Re: problem with split line URL's
martin smith wrote: > I had a rule I was working on, it works on the example u pasted, be > interested if this works, if not if you could send me a sample to > work on. > Use at your own risk has I havent checked it that well for FP's Martin, I checked your rule for FPs for you, the results are: URL_A = full URL_B = rawbody OVERALL% SPAM% HAM% S/ORANK SCORE NAME 5106 917 41890.180 0.00 0.00 (all messages) 11 1101.000 1.00 1.00 MS_Broken_URL_A 0000.500 0.00 1.00 MS_Broken_URL_B That's 11 spam hits and 0 ham hits, so the FULL version did better in my e-mail corpus.
Re: problem with split line URL's
Martin yup - that works. I'll up the score and hopefully I'd be able to trap the things more realiably now.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 martin smith wrote: -Original Message- M>From: Martin Hepworth M>Sent: 31 May 2005 17:45 M>To: Robert Menschel M>Cc: SpamAssassin Users M>Subject: Re: problem with split line URL's M> M>Robert M> M>just got one in - no matches... M> M>If anyone wants an example let me know.. M> M>-- M>Martin Hepworth Ok just got a spam and that didn't fire so, did a quick revision, changed body to full. full MS_Broken_URL /\b(?!http)h\s?t\s?t\s?p\s?/i score MS_Broken_URL 1 describe MS_Broken_URL URL split between lines ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: problem with split line URL's
Martin Ta - I'll try that. I've submitted the full example for Loren and Bob to try their spam-jitsu on so we'll see how both ways go. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 martin smith wrote: -Original Message- M>From: Martin Hepworth M>Sent: 31 May 2005 17:45 M>To: Robert Menschel M>Cc: SpamAssassin Users M>Subject: Re: problem with split line URL's M> M>Robert M> M>just got one in - no matches... M> M>If anyone wants an example let me know.. M> M>-- M>Martin Hepworth Ok just got a spam and that didn't fire so, did a quick revision, changed body to full. full MS_Broken_URL /\b(?!http)h\s?t\s?t\s?p\s?/i score MS_Broken_URL 1 describe MS_Broken_URL URL split between lines ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
RE: problem with split line URL's
-Original Message- M>From: Martin Hepworth M>Sent: 31 May 2005 17:45 M>To: Robert Menschel M>Cc: SpamAssassin Users M>Subject: Re: problem with split line URL's M> M>Robert M> M>just got one in - no matches... M> M>If anyone wants an example let me know.. M> M>-- M>Martin Hepworth Ok just got a spam and that didn't fire so, did a quick revision, changed body to full. full MS_Broken_URL /\b(?!http)h\s?t\s?t\s?p\s?/i score MS_Broken_URL 1 describe MS_Broken_URL URL split between lines
RE: problem with split line URL's
M>-Original Message- M>From: Martin Hepworth [mailto:[EMAIL PROTECTED] M>Sent: 31 May 2005 17:45 M>To: Robert Menschel M>Cc: SpamAssassin Users M>Subject: Re: problem with split line URL's M> M>Robert M> M>just got one in - no matches... M> M>If anyone wants an example let me know.. M> M>-- M>Martin Hepworth I had a rule I was working on, it works on the example u pasted, be interested if this works, if not if you could send me a sample to work on. body MS_Broken_URL /\b(?!http)h\s?t\s?t\s?p\s?/i score MS_Broken_URL 1 describe MS_Broken_URL URL split between lines Use at your own risk has I havent checked it that well for FP's Martin
Re: problem with split line URL's
Robert just got one in - no matches... If anyone wants an example let me know.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Robert Menschel wrote: Hello Martin, Friday, May 27, 2005, 3:52:25 AM, you wrote: MH> Hi MH> I've been attempting to get the split line URL rule working - this one.. I believe the working rule that matches all active spam using this trick is now active in 70_sare_obfu.cf Bob Menschel ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: problem with split line URL's
is over 22 chars
warning: rule 'LOCAL_OBFU_ACYCLOVIR_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_PHENDIMETRAZINE' is over 22 chars
warning: rule 'LOCAL_OBFU_FIORICET_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_GENERIC_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_BONTRILE_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_MOUTHCHOKING_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_CARISOPRODOL' is over 22 chars
warning: rule 'LOCAL_OBFU_LEVITRA_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_VOLLGESPRITZT_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_FLEXTRA_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_REDUCTIL_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_SARAFEM_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_VALTREX_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_ESTRADIOL_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_SHEMALE_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_FLUOXETINE_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_TADALAFIL_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_WELLBUTRINE_SUBJ' is over 22 chars
{^_^}
- Original Message -
From: "jdow" <[EMAIL PROTECTED]>
To:
Sent: 2005 May, 31, Tuesday 02:45
Subject: Re: problem with split line URL's
Oops - spamassassin --lint barfed all over these new rules. Most of
their names were over the character count limit.
