procmail

Re: From addy that starts with an underscore filter problem

2001-11-30 08:34:59
A couple of false positives too:

From: Gamespot Weekly Specials <3(_dot_)295(_dot_)a0-_-iq__5qNNjgw9RR(_dot_)1(_at_)newsletter(_dot_)online(_dot_)com>
From: Account Link FYIs & Deals<Account_Link_FYIs_&_Deals_Customer_Service(_at_)pnc(_dot_)com>

Ridiculous emails, I know, but still false positives.

Eric

At 10:25 AM 11/30/2001 -0500, Eric Krichbaum wrote:
I stuck this one in and it's not catching them all.  Specifically, it missed:

From: "david basagic" <_dbasagic(_at_)mountain(_dot_)net>
From: "Don Land" <_dwl(_at_)access(_dot_)mountain(_dot_)net>

but I'm not seeing why? They both include the <_yadda@ pattern.

Any help, please?

Eric


At 10:04 PM 11/29/2001 -0600, David W. Tamkin wrote:
linux(_at_)usermail(_dot_)com asked,

| I was to block all mail with the From field that starts
| with a _.  This is so I can capture BadTrans without looking through
| the body.  I saw this somewhere:
|
| # Stupid BadTrans virus
| :0:
| * ^From: .  \<_.*\>$
| /var/log/Badtrans
|
| :0:
| * ^From: _.  \(. \)$
| /var/log/Badtrans
|
| I placed this in /etc/procmailrc and tested but it still is not
| capturing.  Can I get some input?

They're both flawed.  The first requires that there be a space after the
colon, followed by one non-word character, and then the underscore; the rest
of the line can hold anything but it must end in another non-word character.
The second demands the underscore next to the colon, one character that
could be anything, a space, a literal left parenthesis, one more character
that could be anything, another space, and a literal right parenthesis that
ends the line there.

I think that what we have there was written by someone who (a) doesn't
understand the difference between "." and ".*" in regexps, (b) thinks that
all From: lines will always be of the form

 From:address (name)
or
 From: name <address>

without being aware of

 From: address
nor
 From: <address>

(c) believes that angle brackets are magic if unescaped and need to be
escaped to be taken literally, and (d) doesn't grasp ORing with the pipe
symbol [not that (c) or (d) would matter if it weren't for misconception
(b)].

Try something like this:

 :0: # the brackets enclose caret, space, tab
 * ^From:(.*\<)?_[^     ]*@
 /var/log/Badtrans

It's not perfect, but after all that's one of the reasons you're spooling
matching messages off to another folder instead of cockily deleting them.



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail

Eric Krichbaum, MCSE NT4, MCSE Windows 2000, ASE, CCNA, CNA, A+, Net+, iNet+, CIW
For tech support contact 877-877-1136 x 4


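
An added example, not part of the original thread: it compares a Python approximation of the suggested recipe condition with a check that parses the From: header and tests only the start of the address's local part, which is where the two reported false positives differ from the intended targets. The sample headers, the `example.*` domains and the function names are constructed for illustration, and the regex is an approximation that writes procmail's `\<` as "one non-word character", as the thread describes it.

```python
import re
from email.utils import parseaddr

# Python approximation of the recipe condition  ^From:(.*\<)?_[^ \t]*@
# The thread describes procmail's \< as consuming one non-word character,
# so it is written here as [^A-Za-z0-9_]. This is not procmail's own engine.
RECIPE = re.compile(r'^From:(.*[^A-Za-z0-9_])?_[^ \t]*@')


def recipe_hits(header):
    """True if the approximated recipe condition matches the header line."""
    return RECIPE.search(header) is not None


def local_part_hits(header):
    """True only if the parsed address's local part begins with '_'."""
    field, _, value = header.partition(':')
    if field.lower() != 'from':
        return False
    _name, addr = parseaddr(value)
    local, at, _domain = addr.rpartition('@')
    return bool(at) and local.startswith('_')


# Constructed headers: the four From: layouts listed in the thread, then two
# shaped like the reported false positives (made-up names, example.* domains).
SAMPLES = [
    'From:_user1@example.net (Some User)',
    'From: "Some User" <_user2@example.net>',
    'From: _user3@example.net',
    'From: <_user4@example.net>',
    'From: Weekly Specials <3.295.a0-_-iq__5q.1@newsletter.example.com>',
    'From: Deals<Account_Link_FYIs_&_Deals_Customer_Service@example.com>',
]


def compare():
    """Return (recipe_hit, local_part_hit) for each constructed sample."""
    return [(recipe_hits(h), local_part_hits(h)) for h in SAMPLES]


if __name__ == '__main__':
    for header, (by_recipe, by_local) in zip(SAMPLES, compare()):
        print(f'recipe={by_recipe!s:5} local-part={by_local!s:5} {header}')
```

The last two samples match the approximated recipe because an underscore that follows any non-word character inside the local part satisfies it; the parsed check rejects them.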