in parentheses.
elgin.edu is my domain, but I do not have a host at the domain level
that relays mail.
Also note the UTC offset in the date format.  That field should be HHMM.
There are time zones that are not an even hour offset from UTC, but the
only ones I know of are 30 minutes, and a value of 60 or more makes no
sense.


The Date headers also have the odd UTC offset.

Date: Fri, 24 Nov 2006 10:31:31 -0060
Date: Fri, 24 Nov 2006 10:43:06 -0480
Date: Fri, 24 Nov 2006 10:48:01 -0120
Date: Fri, 24 Nov 2006 11:08:20 -0480
Date: Fri, 24 Nov 2006 11:49:46 -0060
Date:   Fri, 24 Nov 2006 12:38:42 -0060
Date:   Fri, 24 Nov 2006 12:42:20 -0060
Date:   Fri, 24 Nov 2006 12:44:18 -0060
Date:   Fri, 24 Nov 2006 12:49:20 -0060
Date:   Fri, 24 Nov 2006 12:49:22 -0060


Two rules that have been doing extremely well for me are:

# Received line claiming elgin.edu itself relayed the mail: "with esmtp (...) id ... for"
header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin\.edu with esmtp \(.+\)\s+id\s\S+\s+for/

# Date whose numeric zone has a minutes field of 10 or more (the -0060, -0480, -0120 forms above)
header ECC_ODD_TZ Date =~ /^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123456789]\d$/


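The header checks from the post above, written out as an added example in Python (mine, not the poster's SpamAssassin rules and not MIMEDefang code) so the logic can be run over sample headers: the implausible UTC offset, a Received line claiming the local MX itself relayed the mail with a lowercase "esmtp (...) id ... for" shape, and the bare-IP "from 1.2.3.4 (HELO name)" form. The MX name `mx.example.edu` and the sample headers are constructed stand-ins for the values in the post. The zone check goes slightly beyond the posted rule: instead of flagging any minutes field of 10 or more, it accepts the 30- and 45-minute offsets that exist and hours up to 14, and flags everything else.

```python
"""Header checks for the Received/Date oddities described in the post.

Added example, not the poster's rules and not MIMEDefang code.
OWN_HOST and the sample headers are constructed stand-ins.
"""
import re

# Constructed: the name of your own MX. The post's observation is that this
# name never appears as the *relaying* host in genuine Received lines.
OWN_HOST = "mx.example.edu"

# RFC 5322 numeric zone at the end of a date: +HHMM / -HHMM.
ZONE_RE = re.compile(r"([+-])(\d{2})(\d{2})$")
TRAILING_COMMENT_RE = re.compile(r"\s*\([^)]*\)\s*$")   # e.g. " (CET)"
# Real offsets are whole hours up to 14 plus a few 30- and 45-minute zones;
# minute fields such as 60, 80 or 20 do not exist, which is what the post spotted.
VALID_ZONE_MINUTES = {0, 30, 45}

# Forged shape from the post: "by OWN_HOST with esmtp (<garbage>) id <garbage> for",
# lowercase "esmtp" and no "(version)" after the host as sendmail would write.
FORGED_BY_RE = re.compile(
    r"\bby\s+" + re.escape(OWN_HOST) + r"\s+with\s+esmtp\s+\(.+?\)\s+id\s+\S+\s+for\b",
    re.S,
)
# "from 192.0.2.10 (HELO name)": a bare IP with no brackets, then a HELO comment.
BARE_IP_HELO_RE = re.compile(r"^\s*from\s+\d{1,3}(?:\.\d{1,3}){3}\s+\(HELO\s", re.I)


def zone_is_plausible(date_value):
    """True if the trailing numeric zone could be a real UTC offset."""
    value = TRAILING_COMMENT_RE.sub("", date_value).rstrip()
    m = ZONE_RE.search(value)
    if not m:
        return False            # no numeric zone at all; treat as suspicious
    hours, minutes = int(m.group(2)), int(m.group(3))
    return hours <= 14 and minutes in VALID_ZONE_MINUTES


def received_claims_own_relay(received_value):
    return FORGED_BY_RE.search(received_value) is not None


def received_from_bare_ip(received_value):
    return BARE_IP_HELO_RE.search(received_value) is not None


def header_hits(headers):
    """headers: list of (name, value). Returns the sorted names of checks that fire."""
    hits = set()
    for name, value in headers:
        n = name.lower()
        if n == "date" and not zone_is_plausible(value):
            hits.add("ODD_TZ")
        elif n == "received":
            # The date part of a Received line follows the last ';'.
            if ";" in value and not zone_is_plausible(value.rsplit(";", 1)[1]):
                hits.add("ODD_TZ_RCVD")
            if received_claims_own_relay(value):
                hits.add("FORGED_OWN_RCVD")
            if received_from_bare_ip(value):
                hits.add("BARE_IP_HELO")
    return sorted(hits)


# Constructed samples modelled on the headers quoted in the post; addresses are
# RFC 5737 / RFC 2606 placeholders, not the original values.
SPAM_HEADERS = [
    ("Received", "from 192.0.2.10 (HELO smtp.example.net) by mx.example.edu "
                 "with esmtp (30,,1N(4829S +/QM) id LLX8Z5-/084()-I* for "
                 "<user@example.edu>; Fri, 24 Nov 2006 10:31:31 -0060"),
    ("Date", "Fri, 24 Nov 2006 10:31:31 -0060"),
]
HAM_HEADERS = [
    ("Received", "from mail.example.net (mail.example.net [198.51.100.7]) by "
                 "mx.example.edu (8.13.8/8.13.8) with ESMTP id kAOAVVxx012345 for "
                 "<user@example.edu>; Fri, 24 Nov 2006 11:31:31 +0100 (CET)"),
    ("Date", "Fri, 24 Nov 2006 11:31:31 +0100 (CET)"),
]

if __name__ == "__main__":
    print("spam sample:", header_hits(SPAM_HEADERS))
    print("ham sample: ", header_hits(HAM_HEADERS))
```

Each check is a separate name so that, as with the poster's two SA rules, the scores can be tuned independently; the Received-line date is checked as well as the Date header because the post shows the same bogus offset in both places.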