On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam having subjects like these examples, in order of time:

Subject                                     From                To
FedEx Shipment 702193383647 Notification    j...@company1.com   s...@mycompany.it
FedEx Shipment 722566383641 Notification    a...@other.com      a...@mycompany.it
FedEx Shipment 734563383644 Notification    i...@company1.com   lo...@mycompany.it
A package for you jim                       b...@cocacola.com   j...@mycompany.it
A package for you sue                       j...@buster.com     s...@mycompany.it

These come from viruses that infect different PCs in the world that send the same spam.

I want to write a plugin that tests each email, giving a penalty to these mails.

Detection routine

A mail arrives

Subject is: FedEx Shipment 702193383647 Notification

I search in the maillog table for a regex that MATCHES FedEx Shipment 702193383647 Notification ALSO IN FedEx Shipment 722566383641 Notification AND IN FedEx Shipment 734563383644 Notification

If it matches, I verify that FROM DOMAIN IS DIFFERENT
And then I verify that TO ADDRESS IS DIFFERENT

Now I need a regex syntax to put all extracted words of the PHRASE FedEx Shipment 734563383644 Notification and match if it finds at least 3 of 4 words

Can someone help?


I don't follow exactly what you are trying to do in the description above, but for that problem, I would start with something like this:

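# Sender address is at fedex.com (anchored so fedex.com.example.net does not match)
header __FEDEX_ADDR From:addr /\@fedex\.com$/i
# Subject mentions a FedEx shipment
header __FEDEX_SUBJ Subject /FedEx Shipment/
# FedEx-style subject from a sender outside fedex.com
meta FEDEX_SPAM __FEDEX_SUBJ && ! __FEDEX_ADDR
score FEDEX_SPAM 2.0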

(Off the top of my head and completely untested.  Adjust score as required.)

This will hit any email with "FedEx Shipment" in the subject that doesn't come from fedex.com. Note that it will also hit on any legitimate FedEx emails that have been forwarded. You could minimize this by constraining the subject match to be at the beginning of the line (/^FedEx Shipment/). This may or may not have an effect on spam detection. You could also do a test for non-FedEx URLs in the body rather than looking at the sender.

You could use a simple subject line test for the "A package for you" emails, unless you know of a valid delivery service that uses that phrase.

--
Bowie
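
The detection routine described in the quoted question, sketched as an added example that is not part of either post and is not a SpamAssassin plugin: it generalizes "3 of 4 words" to a 75% word-overlap threshold and then requires a different sender domain and recipient. The maillog layout (a list of rows with subject, from, to), the function names, the minimum subject length and the sample addresses are all assumptions constructed for illustration.

```python
import math
import re


def words(subject):
    """Lower-cased word tokens of a subject line."""
    return re.findall(r"[a-z0-9]+", subject.lower())


def similar(subject, other, ratio=0.75, min_words=3):
    """True if at least `ratio` of the words in `subject` (3 of 4) occur in `other`."""
    mine = words(subject)
    if len(mine) < min_words:      # assumption: very short subjects are too generic
        return False
    theirs = set(words(other))
    hits = sum(1 for w in mine if w in theirs)
    return hits >= math.ceil(ratio * len(mine))


def domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def campaign_hits(msg, maillog):
    """Logged rows with a similar subject but a different sender domain and recipient."""
    return [
        row for row in maillog
        if similar(msg["subject"], row["subject"])
        and domain(row["from"]) != domain(msg["from"])
        and row["to"].lower() != msg["to"].lower()
    ]


def looks_like_campaign(msg, maillog, min_rows=2):
    """Penalize only when several independent senders used the same subject template."""
    return len(campaign_hits(msg, maillog)) >= min_rows


# Constructed sample maillog rows (hypothetical addresses under .example)
MAILLOG = [
    {"subject": "FedEx Shipment 722566383641 Notification",
     "from": "a@other.example", "to": "anna@mycompany.example"},
    {"subject": "FedEx Shipment 734563383644 Notification",
     "from": "i@company1.example", "to": "lo@mycompany.example"},
    {"subject": "A package for you sue",
     "from": "j@buster.example", "to": "sue@mycompany.example"},
    {"subject": "Quarterly invoice",
     "from": "billing@vendor.example", "to": "sue@mycompany.example"},
]
```

In a real deployment the overlap threshold and `min_rows` need tuning against legitimate bulk mail such as newsletters, which also share subjects across recipients.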