{^_^}
- Original Message -
From: "Martin Hepworth" <[EMAIL PROTECTED]>
Cc: "SpamAssassin Users"
Sent: 2005 May, 31, Tuesday 02:35
Subject: Re: problem with split line URL's
Bob
Ta - I've upgraded the rules and we'll see how we get on..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Robert Menschel wrote:
Hello Martin,
Friday, May 27, 2005, 3:52:25 AM, you wrote:
MH> Hi
MH> I've been attempting to get the split line URL rule working - this
one..
I believe the working rule that matches all active spam using this
trick is now active in 70_sare_obfu.cf
Bob Menschel
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**
Re: problem with split line URL's
works for me fine..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
jdow wrote:
Oops - spamassassin --lint barfed all over these new rules. Most of
their names were over the character count limit.
{^_^}
- Original Message -
From: "Martin Hepworth" <[EMAIL PROTECTED]>
Cc: "SpamAssassin Users"
Sent: 2005 May, 31, Tuesday 02:35
Subject: Re: problem with split line URL's
Bob
Ta - I've upgraded the rules and we'll see how we get on..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Robert Menschel wrote:
Hello Martin,
Friday, May 27, 2005, 3:52:25 AM, you wrote:
MH> Hi
MH> I've been attempting to get the split line URL rule working - this
one..
I believe the working rule that matches all active spam using this
trick is now active in 70_sare_obfu.cf
Bob Menschel
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**
Re: problem with split line URL's
Seems to be the 99_OBFU_drugs.cf file.
{^_^}
- Original Message -
From: "jdow" <[EMAIL PROTECTED]>
To:
Sent: 2005 May, 31, Tuesday 02:45
Subject: Re: problem with split line URL's
> Oops - spamassassin --lint barfed all over these new rules. Most of
> their names were over the character count limit.
> {^_^}
> - Original Message -
> From: "Martin Hepworth" <[EMAIL PROTECTED]>
> Cc: "SpamAssassin Users"
> Sent: 2005 May, 31, Tuesday 02:35
> Subject: Re: problem with split line URL's
>
>
> > Bob
> >
> > Ta - I've upgraded the rules and we'll see how we get on..
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > Robert Menschel wrote:
> > > Hello Martin,
> > >
> > > Friday, May 27, 2005, 3:52:25 AM, you wrote:
> > >
> > > MH> Hi
> > >
> > > MH> I've been attempting to get the split line URL rule working - this
> one..
> > >
> > > I believe the working rule that matches all active spam using this
> > > trick is now active in 70_sare_obfu.cf
> > >
> > > Bob Menschel
> > >
> > >
> > >
> >
> > **
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> >
> > **
>
Re: problem with split line URL's
CET_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_GENERIC_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_BONTRILE_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_MOUTHCHOKING_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_CARISOPRODOL' is over 22 chars
warning: rule 'LOCAL_OBFU_LEVITRA_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_VOLLGESPRITZT_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_FLEXTRA_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_REDUCTIL_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_SARAFEM_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_VALTREX_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_ESTRADIOL_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_SHEMALE_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_FLUOXETINE_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_TADALAFIL_SUBJ' is over 22 chars
warning: rule 'LOCAL_OBFU_WELLBUTRINE_SUBJ' is over 22 chars
{^_^}
- Original Message -
From: "jdow" <[EMAIL PROTECTED]>
To:
Sent: 2005 May, 31, Tuesday 02:45
Subject: Re: problem with split line URL's
> Oops - spamassassin --lint barfed all over these new rules. Most of
> their names were over the character count limit.
> {^_^}
> - Original Message -
> From: "Martin Hepworth" <[EMAIL PROTECTED]>
> Cc: "SpamAssassin Users"
> Sent: 2005 May, 31, Tuesday 02:35
> Subject: Re: problem with split line URL's
>
>
> > Bob
> >
> > Ta - I've upgraded the rules and we'll see how we get on..
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > Robert Menschel wrote:
> > > Hello Martin,
> > >
> > > Friday, May 27, 2005, 3:52:25 AM, you wrote:
> > >
> > > MH> Hi
> > >
> > > MH> I've been attempting to get the split line URL rule working - this
> one..
