
Subject RegEx

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=2861
Printed Date: 22 December 2024 at 3:26pm


Topic: Subject RegEx
Posted By: Guests
Subject: Subject RegEx
Date Posted: 05 February 2004 at 2:46pm

Hi folks!

I'm trying to build a RegEx to block some e-mails infected by the worm MY_DOOM.A

My idea is to block e-mails which have the words hi, hello, test or error in their subject.

I made some RegEx like:

- (Subject:\x20(hi|Hi|HI|hello|Hello|HELLO|error|Error|ERROR|test|Test|TEST))

- (subject:\x20(test$|hi|hello$|error$))

- (Subject:(hi$|hello$|test$|error$))

None of them work!!!

Can someone give me a clue?

Thanks everyone and sorry about my bad English, that's not my native language.

Henrique




Replies:
Posted By: Desperado
Date Posted: 06 February 2004 at 7:45pm

What Build of SpamFilter are you running?  The "Subject:" filtering only was added recently.

Dan S.

 



Posted By: Guests
Date Posted: 07 February 2004 at 8:01am

I have two mx servers.

One of them with the 1.2.0.212 build and the other with the 1.2.0.178 build.

 

[]'s

Henrique



Posted By: Desperado
Date Posted: 07 February 2004 at 5:20pm

The "Subject" RegEx matching was not available until version 2 build 211 (or thereabouts).

Regards,

Dan S.



Posted By: Guests
Date Posted: 09 February 2004 at 11:14am

I'm having the same issue (the "Subject:" search isn't working).  Per the release notes and bug fixes on the 'Download' page, the third item shows that version 1.2.0.212 now has the new "Subject:" word search:

// New to VersionNumber = '1.2.0.212';
{TODO -cNew : Add ini option to allow MAIL FROM command without 1st HELO command}
{TODO -cNew : Incoming connections are dropped immediately when the DATA stream exceeds the max message size, before the entire email was received before being rejected}
{TODO -cNew : Subject lines are now prefixed with the words "Subject:", allowing RegEx searches to be more specific by limiting them to the subject line only}

I upgraded to this version, but my "Subject:" keyword searches are not working.

Any help would be greatly appreciated, I too am trying to stop the MyDoom virus in its tracks by searching the email subjects.

Thanks!

GJ



Posted By: Desperado
Date Posted: 09 February 2004 at 11:19am

Can you please post an example of what your keyword entry for the "subject" keyword looks like?

Regards,

Dan S.

 



Posted By: Guests
Date Posted: 09 February 2004 at 11:53am

Sure Dan, thanks for the quick initial response!

Here is what I have in my Keywords Filter area to filter any emails with a subject of "hi" (without the quotes)...

Subject: hi
Subject: (?i)hi
"Subject:" (hi)

All three of these don't work!  I've sent an inbound email from three separate email accounts that I have on the internet, with the subject of "hi" (without the quotes), and SpamFilter isn't trapping it.

I just re-verified my version on the spamfilter.exe and spamfiltersvc.exe, and they are both: 1.2.0.212.

Thanks!

GJ



Posted By: Guests
Date Posted: 09 February 2004 at 12:01pm

Hey Dan, what's going on?

I emailed SF support to contact you about your latest regex and no one has responded.

Any chance I can get it directly from you?

my email address is btrinidad at atx dot com

Thanks



Posted By: Desperado
Date Posted: 09 February 2004 at 12:51pm

Hmmm ... all of a sudden my Subject RegEx is not working ... but it did.  I am running a private beta that may have an issue though ..  I will check on that.

Dan S.



Posted By: Guests
Date Posted: 09 February 2004 at 7:24pm

I too have found the Subject line not working correctly with RegEx, but I think I found out why.

My issue is that a lot of the spam mail that does not get caught has Subject lines like this: =?ISO-8859-1?B?UmU6QSBNdXN0IHJlYWQgb24gSGVhbHRo?= inside the header Subject line.

The conversion does show up though in the subject line that the user normally sees.  The above unicode converts to Re:A Must read on Health.

My guess here is that SF picks up on the subject line AFTER the unicode is converted.  If this is the case, then using a regex such as ((?i)Subject:\s=.+?=) to filter out the unicode-encoded line above will not work.

Another popular one I get a lot is when the message comes in with the subject line hi and the subject line in the header shows up as unicode, my usual regex that blocks hi will not work.  I'm not sure as to the solution to this, but this is where I see the problems coming from when it comes to filtering based on the subject line. If the subject line in both the header and 'what the user normally sees subject field' match then the regex will work as advertised.
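Added example (not part of the original posts and not SpamFilter's own code): a Python sketch that decodes the RFC 2047 encoded-word form shown in the post above and tests a subject pattern against both the raw and the decoded header line, so a filter built this way does not depend on which form it is handed. The pattern, function names and sample headers are constructed for illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Pattern built from the subjects named in this thread (hi, hello, test, error).
# Case-insensitivity is passed as a flag: recent Python versions reject "(?i)"
# unless it sits at the very start of the pattern.
SUBJECT_RE = re.compile(r"^Subject:\s*(hi|hello|test|error)\s*$", re.IGNORECASE)


def decode_subject(value):
    """Return the subject as a mail client displays it (RFC 2047 decoded)."""
    try:
        return str(make_header(decode_header(value)))
    except (HeaderParseError, LookupError, UnicodeError):
        return value  # bad base64 or unknown charset: keep the raw text


def subject_matches(header_line, pattern=SUBJECT_RE):
    """True if the pattern hits the raw or the decoded Subject line."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "subject":
        return False
    raw = "Subject: " + value.strip()
    decoded = "Subject: " + decode_subject(value.strip())
    return bool(pattern.search(raw) or pattern.search(decoded))


# Constructed sample headers; the third is the encoded subject quoted above.
SAMPLES = [
    "Subject: hi",
    "Subject: =?ISO-8859-1?B?aGk=?=",
    "Subject: =?ISO-8859-1?B?UmU6QSBNdXN0IHJlYWQgb24gSGVhbHRo?=",
    "Subject: =?iso-8859-1?Q?Hello?=",
    "Subject: history lesson",
]

if __name__ == "__main__":
    for line in SAMPLES:
        shown = decode_subject(line.partition(":")[2].strip())
        print(f"{subject_matches(line)!s:5}  {shown!r}  <-  {line}")
```
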

 



Posted By: Desperado
Date Posted: 10 February 2004 at 5:24am

All,

The following examples do, in fact, work but I have no stats on false blocking yet.  After one hour, I got "hits" on 2 out of 3 of them and nailed 23 messages.

((?i)Subject:((re:hit)|((\.){1})|((\w){0,3}(dont wait\!))))

((?i)Subject:(.){3,15}("confirmation n))

((?i)Subject:(at last).{20,})

Any comments on what is wrong with these PLEASE!

Regards,

Dan S.



Posted By: Desperado
Date Posted: 10 February 2004 at 6:07am

However, check my sanity, but the following seems to work:

((?i)Subject:=\?ISO\-\d*\-\1?,*?.*_.*_.*)

PLEASE SHOOT IT DOWN! I have no idea if I am creating a disaster just waiting to happen!

Regards,

Dan S.



Posted By: Desperado
Date Posted: 10 February 2004 at 6:27am

Nix the post above ... too many false positives.

I changed it to ((?i)Subject:=\?ISO\-\d*\-\1?.*?better_)  For the moment.

Dan S.



