regex changes in the last few weeks

regex changes in the last few weeks

Marrco

Can’t tell why, but I tested this 2 times and results are consistent. My regex (header and body) work in a different way switching from 1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of unwanted bombheader/bombdata rejects.

Just changing assp.pl back to the aug.9 version fixes the problem.

Is there any major difference in regex processing?


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: regex changes in the last few weeks

Micheal Espinola Jr  (mobile)
Marrco wrote:

>
> Can’t tell why, but I tested this 2 times and results are consistent.
> My regex (header and body) work in a different way switching from
>  1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of
> unwanted bombheader/bombdata rejects.
>
>  
>
> Just changing assp.pl back to the aug.9 version fixes the problem
>
>  
>
> Is there any major difference in regex processing ?
>

There has been a change if you have been following the assp-test
conversations.  Can you give examples of the erroneous matches?



Re: regex changes in the last few weeks

Marrco

>>
>> Can’t tell why, but I tested this 2 times and results are consistent.
>> My regex (header and body) work in a different way switching from
>>  1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of
>> unwanted bombheader/bombdata rejects.
>>
>>  
>>
>> Just changing assp.pl back to the aug.9 version fixes the problem
>>
>>  
>>
>> Is there any major difference in regex processing ?
>>
>
>There has been a change if you have been following the assp-test
>conversations.  Can you give examples of the erroneous matches?
>

Back from holidays, so I think I missed the last few thousand messages...

Some additional info :

It looks like there is some difference about end of lines.

This is the regex I use for headers (to stop forged message IDs reference) :
^Message-ID:.*@(mydomain\.com)

Now it is blocking

[....]
Received: by 10.143.11.13 with SMTP id o13mr45646wfi.1187792197724;
        Wed, 22 Aug 2007 07:16:37 -0700 (PDT)
Received: by 10.142.87.5 with HTTP; Wed, 22 Aug 2007 07:16:36 -0700 (PDT)
Message-ID: <[hidden email]>
Date: Wed, 22 Aug 2007 16:16:36 +0200
From: testfromgmail <[hidden email]>
To: "marrco" <[hidden email]>
Subject: asspregextesting
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_Part_100941_12483672.1187792196950"

and this is what I get in the logs with the newer version :

Aug-22-07 16:14:41 209.85.162.183 <[hidden email]> to: [hidden email] BombHeaderRe:'Message-ID: <[hidden email]> Date:
                   Wed, 22 Aug 2007 16:07:52 +0200 From: testfromgmail <[hidden email]> To: "marrco" <[hidden email]'






Re: regex changes in the last few weeks

Marrco
>>>
>>> Can’t tell why, but I tested this 2 times and results are consistent.
>>> My regex (header and body) work in a different way switching from
>>>  1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of
>>> unwanted bombheader/bombdata rejects.
>>>
>>>  
>>>
>>> Just changing assp.pl back to the aug.9 version fixes the problem
>>>
>>>  
>>>
>>> Is there any major difference in regex processing ?
>>>
>>
>>There has been a change if you have been following the assp-test
>>conversations.  Can you give examples of the erroneous matches?
>>
>
>Back from holidays, so I think I missed the last few thousand messages...
>
>Some additional info :
>
>It looks like there is some difference about end of lines.
>
>This is the regex I use for headers (to stop forged message IDs reference) :
>^Message-ID:.*@(mydomain\.com)
>
>Now it is blocking
>
>[....]
>Received: by 10.143.11.13 with SMTP id o13mr45646wfi.1187792197724;
>        Wed, 22 Aug 2007 07:16:37 -0700 (PDT)
>Received: by 10.142.87.5 with HTTP; Wed, 22 Aug 2007 07:16:36 -0700 (PDT)
>Message-ID: <[hidden email]>
>Date: Wed, 22 Aug 2007 16:16:36 +0200
>From: testfromgmail <[hidden email]>
>To: "marrco" <[hidden email]>
>Subject: asspregextesting
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_Part_100941_12483672.1187792196950"
>
>and this is what I get in the logs with the newer version :
>
>Aug-22-07 16:14:41 209.85.162.183 <[hidden email]> to: [hidden email] BombHeaderRe:'Message-ID: <[hidden email]> Date:
>                   Wed, 22 Aug 2007 16:07:52 +0200 From: testfromgmail <[hidden email]> To: "marrco" <[hidden email]'
>
>
>

A few more tests with 1.3.3.2 (aug.9) (old good working version):
Using mail analyzer I got a single hit for

>> Feature Matching:
>>
>> (red dot) Bomb Data RE: 'message-id:date:from:to :subject:mime-version:content-type;
>> b=ChlOvxaQq5lKH8sFH2/G41fUV/p0+0632/+IpPOmwJX376T1wXFouWAsyIXWIMk [....](PDT) Message-ID:
>> <[hidden email]> Date:
>> Wed, 22 Aug 2007 16:16:36 +0200 From: testfromgmail [...]

But the mail passed without any problem. So it looks like there is a small cosmetic error (I think it's bomb header, not bomb data), and a different processing of end of lines between mail analyzer and standard assp operation.
It looks to me that mail analyzer and newer assp consider ALL headers as a single line, but older assp processes regex match in a different way

(I still did not test body regex and newlines)


Re: regex changes in the last few weeks

Micheal Espinola Jr  (mobile)
In reply to this post by Marrco
The problem is your greedy wildcard. I'm surprised you haven't had issues before.
--
ME2  (mobile)


-----Original Message-----
From: "Marrco" <[hidden email]>
Date: Wednesday, Aug 22, 2007 10:52 am
Subject: Re: [Assp-test] regex changes in the last few weeks
To: <[hidden email]>
Reply-To: [hidden email]


>>>
>>> Can’t tell why, but I tested this 2 times and results are consistent.
>>> My regex (header and body) work in a different way switching from
>>>  1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of
>>> unwanted bombheader/bombdata rejects.
>>>
>>>  
>>>
>>> Just changing assp.pl back to the aug.9 version fixes the problem
>>>
>>>  
>>>
>>> Is there any major difference in regex processing ?
>>>
>>
>>There has been a change if you have been following the assp-test
>>conversations.  Can you give examples of the erroneous matches?
>>
>
>Back from holidays, so I think I missed the last few thousand messages...
>
>Some additional info :
>
>It looks like there is some difference about end of lines.
>
>This is the regex I use for headers (to stop forged message IDs reference) :
>^Message-ID:.*@(mydomain\.com)
>
>Now it is blocking
>
>[....]
>Received: by 10.143.11.13 with SMTP id o13mr45646wfi.1187792197724;
>        Wed, 22 Aug 2007 07:16:37 -0700 (PDT)
>Received: by 10.142.87.5 with HTTP; Wed, 22 Aug 2007 07:16:36 -0700 (PDT)
>Message-ID: <[hidden email]



Re: regex changes in the last few weeks

Fritz Borgstedt
In reply to this post by Marrco

>Can’t tell why, but I tested this 2 times and results are consistent.
>My regex (header and body) work in a different way switching from
> 1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of
>unwanted bombheader/bombdata rejects.

The mail I sent to this list was:


In 1.3.3.2 (31) the modifiers for regexen like bombre and whitere are
changed from /si to /msi.

 The /s modifier treats a string as single line.  The "/s"  modifier
overrides the $* setting. That is, no matter what $* contains, /s will
force "^" to match only at the beginning of the string and "$" to
match only at the end (or just before a newline at the end) of the
string. Together, as /ms, they let the "." match any character
whatsoever, while still allowing "^" and "$" to match, respectively,
just after and just before newlines within the string.



Re: regex changes in the last few weeks

Marrco
In reply to this post by Micheal Espinola Jr (mobile)
> The problem is your greedy wildcard.

To tell the truth I took the idea from postfix manual.
http://www.postfix.org/BACKSCATTER_README.html
And the wildcard use comes from there.

> I'm surprised you haven't had issues before.

Nope, my wildcards are causing problems only since when I tested the latest
assp. No problem with older (up to 09aug) version. So it looks to me that
there is a changed default somewhere that treats multiple lines as a single
one.  

I'm using wildcards also for
Return\-Path\:.*?<spammername
From\:.*?<spammername

To match a single line in the headers with both the strings in the same
header line.

What regex do you suggest to replace mine that was :

^Message-ID:.*@(mydomain\.com)


Tia
 marco


Re: regex changes in the last few weeks

Marrco
In reply to this post by Fritz Borgstedt
> The mail I sent to this list was:
>
>
> In 1.3.3.2 (31) the modifiers for regexen like bombre and whitere are
> changed from /si to /msi.
>
>  The /s modifier treats a string as single line.  The "/s"  modifier
> overrides the $* setting. That is, no matter what $* contains, /s will
> force "^" to match only at the beginning of the string and "$" to
> match only at the end (or just before a newline at the end) of the
> string. Together, as /ms, they let the "." match any character
> whatsoever, while still allowing "^" and "$" to match, respectively,
> just after and just before newlines within the string.

Hmm.. ok, I missed it (holidays), so that's what screwed many of my regex.

Thx for the prompt reply fritz. What kind of fix do you suggest for
expression like :

^Message-ID:.*@(mydomain\.com)

And all other when I need a match of multiple word inside a single line.

And why you changed the defaults ? I'm sure there is a reason, but I can't
get it....
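
The /si to /msi change quoted above and the question about keeping a rule inside one header line, shown as an added example (not code from assp.pl or from any poster). The header block and addresses are constructed, the `[^\r\n]*` variant is an illustration rather than a fix proposed in the thread, and the script assumes the whole header block is matched as one string.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed header block modelled on the one quoted in the thread.
# All addresses are placeholders; mydomain.com stands for the local domain.
my $legit = join "\r\n",
    'Received: by 10.142.87.5 with HTTP; Wed, 22 Aug 2007 07:16:36 -0700 (PDT)',
    'Message-ID: <abc123@mail.example.net>',
    'Date: Wed, 22 Aug 2007 16:16:36 +0200',
    'From: testfromgmail <sender@example.net>',
    'To: "marrco" <marrco@mydomain.com>',
    'Subject: asspregextesting',
    '';

# Same headers, but with a Message-ID that claims the local domain:
# the case the rule is meant to catch.
(my $forged = $legit) =~ s/abc123\@mail\.example\.net/abc123\@mydomain.com/;

# Rules are kept as plain strings, the way they would sit in a rule file.
my @rules = (
    # The rule posted in the thread.
    [ 'greedy .*',           '^Message-ID:.*@(mydomain\.com)'       ],
    # Lazy quantifier: shortest match, but "." still crosses newlines under /s.
    [ 'lazy .*?',            '^Message-ID:.*?@(mydomain\.com)'      ],
    # Assumption for illustration: a character class that cannot leave the line.
    [ 'line-bound [^\r\n]*', '^Message-ID:[^\r\n]*@(mydomain\.com)' ],
);

# Compile a rule with the old (/si) or new (/msi) modifier set and return
# the matched text, or undef when the rule does not fire.
sub try_rule {
    my ($pattern, $mods, $text) = @_;
    my $re = $mods eq 'msi' ? qr/$pattern/msi : qr/$pattern/si;
    return $text =~ /($re)/ ? $1 : undef;
}

# Make line breaks inside a match visible on one output line.
sub show {
    my ($match) = @_;
    return '(no match)' unless defined $match;
    (my $flat = $match) =~ s/\r?\n/ <CRLF> /g;
    return "'$flat'";
}

for my $rule (@rules) {
    my ($name, $pattern) = @$rule;
    for my $mods ('si', 'msi') {
        # /si : "^" anchors only at the start of the whole string, so a
        #       Message-ID line below the first header can never match.
        # /msi: "^" anchors at every line start and "." also eats CR/LF,
        #       so ".*" can run from the Message-ID line into later headers.
        printf "%-20s /%-3s legit : %s\n", $name, $mods,
            show(try_rule($pattern, $mods, $legit));
        printf "%-20s /%-3s forged: %s\n", $name, $mods,
            show(try_rule($pattern, $mods, $forged));
    }
    print "\n";
}
```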


Re: regex changes in the last few weeks

Micheal Espinola Jr  (mobile)
In reply to this post by Fritz Borgstedt
Fritz Borgstedt wrote:

> The mail I sent to this list was:
>
>
> In 1.3.3.2 (31) the modifiers for regexen like bombre and whitere are
> changed from /si to /msi.
>
>  The /s modifier treats a string as single line.  The "/s"  modifier
> overrides the $* setting. That is, no matter what $* contains, /s will
> force "^" to match only at the beginning of the string and "$" to
> match only at the end (or just before a newline at the end) of the
> string. Together, as /ms, they let the "." match any character
> whatsoever, while still allowing "^" and "$" to match, respectively,
> just after and just before newlines within the string.

A most excellent modification.  I think I forgot to mention it before:
Thank you!


Re: regex changes in the last few weeks

Micheal Espinola Jr  (mobile)
In reply to this post by Marrco
Marrco wrote:
> To tell the truth I took the idea from postfix manual.
> http://www.postfix.org/BACKSCATTER_README.html
> And the wildcard use comes from there.

I've seen that page before.  There are good concepts there, but I do not
agree with the examples - for the exact example of the problem you are
having.

I would use lookbehinds to match my own domains.  It's something I've
been thinking of working on but I just haven't gotten to it yet.

If you implement SPF, you are less likely to get backscatter because
the original email sent would have FAILED SPF.

Be sure to use the "-all" qualifier or you aren't telling the receiving
server forcing a rejection.


Lighter Bombre

Hill, Brett
Just out of curiosity, is there a problem with the pre-Lighter
Bombre.txt file that it does not conform to the latest version of ASSP?

I've been running the old BombRe.txt file through all of this and I have
not experienced any performance issues that I'm aware of.

Brett



Re: Lighter Bombre

Fritz Borgstedt
[hidden email] writes:
>I've been running the old BombRe.txt file through all of this and I
>have
>not experienced any performance issues that I'm aware of.

Go on with your old one. There was a request for a lighter one.



Re: regex changes in the last few weeks

Fritz Borgstedt
In reply to this post by Micheal Espinola Jr (mobile)

>
>There has been a change if you have been following the assp-test
>conversations.

For 1.3.3.3 I put an option in to have msi or si.

In section "Spam Control".



Re: regex changes in the last few weeks

Marrco
In reply to this post by Micheal Espinola Jr (mobile)
>> To tell the truth I took the idea from postfix manual.
>> http://www.postfix.org/BACKSCATTER_README.html
>> And the wildcard use comes from there.
>
>I've seen that page before.  There are good concepts there, but I do not
>agree with the examples - for the exact example of the problem you are
>having.

That's what tests and test domains are for ! To verify that newer (and
better) versions don't break some behaviors.

I think those examples are a very good first layer of protection against
backscatter. And that's for me really the hardest kind of spam to filter. I
do hate autoresponders, ndn and requests to resolve captchas or to reply to
autogenerated mails. It's not easy to filter all of them without breaking
legit mail flow. Especially when a spammer forges a valid email for a
spamrun. And you're getting thousands of stupid auto-emails (out of office,
I'm on holiday, thx for your enquiry, mailbox full, in many exotic
languages...)

> I would use lookbehinds to match my own domains.  It's something I've
> been thinking of working on but I just haven't gotten to it yet.

Pls tell me if you have a better solution than the one suggested in the
postfix backscatter readme. I'm really interested !

> If you implement SPF, you are less likely to get backscatter because
> the original email sent would have FAILED SPF.

That would be nice, but you can't always implement SPF on all domains you
have. (.forward problems etc)
And not many servers verify SPF records, so that's just part of the solution

Right now I'd suggest to keep all your MTAs under a separate domain name
than ALL of your users, so it's easier to trash all the mail that has forged
headers, received lines or message-id anywhere in the message. In fact the
single best regex I use to block backscatter on my server is a check in the
body (not headers) for a forged message-id (I know exactly how my legit
message-id are).

But I'm hungry to learn new tricks to block backscatter.


Re: regex changes in the last few weeks

Marrco
In reply to this post by Fritz Borgstedt
>>There has been a change if you have been following the assp-test
>>conversations.
>
> For 1.3.3.3 I put an option in to have msi or si.
>
> In section "Spam Control".

Thx a lot !


Re: regex changes in the last few weeks

Micheal Espinola Jr  (mobile)
In reply to this post by Marrco
Marrco wrote:
> That would be nice, but you can't always implement SPF on all domains you
> have. (.forward problems etc)
>

That's what SRS is for.

> And not many servers verify SPF records, so that's just part of the solution
>

You have absolutely no reason to say that.  Got stats??  And if you don't
publish your own records, no one can use them (and you contribute to the
global problem of backscatter).   Ultimately, what's the harm in
publishing???


Re: regex changes in the last few weeks

Marrco
> Marrco wrote:
>> That would be nice, but you can't always implement SPF on all domains you
>> have. (.forward problems etc)
>>
>
> That's what SRS is for.

Correct. Thx for pointing that out. I said something useless

I mean, there are lots of other reasons why you can't (don't want to) use
SPF

>>> And not many servers verify SPF records, so that's just part of the solution
>>>
>
>You have absolutely no reason to say that.  Got stats??  And if you don't

I did a test last year verifying (just a quick dns lookup for the spf txt
record) a few thousand domains connecting to my MTA, and numbers were low.
What I mean is that TODAY you can't solve all of your backscatter problems
just publishing a SPF record. When a spammer forges a valid email address
you get tons of bounces, and it's not easy to keep your user mailbox usable.


SPF can be part of the solution, but you need additional filters. Well
managed servers that check SPF record don't cause backscatter. Usually I get
that spam from poorly managed servers.

What do you think about
Mail::DeliveryStatus::BounceParser
To extract the message-id and do some additional checks in order to sort
valid bounces from backscatter.
Do you have any experience with that ?

Right now my single regex doing most against backscatter is

(BombRegExInData.txt)
Message-ID:.*@mydomain\.com>

But I do know that my Message-IDs don't look like that !


Re: regex changes in the last few weeks

Micheal Espinola Jr  (mobile)
Marrco wrote:
> I did a test last year verifying (just a quick dns lookup for the spf txt
> record) a few thousand domains connecting to my MTA, and numbers were low.
> What I mean is that TODAY you can't solve all of your backscatter problems
> just publishing a SPF record. When a spammer forges a valid email address
> you get tons of bounces, and it's not easy to keep your user mailbox usable.
>

Nothing in anti-spam-land is a nail-in-the-coffin one-size-fits-all
deal.  But SPF is (or should be) a part of your anti-spam solution.  You
should check for SPF and you should publish SPF records yourself.  And
do it with the "-all" notation.  Tildes don't count!!!

(did I use enough hyphens?)  :-)

> SPF can be part of the solution, but you need additional filters. Well
> managed servers that check SPF record don't cause backscatter. Usually I get
> that spam from poorly managed servers.
>

More and more people check for SPF.  There isn't anything to check if
you don't publish the DNS record.  I understand what you are saying, but
you are making assumptions.  Publishing SPF can only help the
situation.  And it's not well-managed servers that cause backscatter.
It's poorly implemented spam and anti-virus filters.

I belong to email and anti-virus discussion distribution lists, and
they (my fellow members) are the worst perpetrators of backscatter
because of the tools they use (Symantec and Antigen are huge offenders
when it comes to bouncing an email because of a violation).  It's the
tools people use, and how they work - not that they are poorly managed.

> What do you think about
> Mail::DeliveryStatus::BounceParser
> To extract the message-id and do some additional checks in order to sort
> valid bounces from backscatter.
> Do you have any experience with that ?
>  

Never heard of it, but it sounds interesting.

> Right now my single regex doing most against backscatter is
>
> (BombRegExInData.txt)
> Message-ID:.*@mydomain\.com>
>
> But I do know that my Message-IDs don't look like that !

I wish I had the time to finish the backscatter regex I was working on -
but I simply don't!  :-(


Re: regex changes in the last few weeks

Charles Marcus
On 8/22/2007, Micheal Espinola Jr ([hidden email]) wrote:
> I belong to email and anti-virus discussion distribution lists,
> and they (my fellow members) are the worst perpetrators of
> backscatter because of the tools they use (Symantec and Antigen are
> huge offenders when it comes to bouncing an email because of a
> violation). It's the tools people use, and how they work - not that
> they are poorly managed.

In most cases, these tools *can* be configured properly - but I agree
that their out-of-box default configurations cause lots of grief.

--

Best regards,

Charles


Re: regex changes in the last few weeks

Marrco
>> I belong to email and anti-virus discussion distribution lists,
>> and they (my fellow members) are the worst perpetrators of
>> backscatter because of the tools they use (Symantec and Antigen are
>> huge offenders when it comes to bouncing an email because of a
>> violation). It's the tools people use, and how they work - not that
>> they are poorly managed.
>
>In most cases, these tools *can* be configured properly - but I agree
>that their out-of-box default configurations cause lots of grief.

Don't forget also to block all the spam protection software sending messages
like

" Thank you for your recent email. My inbox is protected by ChoiceMail One,
the leader in anti-spam technology. ChoiceMail is holding the message you
sent because your email address is not yet on my list of approved senders.

Please use the link below to verify your identity. This is a ONE TIME
process and only takes a few seconds."

That's even worse. To keep their mailbox clean they spam (backscatter) me.

I usually send a small notice to the postmaster and when I don't get a
prompt answer and solution I often blacklist their MTA. Hope they can read
the 5xx message
