procmail

Re: restricted form

2003-01-30 22:49:31
At 23:06 2003-01-30 -0500, fleet(_at_)teachout(_dot_)org wrote:
So far I've only seen it used where ID is capitalized (for whatever that's worth).

Well, you could set the case-sensitivity flag for the recipe (then, make sure the character classes are defined as [a-zA-Z]).

Running the following grep against over a thousand known spam messages and over several
thousand personal messages resulted in hits ONLY on spam messages.

[~/]$ grep "[0-9][0-9][0-9][0-9][0-9][0-9]\
[a-z][0-9][a-z][a-z][0-9][0-9]\$\
[a-z][a-z][a-z][0-9][0-9][0-9][0-9][0-9]\$\
[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" *

This gets kind of lengthy as a procmail recipe - is there a way to say something like
[0-9]x5 etc.?  (where x="times")

Using grep?  Sure, see the manpages for it (search for "repetition" operator):

[0-9]{5}

Using procmail? Not in the same fashion, because it doesn't support all the extended regexps (or the POSIX-style character class definitions, which would be nice). But, you can use macros if you have a limited number of variations to deal with:

DIGITS=[0-9]
DIGITSX2=${DIGITS}${DIGITS}
DIGITSX3=${DIGITSX2}${DIGITS}
DIGITSX4=${DIGITSX2}${DIGITSX2}
DIGITSX5=${DIGITSX3}${DIGITSX2}
DIGITSX6=${DIGITSX2}${DIGITSX2}${DIGITSX2}
(etc)

:0:
* $ ^Message-ID:[       ]*<${DIGITSX6}[a-z]${DIGITS}[a-z][a-z]${DIGITSX2}\
        [\$][a-z][a-z][a-z]${DIGITSX5}[\$]${DIGITSX6}${DIGITSX2}@
spew.mbx

That last bit with two consecutive digit expressions is because I didn't want to continue the above macros to term, and it also demonstrates that you can stick two similar macros next to each other - they simply expand.

The spam messages tested against were collected over the past 15 days and there are about 40
hits on this form.  Is it possible this is the work of one individual?

Possibly. More likely is that all the spew was simply sent using the same tool.

I ran it against all my extracted spam from the past 30 days (721 messages, FWIW), and it only caught one of the messages in the archive, but yea, it did follow the 7.3 extension as well. However, having said that, I _didn't_ run it against the rest of my mail to see about false positives.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
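
The macro approach in the message above can be checked outside procmail by building the same pattern from shell variables and comparing it with the `grep -E` interval form. This is an added example, not part of the original message; the sample Message-ID lines and the example.invalid domain are constructed, and `[[:space:]]` stands in for the space/tab bracket of the recipe.

```shell
#!/bin/sh
# Added example (not from the original message). Sample headers are constructed.
LC_ALL=C; export LC_ALL   # keep [a-z] strictly lowercase regardless of locale

# Macro-style pattern: each variable expands in place, as in the procmailrc above.
D='[0-9]'
D2="$D$D"; D3="$D2$D"; D5="$D3$D2"; D6="$D2$D2$D2"
MACRO_RE="^Message-ID:[[:space:]]*<${D6}[a-z]${D}[a-z][a-z]${D2}[\$][a-z][a-z][a-z]${D5}[\$]${D6}${D2}@"

# Same shape with ERE interval operators, which grep -E accepts.
INTERVAL_RE='^Message-ID:[[:space:]]*<[0-9]{6}[a-z][0-9][a-z]{2}[0-9]{2}[$][a-z]{3}[0-9]{5}[$][0-9]{8}@'

sample_headers() {
cat <<'EOF'
Message-ID: <123456a7bc89$def01234$56789012@example.invalid>
Message-ID:<000001z9qq00$abc99999$00000000@example.invalid>
Message-ID: <123456A7BC89$DEF01234$56789012@example.invalid>
Message-ID: <12345a7bc89$def01234$56789012@example.invalid>
Message-ID: <123456a7bc89$def0123$56789012@example.invalid>
Message-ID: <20030130224931.GA1234@example.invalid>
X-Note: Message-ID: <123456a7bc89$def01234$56789012@example.invalid>
EOF
}

# Single-line checks: exit status 0 means the header matches the form.
matches_macro()    { printf '%s\n' "$1" | grep -q  "$MACRO_RE"; }
matches_interval() { printf '%s\n' "$1" | grep -Eq "$INTERVAL_RE"; }

# Hit counts over the constructed sample.
count_macro()    { sample_headers | grep -c  "$MACRO_RE"; }
count_interval() { sample_headers | grep -Ec "$INTERVAL_RE"; }
# -i approximates procmail's default (case-insensitive unless the D flag is set).
count_nocase()   { sample_headers | grep -Eic "$INTERVAL_RE"; }

echo "macro form:       $(count_macro) hits"
echo "interval form:    $(count_interval) hits"
echo "case-insensitive: $(count_nocase) hits"
```

The uppercase variant only matches in the case-insensitive run, and the `X-Note:` line is skipped because the pattern is anchored to the start of the header, unlike an unanchored grep over whole message files.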

