
Re: Regex to block Sobig



Marcelo Medici wrote:

> i am trying to filter, using procmail, the offending subjects created in
> email by the sobig worm. i am using this recipe:
> 
> :0 D
> * ^Subject:.(R(E|e): )?(R(E|e): )?(Thank you\!)|(Details)|(My.Details)|(Approved)|(Your.application)|(Wicked.screensaver)|(That.movie)$
> /dev/null
> 
> i am purposely using case sensitivity to try and be very limiting with what
> subjects i filter.
> 
> however even though i am using start and finish anchors ^$, this regex
> still filters out an email which has
> 
>  Details about procmail
> 
> as its subject line. can someone with strong regex skills help me out?

Get rid of all of those excessive parentheses, put the pipes inside of 
some parentheses, and you'll probably have better luck:

* ^Subject:.(R(E|e): )?(R(E|e): )?((Thank you\!)|(Details)|(My.Details)|(Approved)|(Your.application)|(Wicked.screensaver)|(That.movie))$

or, even cleaner:

* ^Subject:\s*(R[Ee]: ){0,2}(Thank you\!|Details|My Details|Approved|Your application|Wicked screensaver|That movie)$

Your main problem is the pipes outside of the parens - you were matching
* ^Subject:.(R(E|e): )?(R(E|e): )?(Thank you\!)
or
Details
or
My.Details
etc

If you're choosing between several single chars, it's probably easier to 
write [abc] than to write (a|b|c), but that's a personal preference.  I 
think that's a Perl carry-over - the parens store their match as $1 
unless you do (?:a|b|c), which is a lot more clutter than [abc].  If 
you're repeating the same pattern more than once, it's probably worth 
looking at it again to see if it could be grouped - hence the 
(pattern){min,max}.

--Danny
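
Added example, not part of the original message: the precedence problem described above, checked against sample header lines. It assumes Python's `re` module as a stand-in for procmail's egrep-style matcher (alternation has the lowest precedence in both); `top_level_alternatives`, `matches`, `report` and the sample headers are constructed for illustration.

```python
import re

# Patterns copied from the thread, without procmail's leading "* ".
ORIGINAL = (r"^Subject:.(R(E|e): )?(R(E|e): )?(Thank you\!)|(Details)|(My.Details)"
            r"|(Approved)|(Your.application)|(Wicked.screensaver)|(That.movie)$")
GROUPED = (r"^Subject:.(R(E|e): )?(R(E|e): )?((Thank you\!)|(Details)|(My.Details)"
           r"|(Approved)|(Your.application)|(Wicked.screensaver)|(That.movie))$")

def top_level_alternatives(pattern):
    """Split on every '|' that is outside all parentheses (hypothetical helper;
    it does not handle bracket expressions, which these patterns do not use)."""
    parts, current, depth, i = [], "", 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                  # escaped char: copy it with its backslash
            current += pattern[i:i + 2]
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:    # a pipe here splits the whole pattern
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    return parts

def matches(pattern, header):
    # Case-sensitive search, as with the recipe's D flag.
    return re.search(pattern, header) is not None

# Constructed sample header lines; the third subject is the one from the question.
SAMPLES = ["Subject: Details", "Subject: Re: Re: Thank you!",
           "Subject: Details about procmail",
           "Subject: Re: Approved by the committee", "X-Note: That movie"]

def report():
    """Map each sample to (matched by ORIGINAL, matched by GROUPED)."""
    return {h: (matches(ORIGINAL, h), matches(GROUPED, h)) for h in SAMPLES}

if __name__ == "__main__":
    for alt in top_level_alternatives(ORIGINAL):
        print("alternative:", alt)
    for header, result in report().items():
        print(result, header)
```

The ungrouped pattern splits into seven independent alternatives, so `^Subject:` constrains only the first and `$` only the last; the grouped pattern is a single alternative with both anchors applied to every subject.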

