checking a regex rule

Posted: Mon Sep 26, 2005 5:48 pm
by pviton
Can someone help me on this one? I'm trying to set up a rule which looks in a header field called X-Spam-Score for more than three parenthesized asterisks.

1. Am I correct that we can't refer explicitly to the text of a specific header field? That is, any expression that I write should NOT contain "X-Spam-Score"?

2. Assuming that this is correct, I have a regex rule which states

Area=Header
Func=Reg Expr
Text=\(\*{3,}\)
Not=0
Wav=
Delete=0
Ignore=0
EXE=
Important=0
Spam=0
Protect=0
Log=1


I'm testing this on a message which has as part of the header

X-Spam-Score: 22.40 (********************) [Tag at 5.00]

which should fire that rule, right? But nothing at all is written into the log file. Can anyone see what I'm doing wrong here?

Posted: Mon Sep 26, 2005 6:25 pm
by Rdsok
I think you will find that the post from KY Dave here viewtopic.php?t=2704&highlight= should give you some ideas on creating your rule. While his checks use the subject line, yours could easily use the header to get what I think you want.

He actually covered more than what you are asking about, but it should still help.

Oh... and do not miss this good info about writing Regular Expressions... don't miss vitoco's post here viewtopic.php?t=1626

Re: checking a regex rule

Posted: Mon Sep 26, 2005 8:41 pm
by KY Dave
pviton wrote:Can someone help me on this one? I'm trying to set up a rule which looks in a header field called X-Spam-Score for more than three parenthesized asterisks.
KY Dave wrote: In your case, I suggest the following WILDCARD setup. It would look in the HEADER to find your spam marker (X-Spam-Score) and then look for the percentage. If below 86% the rules only MARK AS SPAM, 86% and above, the rules will DELETE it.

Your first rule MARKS AS SPAM any email with the percentage of 50.0% - 85.9%.

MARK AS SPAM RULE

HEADER, WILDCARD, *X-Spam-Score*5?.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*6?.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*7?.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*80.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*81.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*82.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*83.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*84.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*85.?*

IGNORE DON'T NOTIFY, MARK AS SPAM, ANY LINE

Your second rule DELETES any SPAM email with the percentage of 86.0% - 99.9%.

DELETE SPAM RULE

ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*86.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*87.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*88.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*89.?*
ADD LINE ->  HEADER, WILDCARD, *X-Spam-Score*9?.?*

DELETE, ANY LINE

This example has the breaking point at 85.9% for MARK AS SPAM and 86.0% and above is DELETED. Email below the 50% threshold is not flagged.

Following this example, it would be easy for you to set the percentage at the point you would like to use.

If you need more help, include in your post a small snippet of your header showing the exact phrase you're wanting to find and the percentage.
Don't include personal info.
I know you didn't ask for a RULE using WILDCARDS, but I don't know anything about REG EXPR. :)

If you are only interested in REG EXPR then check the thread linked below...

viewtopic.php?t=1831

Re: checking a regex rule

Posted: Tue Sep 27, 2005 6:09 am
by lemming
Your regex appears to be correct. It could be that there is no log entry simply because you did not have it marked as spam or deleted. I'd recommend mark as spam first for testing.

In addition, you could also read the spam score with a regex instead of counting the asterisks. I had previously written about a similar regex at
viewtopic.php?t=1552&start=60
(Just scroll down to the last posting with the subject: reading spam percentages from K9)

In your case, assuming you wanted to flag any score more than 5.00, the regex would be:

X-Spam-Score: ([56789]\.|\d\d\.\d\d)

Periods are special characters in regex, so that's why they are prefixed with a backslash. The pipe symbol | means "or", while the \d part just means "any digit".

Now this is also assuming your spam scores do not use padded zeroes, i.e. it must be 5.13 instead of 05.13 ; if there are padded zeroes, the \d\d\.\d\d section will not work properly.


-Lemming 8)
pviton wrote:Can someone help me on this one? I'm trying to set up a rule which looks in a header field called X-Spam-Score for more than three parenthesized asterisks.
....
2. Assuming that this is correct, I have a regex rule which states

Area=Header
Func=Reg Expr
Text=\(\*{3,}\)
Not=0
Wav=
Delete=0
Ignore=0
EXE=
Important=0
Spam=0
Protect=0
Log=1

I'm testing this on a message which has as part of the header

X-Spam-Score: 22.40 (********************) [Tag at 5.00]

which should fire that rule, right? But nothing at all is written into the log file. Can anyone see what I'm doing wrong here?

Posted: Tue Sep 27, 2005 3:53 pm
by pviton
lemming:
"Your regex appears to be correct. It could be that there is no log entry simply because you did not have it marked as spam or deleted. I'd recommend mark as spam first for testing."


Yes that's it, thanks! I hadn't realized that you couldn't generate an entry in the log file JUST by telling it to "Log Rule" - that you needed to provide some "real" action as well. With that done, everything works as it should.
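
Added example (not posted by anyone in this thread): a small Python harness that runs the two regexes quoted above against the header from the first post plus three constructed headers, to show where each one fires or misses, including the padded-zero case lemming mentions. It assumes Python's `re` treats these patterns the same way the mail filter's regex engine does; `SCORE_NUM` and `score_over` are hypothetical names for a numeric comparison added here as an alternative.

```python
import re

# Patterns quoted from the thread.
ASTERISKS = re.compile(r"\(\*{3,}\)")                           # pviton's rule text
SCORE_RE = re.compile(r"X-Spam-Score: ([56789]\.|\d\d\.\d\d)")  # lemming's rule text

# Added alternative (assumption, not from the thread): capture the number
# and compare it numerically instead of matching digit shapes.
SCORE_NUM = re.compile(r"^X-Spam-Score:\s*(-?\d+(?:\.\d+)?)", re.M | re.I)


def score_over(headers, threshold=5.0):
    """True if a parsable X-Spam-Score is at or above the threshold."""
    m = SCORE_NUM.search(headers)
    return bool(m) and float(m.group(1)) >= threshold


# Only "thread" is taken from the first post; the others are constructed.
SAMPLES = {
    "thread": "X-Spam-Score: 22.40 (********************) [Tag at 5.00]",
    "low":    "X-Spam-Score: 1.20 (*) [Tag at 5.00]",
    "padded": "X-Spam-Score: 01.20 (*) [Tag at 5.00]",
    "three":  "X-Spam-Score: 104.10 (********************) [Tag at 5.00]",
}


def evaluate(headers):
    """Run all three checks against one header block."""
    return {
        "asterisks": bool(ASTERISKS.search(headers)),
        "score_re": bool(SCORE_RE.search(headers)),
        "numeric": score_over(headers),
    }


def report():
    return {name: evaluate(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:8} {result}")
```

The "padded" sample is flagged by the score regex even though its value is 1.20, and the "three" sample (a three-digit score) is missed by it; the numeric comparison handles both.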