> > >
> > > I believe the working rule that matches all active spam using this
> > > trick is now active in 70_sare_obfu.cf
> > >
> > > Bob Menschel
> > >
> > >
> > >
> >
> > **
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> >
> > **
>
Re: problem with split line URL's
Oops - spamassassin --lint barfed all over these new rules. Most of
their names were over the character count limit.
{^_^}
- Original Message -
From: "Martin Hepworth" <[EMAIL PROTECTED]>
Cc: "SpamAssassin Users"
Sent: 2005 May, 31, Tuesday 02:35
Subject: Re: problem with split line URL's
> Bob
>
> Ta - I've upgraded the rules and we'll see how we get on..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Robert Menschel wrote:
> > Hello Martin,
> >
> > Friday, May 27, 2005, 3:52:25 AM, you wrote:
> >
> > MH> Hi
> >
> > MH> I've been attempting to get the split line URL rule working - this
one..
> >
> > I believe the working rule that matches all active spam using this
> > trick is now active in 70_sare_obfu.cf
> >
> > Bob Menschel
> >
> >
> >
>
> **
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **
Re: problem with split line URL's
Bob Ta - I've upgraded the rules and we'll see how we get on.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Robert Menschel wrote: Hello Martin, Friday, May 27, 2005, 3:52:25 AM, you wrote: MH> Hi MH> I've been attempting to get the split line URL rule working - this one.. I believe the working rule that matches all active spam using this trick is now active in 70_sare_obfu.cf Bob Menschel ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: problem with split line URL's
Hello Martin, Friday, May 27, 2005, 3:52:25 AM, you wrote: MH> Hi MH> I've been attempting to get the split line URL rule working - this one.. I believe the working rule that matches all active spam using this trick is now active in 70_sare_obfu.cf Bob Menschel
Re: problem with split line URL's
Loren Wilton wrote: Which dont seem to trigger the above rule. Any ideas? Not really. That's my rule and it works fine here, and many other places. However, you aren't the first to say it doesn't work for them. I'm guessing you are using something other than procmail/spamd to process mail, or maybe you are running on a windows/mac box? My guess is that something is taking the bare cr characters and helpfully either changing them to actual newlines or sticking newlines before or after them. Since I specifically check for a bare \r character rather than \r\n, if something is decorating the \r characters the rule won't fire. Just for grins try changing the rule to something like this and see if it works, and let us know: rawbody __LW_URI_CR1 /href=\"[^"]*\r\n?/is full __LW_URI_CR2 /href=\"[^"]*\r\n?/is meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2 score LW_URI_CR 2 describe LW_URI_CR unescaped cr in uri Loren Loren yup I'm using MailScanner to drive SA. I'll try your alternative and see how we get on... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: problem with split line URL's
Loren ok I've added the alternative in with a slightly different name so I've got both in the setup. I note that if I run spamassassin -D < test.eml on an example the rules don't fire either, so I don't think its MailScanner getting in the way. Running SA 3.0.3 (from CPAN) with perl 5.8.5 (from the FreeBSD ports tree) running on FreeBSD 4.10 if thats of any use. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Loren Wilton wrote: Which dont seem to trigger the above rule. Any ideas? Not really. That's my rule and it works fine here, and many other places. However, you aren't the first to say it doesn't work for them. I'm guessing you are using something other than procmail/spamd to process mail, or maybe you are running on a windows/mac box? My guess is that something is taking the bare cr characters and helpfully either changing them to actual newlines or sticking newlines before or after them. Since I specifically check for a bare \r character rather than \r\n, if something is decorating the \r characters the rule won't fire. Just for grins try changing the rule to something like this and see if it works, and let us know: rawbody __LW_URI_CR1 /href=\"[^"]*\r\n?/is full __LW_URI_CR2 /href=\"[^"]*\r\n?/is meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2 score LW_URI_CR 2 describe LW_URI_CR unescaped cr in uri Loren ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: problem with split line URL's
> Which dont seem to trigger the above rule. Any ideas? Not really. That's my rule and it works fine here, and many other places. However, you aren't the first to say it doesn't work for them. I'm guessing you are using something other than procmail/spamd to process mail, or maybe you are running on a windows/mac box? My guess is that something is taking the bare cr characters and helpfully either changing them to actual newlines or sticking newlines before or after them. Since I specifically check for a bare \r character rather than \r\n, if something is decorating the \r characters the rule won't fire. Just for grins try changing the rule to something like this and see if it works, and let us know: rawbody __LW_URI_CR1 /href=\"[^"]*\r\n?/is full __LW_URI_CR2 /href=\"[^"]*\r\n?/is meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2 score LW_URI_CR 2 describe LW_URI_CR unescaped cr in uri Loren
