How do I search and capture text for use in a rule?
I want to extract the first part of an email address from the
"Delivered-To" header and use it within a custom rule.

Example pseudo code:

my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;

body __LOCAL_AWKWARD_INTRO /hi $first_part/i


How can I do this in my .cf file?
Re: How do I search and capture text for use in a rule?
On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
> I want to extract the first part of an email address from the "Delivered-To"
> header and use it within a custom rule.
>
> Example pseudo code:
>
> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
>
> body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>
>
> How can I do this in my .cf file?

With a silly kludge, a full rule that matches the complete raw email with a
single regex. Example in stock rules:

full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm

So something like (untested)

full __LOCAL_AWKWARD_INTRO /^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)/sm

If the raw message is Base64 encoded or such, it will never match.
Re: How do I search and capture text for use in a rule?
On Fri, 7 May 2021, Henrik K wrote:

> On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
>> I want to extract the first part of an email address from the "Delivered-To"
>> header and use it within a custom rule.
>>
>> Example pseudo code:
>>
>> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
>>
>> body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>>
>>
>> How can I do this in my .cf file?
>
> With a silly kludge, a full rule that matches the complete raw email with a
> single regex.

We're discussing neater ways to do that on the dev list, it's something
that's been desired for a long time.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Tomorrow: the 76th anniversary of VE day
Re: How do I search and capture text for use in a rule?
On 2021-05-07 10:33 AM, Henrik K wrote:
> On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
>> I want to extract the first part of an email address from the
>> "Delivered-To" header and use it within a custom rule.
>>
>> Example pseudo code:
>>
>> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
>>
>> body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>>
>>
>> How can I do this in my .cf file?
>
> With a silly kludge, a full rule that matches the complete raw email
> with a single regex. Example in stock rules:
>
> full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
>
> So something like (untested)
>
> full __LOCAL_AWKWARD_INTRO /^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)/sm
>

Thanks. I don't quite understand the {1,2048} bit. That looks like a
look ahead assertion up to 2048 characters? What is magical about 2048?
What if the "Delivered-To" header is more than 2048 characters away from
the salutation, which doesn't seem unlikely.
Re: How do I search and capture text for use in a rule?
On Fri, 7 May 2021, Steve Dondley wrote:

> On 2021-05-07 10:33 AM, Henrik K wrote:
>> On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
>>> I want to extract the first part of an email address from the
>>> "Delivered-To" header and use it within a custom rule.
>>>
>>> Example pseudo code:
>>>
>>> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
>>>
>>> body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>>>
>>>
>>> How can I do this in my .cf file?
>>
>> With a silly kludge, a full rule that matches the complete raw email with a
>> single regex. Example in stock rules:
>>
>> full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
>>
>> So something like (untested)
>>
>> full __LOCAL_AWKWARD_INTRO /^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)/sm
>>
>
> Thanks. I don't quite understand the {1,2048} bit. That looks like a look
> ahead assertion up to 2048 characters? What is magical about 2048?

A limit there is to prevent runaway matching and excessive scan times.

> What if the "Delivered-To" header is more than 2048 characters away from
> the salutation, which doesn't seem unlikely.

That is indeed a shortcoming with this approach. As Henrik says, it's a
kludge.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Tomorrow: the 76th anniversary of VE day
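
An added example, not part of the thread or of SpamAssassin: Henrik K's untested rule translated to Python's re module and run against constructed messages, showing the two limits discussed above (the 2048-character lookahead bound and a Base64-encoded body). The example.com addresses, the X-Filler header and the helper names are assumptions made for the demonstration.

```python
import base64
import re

# Henrik K's untested rule from the thread as a Python regex; the /sm flags
# become re.S | re.M. Lookahead, backreference and the bounded quantifier
# have the same meaning in Python's re as in Perl.
RULE = re.compile(
    r"^Delivered-To:\s+<([^@>]+)(?=.{1,2048}\bHi\s+\1\b)", re.S | re.M
)

def rule_hits(raw_message: str) -> bool:
    """Return True if the 'full'-style regex matches the raw message text."""
    return RULE.search(raw_message) is not None

def build_message(local_part: str, body: str, padding: int = 0,
                  encode_base64: bool = False) -> str:
    """Build a constructed raw message; padding adds filler header bytes."""
    headers = [
        f"Delivered-To: <{local_part}@example.com>",
        "X-Filler: " + "a" * padding,  # stands in for Received:, DKIM, etc.
        "Subject: constructed sample",
    ]
    if encode_base64:
        # The rule sees the raw bytes, so an encoded body hides the greeting.
        headers.append("Content-Transfer-Encoding: base64")
        body = base64.b64encode(body.encode()).decode()
    return "\n".join(headers) + "\n\n" + body + "\n"

def run_cases() -> dict:
    """Run the rule over four constructed messages and report hit or miss."""
    body = "Hi steve, I have a business proposal for you.\n"
    return {
        "near": rule_hits(build_message("steve", body)),
        "other_name": rule_hits(build_message("steve", "Hi john, hello.\n")),
        "beyond_2048": rule_hits(build_message("steve", body, padding=3000)),
        "base64_body": rule_hits(
            build_message("steve", body, encode_base64=True)),
    }

if __name__ == "__main__":
    for name, hit in run_cases().items():
        print(f"{name:12} -> {'match' if hit else 'no match'}")
```

Only the "near" case matches; the same greeting is missed once 3000 bytes of headers separate it from Delivered-To, or once the body is Base64 encoded.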
Re: How do I search and capture text for use in a rule?
On Fri, 07 May 2021 10:19:49 -0400
Steve Dondley wrote:

> I want to extract the first part of an email address from the
> "Delivered-To" header and use it within a custom rule.
>
> Example pseudo code:
>
> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
>
> body __LOCAL_AWKWARD_INTRO /hi $first_part/i

Why would you want to do this? Surely the value in this is "hi"
being followed by an email address - regardless of a match. If anything
the mismatch is more spammy.
Re: How do I search and capture text for use in a rule?
>On Fri, 07 May 2021 10:19:49 -0400 Steve Dondley wrote:
>> I want to extract the first part of an email address from the
>> "Delivered-To" header and use it within a custom rule.
>>
>> Example pseudo code:
>>
>> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
>>
>> body __LOCAL_AWKWARD_INTRO /hi $first_part/i

On 08.05.21 15:02, RW wrote:
>From: RW <rwmaillists@googlemail.com>
>
>Why would you want to do this? Surely the value in this is "hi"
>being followed by an email address - regardless of a match. If anything
>the mismatch is more spammy.

Do you mean that "hi rw" is more spammy than "hi rwmaillists"?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
Re: How do I search and capture text for use in a rule?
On Sat, 8 May 2021 16:59:59 +0200
Matus UHLAR - fantomas wrote:

> >On Fri, 07 May 2021 10:19:49 -0400 Steve Dondley wrote:
> >> I want to extract the first part of an email address from the
> >> "Delivered-To" header and use it within a custom rule.
> >>
> >> Example pseudo code:
> >>
> >> my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
> >>
> >> body __LOCAL_AWKWARD_INTRO /hi $first_part/i
>
> On 08.05.21 15:02, RW wrote:
> >From: RW <rwmaillists@googlemail.com>
> >
> >Why would you want to do this? Surely the value in this is "hi"
> >being followed by an email address - regardless of a match. If
> >anything the mismatch is more spammy.
>
> Do you mean that "hi rw" is more spammy than "hi rwmaillists"?

Neither of those are email addresses.

I meant that:

hi john@example.com

or, if we take the regex literally

hi <john@example.com>

is at least as spammy if that address wasn't used in the envelope as
if it was. So it's sufficient to just check for the address format.
Re: How do I search and capture text for use in a rule?
I think the OP was trying to find a way to match "To: <user@host.com>" to
"Hi user".

Loren
Re: How do I search and capture text for use in a rule?
On 5/8/2021 11:56 AM, Loren Wilton wrote:
> I think the OP was trying to find a way to match "To: <user@host.com>"
> to "Hi user".
>
>        Loren
>
Correct you are.  I've been eyeballing that myself for CHAOS.

If you have other examples (like "Hi there $USER_PART," "Hello
$USER_PART:", "Dear Esteemed $USER_PART", etc.) let me know.


Thanks.

-- Jared Hall