Re: Creating header/body_checks rules for UCE

From: Adam D (emlistsgmail.com)
Date: Thu Oct 19 2006 - 00:27:08 CDT


Noel Jones wrote:
> At 09:47 PM 10/18/2006, Adam D wrote:
>> I have been searching and searching for help/answers on learning to
>> create rules for header_checks beyond the simple /^Subject:.*test/
>> REJECT test. I have found a lot of samples around on the net and from
>> trial and error I have been able to figure some things out but I still
>> have a lot yet to learn. Is there a place I can go to learn how to
>> create more than the simple rules for header and body checks? Are
>> all the rules based on Perl and do I need to learn Perl for creating
>> rules?
>
> These are regular expressions, used (with minor differences) in perl and
> many other programs/languages/applications. There are books at any
> large bookstore about creating regular expressions. Try "man egrep" for
> some starting pointers, look on google for more.

Perfect! :) Thank you. That was exactly what I was looking for. A good start esp since I don't have any programming experience. I found a good starting point to learn more about regex. http://www.regular-expressions.info/

>> I have been able to figure out how to create a list of words in a rule
>> (example1|example2|example3) and use it in a rule but as for phrases,
>> postfix just whizzes by without an iota. (This is an example1|This is
>> an example2|This is an example3) does not work the same. Here is my
>> sample
>>
>> /^Subject:.*\(This is an example1|This is an example2|This is an
>> example3)\"$/
>> DISCARD sample test
>>
>> When I use that, Postfix still delivers it without dropping the mail.
>> I am guessing it is because I am missing the proper format to include
>> spaces. I have used "" and '\' but each one did not work.
>
> Don't escape parentheses or quote marks. You probably don't want the
> quote mark or $ at the end.

Ahh, yes.. I do see the quote mark and it is just a dangling mark without any partner or purpose.

>
>> Another question I have regards the ifthen. I want all mail from a
>> particular address xyzgmail.com with .gif as an attachment to DISCARD
>> while all other addresses are delivered
>>
>> such as:
>>
>> if address=xyzgmail.com and attachment=*.gif then DISCARD
>
> Postfix header/body checks check one body line or one logical header at
> a time. It is not possible to construct an expression comparing two
> different lines as in your example. The IF/ENDIF construct is intended
> for grouping multiple expressions of the same type, such as grouping
> multiple Subject test together for efficiency.
>

That is a bummer with that example. But I hope I may pick up something else that will at least help if not put me in a different direction.

Again thank you for pointing me in the right direction. I have a bit of reading to do on regex.

-Adam
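
The two points made in this thread, as an added example that is not part of the original messages: the posted Subject pattern beside the corrected form, and a two-header rule tested against one logical header at a time. Python's `re` stands in for Postfix's regexp engine here (an assumption), and the sample headers, the `xyz@example.com` address, the `COMBINED` pattern and all function names are constructed for illustration.

```python
import re

# Constructed sample message headers (not from the original post).
RAW = (
    "From: xyz@example.com\n"
    "Subject: Re: This is an example2\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"pic.gif\"\n"
)

# Pattern as posted (joined onto one line), and as corrected per the reply:
# parentheses unescaped, trailing quote mark and $ dropped.
POSTED = r'^Subject:.*\(This is an example1|This is an example2|This is an example3)\"$'
FIXED = r'^Subject:.*(This is an example1|This is an example2|This is an example3)'
# Hypothetical attempt at the two-header rule: From address AND .gif attachment.
COMBINED = r'^From:.*xyz@example\.com.*filename=.*\.gif'


def logical_headers(raw):
    """Split a header block into logical headers; continuation lines
    (starting with space or tab) stay attached to the header they extend."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += "\n" + line
        elif line:
            out.append(line)
    return out


def compile_rule(pattern):
    """Compile case-insensitively with '.' spanning newlines (assumed to
    mirror the table defaults); return None if the pattern is invalid."""
    try:
        return re.compile(pattern, re.IGNORECASE | re.DOTALL)
    except re.error:
        return None


def matching_headers(pattern, raw=RAW):
    """Return the logical headers the pattern matches, each tested alone.
    An invalid pattern matches nothing."""
    rule = compile_rule(pattern)
    if rule is None:
        return []
    return [h for h in logical_headers(raw) if rule.search(h)]


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("fixed", FIXED), ("combined", COMBINED)):
        print(name, "compiles:", compile_rule(pat) is not None,
              "matches:", matching_headers(pat))
```

The combined pattern does match when handed the whole header block as one string, which is exactly the view a per-header check never gets.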