On Fri, 25 Nov 2011, Kevin A. McGrail wrote:
> On 11/25/2011 11:06 AM, Kevin A. McGrail wrote:
> > On 11/25/2011 12:23 AM, Alex wrote:
> > > Some time ago we created the following rule on this list to identify
> > > mail with less than 200 characters in the body:
> > >
> > > rawbody __KB_RAWBODY_200 /^.{0,200}$/s
> > >
> > > I'm finding that it's hitting on mail that is much larger than 200
> > > characters and I don't understand why.
> > I see the same issue on trunk and 3.3.2. Playing with code now since I
> > see this type of crap spam a lot as well.
> It was a brilliantly simple idea but this concept won't work if I am looking
> at things correctly. The loop for the pattern test appears to test line by
> line. So if a single line is less than 200 chars, you are hitting the rule.
Yup.
Putting something like this in your testbed ruleset makes it obvious when
you run in rule debug mode:
rawbody ALL_RAWBODY /.+/
tflags ALL_RAWBODY multiple
Perhaps this:
rawbody __RB_CHAR /./
tflags __RB_CHAR multiple maxhits=201
meta __BODY_LE_200 __RB_CHAR <= 200
The maxhits= limits the inherent inelegance of this rule.
This is probably better, though:
rawbody __RB_LE_200 /^.{0,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
If there's only one short line in the body, and no long lines, the entire
body is short.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
30 days until Christmas
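The line-by-line behaviour Kevin describes, and the two counting approaches John proposes, modelled in Python as an added example (this is not code from the thread and not SpamAssassin's own evaluator). It assumes, as the thread states, that a rawbody rule sees the body one line at a time, and that `tflags multiple` counts every regex match up to `maxhits`; both are simplifications of what SpamAssassin actually does, and the sample bodies are constructed for the demonstration.

```python
import re

# Constructed sample bodies (not taken from the thread).
SHORT_BODY = "Buy now!\n"                                        # 8 chars, one line
LONG_BODY_SHORT_LINES = "\n".join("line %d is short" % i for i in range(30)) + "\n"
LONG_LINE_BODY = "x" * 300 + "\n"                                 # one 300-char line
MIXED_BODY = "hello\n" + "y" * 250 + "\n"                         # short line then long line


def rawbody_hits(body, pattern, multiple=False, maxhits=None):
    """Model of a rawbody rule as described in the thread (assumption):
    the regex is applied to each line separately, never to the whole body.
    Without 'multiple' the rule fires at most once; with 'multiple' every
    regex match is counted, stopping once maxhits is reached."""
    rx = re.compile(pattern, re.S)
    hits = 0
    for line in body.splitlines():
        for _ in rx.finditer(line):
            hits += 1
            if not multiple:
                return 1
            if maxhits is not None and hits >= maxhits:
                return hits
    return hits


def naive_le_200(body):
    """Alex's original rule: rawbody __KB_RAWBODY_200 /^.{0,200}$/s
    Fires whenever ANY single line is 200 chars or shorter."""
    return rawbody_hits(body, r"^.{0,200}$") > 0


def charcount_le_200(body):
    """John's first proposal: count characters with /./, capped at 201,
    then meta __BODY_LE_200 __RB_CHAR <= 200."""
    return rawbody_hits(body, r".", multiple=True, maxhits=201) <= 200


def line_based_le_200(body):
    """John's second proposal: exactly one short line and no line of
    201+ chars, i.e. meta (__RB_LE_200 == 1) && !__RB_GT_200."""
    short_lines = rawbody_hits(body, r"^.{0,200}$", multiple=True, maxhits=2)
    long_lines = rawbody_hits(body, r"^.{201}")
    return short_lines == 1 and long_lines == 0


if __name__ == "__main__":
    for name, body in [("short", SHORT_BODY),
                       ("many short lines", LONG_BODY_SHORT_LINES),
                       ("one long line", LONG_LINE_BODY),
                       ("short + long line", MIXED_BODY)]:
        print("%-18s naive=%-5s charcount=%-5s line_based=%s" % (
            name, naive_le_200(body), charcount_le_200(body), line_based_le_200(body)))
```

Running it shows the false positive Alex reported: the naive rule fires on a 450-character body made of 30 short lines (and on a body whose first line is short even though the next is 250 characters), while both replacement rules stay quiet on those and still fire on the genuinely short body.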