checking a regex rule

General discussion about PopTray. You love it? You hate it? Talk about it here.

Moderators: KY Dave, jojobear99, Rdsok

Post Reply
pviton
Enthusiast
Posts: 47
Joined: Tue Aug 12, 2003 8:52 pm

checking a regex rule

Post by pviton » Mon Sep 26, 2005 5:48 pm

Can someone help me on this one? I'm trying to set up a rule which looks in a header field called X-Spam-Score for more than three parenthesized asterisks.

1. Am I correct that we can't refer explicitly to the text of a specific header field? That is, any expression that I write should NOT contain "X-Spam-Score"?

2. Assuming that this is correct, I have a regex rule which states

Area=Header
Func=Reg Expr
Text=\(\*{3,}\)
Not=0
Wav=
Delete=0
Ignore=0
EXE=
Important=0
Spam=0
Protect=0
Log=1


I'm testing this on a message which has as part of the header

X-Spam-Score: 22.40 (********************) [Tag at 5.00]

which should fire that rule, right? But nothing at all is written into the log file. Can anyone see what I'm doing wrong here?

User avatar
Rdsok
PopTray Family
Posts: 1460
Joined: Fri Mar 19, 2004 11:36 pm
Location: Norman, Oklahoma USA
Contact:

Post by Rdsok » Mon Sep 26, 2005 6:25 pm

I think you will find that the post from KY Dave here viewtopic.php?t=2704&highlight= should give you some ideas on creating your rule. While his checks using the subject line, yours could easily use the header to get what I think you want.

He actually covered more than what you are asking about, but it should still help.

Oh... and do not miss this good info about writing Regular Expressions... don't miss vitoco's post here viewtopic.php?t=1626

User avatar
KY Dave
Not the Developer
Posts: 1599
Joined: Thu Mar 14, 2002 7:29 pm
Location: Burkesville, KY. U.S.A.
Contact:

Re: checking a regex rule

Post by KY Dave » Mon Sep 26, 2005 8:41 pm

pviton wrote:Can someone help me on this one? I'm trying to set up a rule which looks in a header field called X-Spam-Score for more than three parenthesized asterisks.
KY Dave wrote: In your case, I suggest the following WILDCARD setup, It would look in the HEADER to find your spam marker (X-Spam-Score) and then look for the percentage. If below 86% the rules only MARK AS SPAM, 86% and above, the rules will DELETE it.

Your first rule MARKS AS SPAM any email with the percentage of 50.0% - 85.9%.

Code: Select all

MARK AS SPAM RULE

HEADER, WILDCARD, *X-HE-Spam-Score 5?.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*6?.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*7?.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*80.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*81.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*82.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*83.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*84.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*85.?*

IGNORE DON'T NOTIFY, MARK AS SPAM, ANY LINE
Your second rule DELETES any SPAM email with the percentage of 86.0% - 99.9%.

Code: Select all

DELETE SPAM RULE

ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*86.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*87.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*88.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*89.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*9?.?*

DELETE, ANY LINE
This example has the breaking point at 85.9% for MARK AS SPAM and 86.0% and above is DELETED. Email below the 50% threshold is not flagged.

Following this example, it would be easy for you to set the percentage at the point you would like to use.

If you need more help, include in your post a small snippet of your header showing the exact phrase you're wanting to find and the per centage.
Don't include personal info.
I know you didn't ask for a RULE using WILDCARDS, but I don't know anything about REG EXPR. :)

If you are only interested in REG EXPR then check the thread linked below...

viewtopic.php?t=1831
KY Dave

Family Blog
You can STOP SPAM using PopFile and PopTray.

User avatar
lemming
Groupie
Posts: 55
Joined: Sun Jan 09, 2005 3:51 am
Location: Malaysia

Re: checking a regex rule

Post by lemming » Tue Sep 27, 2005 6:09 am

Your regex appears to be correct. It could that there is no log entry simply because you did not have it marked as spam or deleted. I'd recommend mark as spam first for testing.

In addition, you could also read the spam score with a regex instead of counting the asterisks. I had previously written about a similar regex at
viewtopic.php?t=1552&start=60
(Just scroll down to the last posting with the subject: reading spam percentages from K9)

In your case, assuming you wanted you flag any score more than 5.00, the regex would be:

X-Spam-Score: ([56789]\.|\d\d\.\d\d)

Periods are special characters in regex, so that's why they are prefixed with a backslash. The pipe symbol | means "or", while the \d part just means "any digit".

Now this is also assuming your spam scores do not use padded zeroes, i.e. it must be 5.13 instead of 05.13 ; if there are padded zeroes, the \d\d\.\d\d section will not work properly.


-Lemming 8)
pviton wrote:Can someone help me on this one? I'm trying to set up a rule which looks in a header field called X-Spam-Score for more than three parenthesized asterisks.
....
2. Assuming that this is correct, I have a regex rule which states

Area=Header
Func=Reg Expr
Text=\(\*{3,}\)
Not=0
Wav=
Delete=0
Ignore=0
EXE=
Important=0
Spam=0
Protect=0
Log=1

I'm testing this on a message which has as part of the header

X-Spam-Score: 22.40 (********************) [Tag at 5.00]

which should fire that rule, right? But nothing at all is written into the log file. Can anyone see what I'm doing wrong here?

pviton
Enthusiast
Posts: 47
Joined: Tue Aug 12, 2003 8:52 pm

Post by pviton » Tue Sep 27, 2005 3:53 pm

lemming:
"Your regex appears to be correct. It could that there is no log entry simply because you did not have it marked as spam or deleted. I'd recommend mark as spam first for testing. "


Yes that's it, thanks! I hadn't realized that you couldn't generate an entry in the log file JUST by telling it to "Log Rule" - that you needed to provide some "real" action as well. With that done, everything works as it should.

Post Reply

Who is online

Users browsing this forum: No registered users and 14 guests