Rule filter for entire message text?

Post by AlexV » 10 Dec 2014, 15:13

Is there any way to have the rule filter match against the entire raw content of the message? I've tried using both "Message text" and "Message (with HTML)", but neither does the job.

An example of the sort of email I'm trying to create a rule for:
Code:
Return-path: <snip>
Envelope-to: <snip>
Delivery-date: Wed, 10 Dec 2014 13:31:39 +0000
Received: from 451be902.cst.lightpath.net ([69.27.233.2]:51050)
   by pulse.cyberhostuk.net with esmtp (Exim 4.84)
   (envelope-from <snip>)
   id 1XyhMe-000AdM-Kq
   for snip; Wed, 10 Dec 2014 13:31:39 +0000
From: "Burt Cherry" <snip>
Reply-To: "Burt Cherry" <snip>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_91910816_9617564981.4146680527113"
X-Mailer: MustangList [msg-1248CAA49E7.92FF8A8C6C3525A en-mailC8959CB38652602B]
X-RPTags: List Type Content
X-MLlistcampaign: 408-0693976
X-rpcampaign: prime3959735
X-ML-Message-ID: <<QjBBQ0FCQkY1OERDOUM=>>
X-ML-Message-Source: <<REY2ODkyODIwOTBDM0I2NzQ3NA==>>
X-ML-Message-Trk: <<RUE3MzdFNDY2NTA1>>
Subject: Remittance Advice for 529.75 GBP
To: <snip>
Message-Id: <20141210083135.02CAB061C@451be902.cst.lightpath.net>
Date: Wed, 10 Dec 2014 08:31:35 -0400

------=_Part_91910816_9617564981.4146680527113
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Please find attached a remittance advice for recent BACS payment.

=20

Any queries please contact us.

=20

Burt Cherry

Senior Accounts Payable Specialist

K J Watking & Co

Tel: 01469 865422

------=_Part_91910816_9617564981.4146680527113
Content-Type: multipart/related; boundary="----=_Part_54156138_0471389075.1698752166149"

------=_Part_54156138_0471389075.1698752166149
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<html>
<div>Please find attached a remittance advice for recent BACS =
payment.</div>
<div>&nbsp;</div>
<div>Any queries please contact us.</div>
<div>&nbsp;</div>
<div>Burt Cherry</div>
<div>Senior Accounts Payable Specialist</div>
<div>K J Watking &amp; Co</div>
<div>Tel: 01469 865422</div>
</html>




------=_Part_54156138_0471389075.1698752166149
Content-Type: application/vnd.ms-excel; name="BAC8544864VR.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="BAC8544864VR.xls"

0M<snip>AA
------=_Part_54156138_0471389075.1698752166149--

------=_Part_91910816_9617564981.4146680527113--

What I want the rule to do is find, for example, the bit that says "Content-Type: application/vnd.ms-excel;" and use that as a rule to block it. (Yes, I know that might trigger for legitimate Excel files, there are other rules involved too and that's not the point of this post)

I have also tried a rule matching against the Content-Type header, but it doesn't regard the headers inside the nested related part as being headers. So, if there was a way to match against the raw content of the entire email, that would be useful.

Thanks,

Alex

Re: Rule filter for entire message text?

Post by Chactory » 25 Dec 2014, 12:58

Hi Alex!

Thank you very much for posting this question, which is of high interest to me! :) And excuse me for responding so late – but I had too much work in my real life, and too few plans for how to think about this problem.

I had already tried to work out rules with the “content-type” feature, but they failed, as happened with your attempt.

[Screenshot: spami-rule-contenttype.jpg] This is a screenshot from an attempt to construct an empty-mail rule.

The second condition in the rule contains the following regular expression:
(?is)((content-type: image)|(content-disposition: inline)|(cid:image))

But that’s the point where I’m stuck … I think – motivated by your posting – I’m going to go on experimenting with more, and at first simpler, regular expressions.

Sincere regards,
Chactory

Re: Rule filter for entire message text?

Post by AlexV » 29 Dec 2014, 15:25

Hi Chactory,

I'd be very interested to know if you find anything. From my testing, I don't think there's any possible regex that can do the job; it won't be applied against the full-text of the email in any case.

Eventually I cheated and knocked up a horribly dirty little plugin in C++ to do that specific matching job, but I'd hardly advise that as a proper solution!

Alex

Re: Rule filter for entire message text?

Post by Chactory » 1 Jan 2015, 14:44

Hi AlexV!

I'm stuck again ... :(

Spamihilator's Rule Filter is able to recognize predefined items within the mail header section and strings within the mail body. In the header field you may even define terms.

Example in screenshots:
[Screenshots: zzz1.png, zzz2.png]

Now I'm quoting an example mail source code:

*** Header ***

Return-Path: my_mail_adress@mail_provider.de
Received: from something.provider.net ([212.227.15.15]) by mx-blabla.provider.net (mxprovider105) with
ESMTPS (Nemesis) id 0Mfk76-1YRE8T2xpU-00NBJd for <adressee@provider.de>; Wed, 31 Dec
2014 21:36:09 +0100
MIME-Version: 1.0
Message-ID: <trinity-d3935ac4-6dbb-4e72-b2dc-canyou-tellme@3capp-provider-bs43>
From: "It’s me myself" <my_mail_adress@provider.de>
To: adressee@provider.de
Subject: Mail with attachment
Content-Type: multipart/mixed; boundary=sgnirkm-69f2cf58-8e38-47c9-8e3d-a7e7f600f8e7
Date: Wed, 31 Dec 2014 21:36:09 +0100
Importance: normal
Sensitivity: Normal
X-Priority: 3
X-Provags-ID: V03:K0:Qcy … D28=
X-UI-Out-Filterresults: notjunk:1;
Envelope-To: <adressee@provider.de>
X-UI-Filterresults: notjunk:1;V01:K0:pI8d4ou+0zI=:fXm … ATK

*** Mail body ***

--sgnirkm-69f2cf58-8e38-47c9-8e3d-a7e7f600f8e7
Content-Type: text/html; charset=UTF-8

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Mail with attachment</div></div></body></html>

*** Attachment section ***

--sgnirkm-69f2cf58-8e38-47c9-8e3d-a7e7f600f8e7
Content-Type: image/png
Content-Disposition: attachment; filename=image06.png
Content-Transfer-Encoding: base64

iVB … (image code) … YII=
--sgnirkm-69f2cf58-8e38-47c9-8e3d-a7e7f600f8e7--

When I'm using or defining header section items, Spamihilator recognizes the rules truly. When I'm using the mail-text item, it recognizes defined text strings.

But, unfortunately, it seems not to be possible to define other mail-section items (sorry, Alex, I just don't know the correct names). And, just as well, it's not possible to recognize such items with the "Nachrichtentext" or the "Nachricht (mit Html)" item.

It seems that Spamihilator can't operate with other sections than the header and the text. And I don't know if Michel Krämer will be able to modify the program code for this.

Kind regards,
Chactory
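
Added example, not part of the thread and not Spamihilator or plugin code: the check discussed in AlexV's first post and in the post above, done outside the Rule Filter with Python's standard `email` package, which reads the headers of every MIME part at any nesting depth. The message is a constructed sample with the same nesting as AlexV's mail (placeholder addresses and boundaries, dummy payload), and the function names are hypothetical.

```python
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the message in the first post: same MIME
# layout, placeholder addresses, shortened bodies, dummy base64 payload.
RAW = """\
From: "Burt Cherry" <sender@example.invalid>
To: <rcpt@example.invalid>
Subject: Remittance Advice for 529.75 GBP
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="outer"

--outer
Content-Type: text/plain; charset="utf-8"

Please find attached a remittance advice for recent BACS payment.
--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html; charset="utf-8"

<html><div>Please find attached a remittance advice.</div></html>
--inner
Content-Type: application/vnd.ms-excel; name="BAC8544864VR.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="BAC8544864VR.xls"

AAAA
--inner--
--outer--
"""

def top_level_type(raw):
    """What a header-only rule sees: the outermost Content-Type."""
    return message_from_string(raw, policy=default).get_content_type()

def part_headers(raw):
    """(depth, content type, filename) for every MIME part, nested ones included."""
    found = []
    def visit(part, depth):
        found.append((depth, part.get_content_type(), part.get_filename()))
        for child in part.iter_parts():  # yields nothing for a leaf part
            visit(child, depth + 1)
    visit(message_from_string(raw, policy=default), 0)
    return found

def blocked(raw, types=("application/vnd.ms-excel",)):
    """True if a part at any nesting depth declares one of the given types."""
    return any(ctype in types for _, ctype, _ in part_headers(raw))
```

The top-level header only ever reports `multipart/alternative`; the Excel part shows up two levels down, which is why a rule limited to the message header section cannot see it.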