procmail

Re: spam recipe - need help understanding a false positive

2001-11-18 03:50:39
On 17 Nov, Professional Software Engineering wrote:
| At 23:56 2001-11-17 -0500, Louis LeBlanc wrote:
| 
| >Here is the recipe that caused the false positive:
| >#####################################
| >:0DBHfhw
| >* ^Subject:.*SEX|FREE SEX|LESBIANS| XXX |HARDCORE|GAY
| 
| I would suggest that when you OR conditions, you properly enclose them in 
| parentheses.  This one especially, since you have it flagged to check the 
| body as well (why???).
| 
| * ^Subject:.*(SEX|FREE SEX|LESBIANS| XXX |HARDCORE|GAY)
| 
| [...]
| 
| BTW - I expect that your own message (received back from the list) will 
| have tripped your rule.  So too, will this one.
| 
| >Content-type: multipart/signed; protocol="application/x-pkcs7-signature";
| >  micalg=sha1; boundary="------------ms050202050905060702080900"
| 
| Your multipart boundaries are not included in the message you 
| forwarded.  My guess is that the match occurred there.
| 

Sean is exactly right and this is just to confirm there are two matches
in the attached signature, which did come through my client software
correctly:

AgMBAAGjTjBMMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzAS
                                    ^^^
MjAwMC44LjMwAgMGHS4wCQYFKw4DAhoFAKCCAWEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH
                                        ^^^

Besides Sean's advice to properly add parentheses, and echoing his
wonderment that the body is included in this particular recipe, if
you're searching message bodies I'd suggest using word boundaries.
Something like "\<(word1|word2)\>" should reduce false positives. I
doubt it'll eliminate them, and it might also increase false negatives,
but you probably have to pay one of those prices to body search
messages with encoded attachments, signatures, etc.

-- 
Reply to list please, or append "6" to "procmail" in address if you must.
Spammers' unrelenting address harvesting forces me to this...reluctantly.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
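
Added example, not part of the original thread: a Python sketch comparing the original condition, the parenthesized one, and a word-boundary body search against constructed messages, one of which carries the first base64 line quoted in the reply above. Assumptions: Python's `re` stands in for procmail's matcher, `\b` approximates procmail's `\<` and `\>`, headers and body are searched together to model the H and B flags, and matching is case-sensitive as the D flag requests.

```python
import re

WORDS = r"SEX|FREE SEX|LESBIANS| XXX |HARDCORE|GAY"

PATTERNS = {
    # Original condition: '|' binds loosest, so only SEX is tied to
    # ^Subject:; every other alternative can match anywhere in the text.
    "original": re.compile(r"^Subject:.*" + WORDS, re.M),
    # Parenthesized: the whole alternation must follow ^Subject: on one line.
    "grouped": re.compile(r"^Subject:.*(" + WORDS + r")", re.M),
    # Word-boundary search anywhere (word list trimmed of padding spaces).
    "bounded": re.compile(r"\b(SEX|LESBIANS|XXX|HARDCORE|GAY)\b"),
}

# Constructed headers; the addresses are placeholders.
HEADERS = "From: sender@example.org\nSubject: test message\n\n"

# First base64 line quoted in the reply above; it contains "GAY".
SIG = ("AgMBAAGjTjBMMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQ"
       "cml2YXRlTGFiZWwxLTI5NzAS")

SAMPLES = {
    # Constructed: innocent mail with the signature line in its body.
    "signed_mail": HEADERS + "Hello list,\n\n" + SIG + "\n",
    # Constructed: '+' and '/' belong to the base64 alphabet but are
    # non-word characters, so a word boundary can still occur around GAY.
    "b64_edge": HEADERS + "QUJD+GAY/ZGVm\n",
    # Constructed: a subject the recipe is actually meant to catch.
    "spam_subject": "From: x@example.org\nSubject: HARDCORE offer\n\nhi\n",
}


def matches(text):
    """Return which pattern variants fire on a full message (headers + body)."""
    return {name: bool(p.search(text)) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, matches(msg))
```

The `b64_edge` sample shows why word boundaries reduce but do not eliminate false positives when encoded attachments are body-searched.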