Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - RegEx for Dan
  FAQ FAQ  Forum Search   Register Register  Login Login

RegEx for Dan

 Post Reply Post Reply
Author
john1 View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote john1 Quote  Post ReplyReply Direct Link To This Post Topic: RegEx for Dan
    Posted: 16 July 2003 at 2:50pm

Dan,

We have been trying your RegEx for keywords (even though you cautioned against it). Seems to help nicely. If you are interested in any spam that slips through, is there some way to comunicate with you so we can try to add these additional bad guys to the RegEx list of keywords?

John

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2003 at 5:05pm

I am trying to create a way to work, collectivly, on RegEx's without publicly posting my address.  I also feel that if we come up with anything "super inovative", the rest of the users should benifit ... fighting Spam should not be some sort of "gaurded secret" which is why I have posted what I have worked on so far.

At the moment, I am in the process of preparing to upgrade our Border Router and have a deadline of Friday at 8:00PM so I doubt I will come up with anything prior to that.  If you have any thoughts, please let me know.

Dan S.

 

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 July 2003 at 5:11pm

BTW ... Which "version" of my filter lists are you trying out?  And are you using the "fromEmail" list?   Are you attempting to check for false positives?

Dan S.

Back to Top
John1 View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote John1 Quote  Post ReplyReply Direct Link To This Post Posted: 17 July 2003 at 12:18pm

Dan,

Here is the list we are trying.

We check the quaranteen log for false positives (sometimes).

BTW, can you offer some explaination of the 1st RexEx expression?  (Just got Mastering Regular Expressions Book yesterday. Very good book!)

========================================

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])

(href=" <http://+[\d></">http://+>[\d])

( <http://.{0,10}%[\d></">http://.{0,10}>%[\d])

(<[!--]+[a-zA-Z0-9]{2}(-->))

((<font color="#ffffff">.*){3,8})

((\|.*){11,})

(content\-type:\x20text/html\r\ncontent-transfer\-encoding:\x20base64\r\n)

( <http://www..*.(com|net|org)@www></">http://www..>*.(com|net|org)@www)

((limited time (special|offer)))

pro2ware.biz

text-decoration: blink

98207.biz

herbalpillsonline

pillsavings

red.ecablenetwork.com

horfinc.com

click here to start

thousands of other email providers

gsc-100

img src=3D"</">http://>

is a one time mailing

your privacy is extremely important to us

one of our member sites

 

John

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 17 July 2003 at 3:34pm

Here is from my previous post:

(<[!--]+[\x20]{0,1}[a-zA-Z0-9]{10,}[\x20]{0,1}[!--])
  • <                    look for an open tag start character, immediately followed by...
  •  [!--]+            looks for 1 or more  !-- characters indicating an html comment, immediately followed by...
  • [\x20]{0,1}    looks for 0 or 1 space (hex 20) followed by ....
  • [a-zA-Z0-9]{10,} 10 or more alphanumeric characters   (*** see note below)
  • [\x20]{0,1}    looks for 0 or 1 space (hex 20) followed by ....
  • [!--]               Any one of these characters should indicate that the tag is being closed
***  The original reason for 11  (now 10) was because <blockquote> is a 10 char tag that is valid but I ran 400 messages through with that tag and got no blocks because I have yet to see one that has !-- in it.
 
I tested it with <!--IncrdiXMLRemarkStart> and it doesn't block it HOWEVER,  I do see what seem to be valid "News Letters" with the following tag ... <!--messageREACH-object-start-->.  These DO get blocked.  Oddly enough, EVERY one of these messages (31 out of 31) are going to totally bogus accounts on our network so I am not worried ... YET.  Comments please.
Dan
 
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.078 seconds.