Mailing List Archive

Filter with special characters (!?)
Hi, I'm trying to create a discard rule for the incoming spam email which contains an special characters in a subject.


In the exim log i see this:


2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados - Cuenta_FROM: <casagrognetiff@etb.net.co> - X-Mailer = Microsoft Outlook Express 6.00.2900.2950 - Subject = \277Eres el del video?

discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}} logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"

In incoming mail, the subject contains this character (!)

How should I indicate the rule?

Regards,





--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
Emanuel Gonzalez via Exim-users <exim-users@exim.org> (Mi 22 Aug 2018 20:53:00 CEST):
> Hi, I'm trying to create a discard rule for the incoming spam email which contains an special characters in a subject.
>
> In the exim log i see this:
>
> 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados - Cuenta_FROM: <casagrognetiff@etb.net.co> - X-Mailer = Microsoft Outlook Express 6.00.2900.2950 - Subject = \277Eres el del video?
>
> discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}} logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"
>
> In incoming mail, the subject contains this character (!)

The \0277 is the upside-down question mark, isn't it?

> How should I indicate the rule?

This question I do not understand.

--
Heiko
Re: Filter with special characters (!?) [ In reply to ]
On 2018-08-22, Emanuel Gonzalez via Exim-users <exim-users@exim.org> wrote:
> 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados - Cuenta_FROM: <casagrognetiff@etb.net.co> - X-Mailer = Microsoft Outlook Express 6.00.2900.2950 - Subject = \277Eres el del video?
>
> discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}} logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"


You haven't escaped the ? in your regex.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
Hello, I need to use the following symbols exclamation mark and question mark (! ?) as characters in a filter but using HEX does not work.


discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}}
logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"


I understand that using the standard ISO-8859-1 should be work, but no.

\277 is equal to ==> !

but it does not detect it as a character inside the filter

Regards,

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
> From: Emanuel Gonzalez

It's ACL, not a filter.

> In the exim log i see this:
>
> 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados - Cuenta_FROM: <casagrognetiff@etb.net.co> - X-Mailer = Microsoft Outlook Express 6.00.2900.2950 - Subject = \277Eres el del video?
>
> discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}} logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"

deny condition = ${if match{$header_subject:}\
{\N^\0277Eres el del video\?$\N}}
message = rejected as spam - $header_subject: - FROM: $sender_address

This must be in the data ACL.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
Emanuel Gonzalez via Exim-users <exim-users@exim.org> (Do 23 Aug 2018 12:48:42 CEST):
> Hello, I need to use the following symbols exclamation mark and question mark (! ?) as characters in a filter but using HEX does not work.
>
>
> discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}}
> logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"

- IMHO \277 is the upside down exclamation mark, isn't it?
- Is the header encoded? How does the raw header looks like?

> I understand that using the standard ISO-8859-1 should be work, but no.
It does:

> exim -be '${if eq{!}{\041}{YES}{NO}}'
YES

Can you paste the **raw** header line?

--
Heiko
Re: Filter with special characters (!?) [ In reply to ]
On 2018-08-23, Emanuel Gonzalez via Exim-users <exim-users@exim.org> wrote:
> Hello, I need to use the following symbols exclamation mark and question mark (! ?) as characters in a filter but using HEX does not work.
>
>
> discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}}
> logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"
>
>
> I understand that using the standard ISO-8859-1 should be work, but no.

Do you have the main configuration setting "headers_charset = ISO-8859-1"?

If your configuration file editor also uses ISO-8859-1 you could just
enter the character. (or you use use utf-8 both places, that would
work too)

Your regex should probably say "video\\?" instead of "video?"
that's probably why it's not matching.

--
?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
On Thu, Aug 23, 2018 at 8:57 AM, Julian Bradfield via Exim-users <
exim-users@exim.org> wrote:

> On 2018-08-22, Emanuel Gonzalez via Exim-users <exim-users@exim.org>
> wrote:
> > 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados
> - Cuenta_FROM: <casagrognetiff@etb.net.co> - X-Mailer = Microsoft Outlook
> Express 6.00.2900.2950 - Subject = \277Eres el del video?
> >
> > discard condition = ${if match{$header_subject:}{^\277Eres el del
> video?\$}} logwrite = Rejected By SPAM - $header_subject - FROM:
> "$sender_address"
>
>
> You haven't escaped the ? in your regex.
>

Instead, the $ is escaped, so a header that would be matched could be:

¿Eres del vide$spamspam oh lovely spam and some nasty unsafe characters



--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
On 2018-08-24, Jan Ingvoldstad via Exim-users <exim-users@exim.org> wrote:
> On Thu, Aug 23, 2018 at 8:57 AM, Julian Bradfield via Exim-users <
> exim-users@exim.org> wrote:
>
>> On 2018-08-22, Emanuel Gonzalez via Exim-users <exim-users@exim.org>
>> wrote:
>> > 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados
>> - Cuenta_FROM: <casagrognetiff@etb.net.co> - X-Mailer = Microsoft Outlook
>> Express 6.00.2900.2950 - Subject = \277Eres el del video?
>> >
>> > discard condition = ${if match{$header_subject:}{^\277Eres el del
>> video?\$}} logwrite = Rejected By SPAM - $header_subject - FROM:
>> "$sender_address"
>>
>>
>> You haven't escaped the ? in your regex.
>>
>
> Instead, the $ is escaped, so a header that would be matched could be:


> ¿Eres del vide$spamspam oh lovely spam and some nasty unsafe characters
>

no. it was only escaped once.

the dollar needs to be escaped from expansion. \$

the ? needs to be escaped from regex. \\?

--
?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
Hello,


I have tried all the recommendations but it does not work.


The following regular expression does not work


\N^\0277Eres el del video\?$\N


==> scape the sign ? not work


==> Changing the charset from the configuration file does not work either


==> I also need to block an issue with the following string: Re: Tu dep?sito de $13,710.38


i scape the sign ? but not work


Tu dep\363sito de \$13,710.38


any ideas?
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
On Mon, Aug 27, 2018 at 7:32 PM, Emanuel Gonzalez via Exim-users <
exim-users@exim.org> wrote:

> Hello,


...


>
>
> ==> I also need to block an issue with the following string: Re: Tu
> depósito de $13,710.38
>
>
...


>
>
> any ideas?
>

I think you need to stop placing these special rules directly in the Exim
configuration, and instead use a filtering system.

For instance, you can create spam filters with SpamAssassin (
https://github.com/Exim/exim/wiki/SpamAssassin), or you could use Sieve
filtering (
https://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-sieve_filter_files.html
).

I expect that both of these will be easier to relate to, and you don't have
to reload the Exim configuration (and maybe break all of your email config).

SpamAssassin can also test its own config to see if it validates, before
you restart spamd (or similarly reload the config).
--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
I'm filtering the mail before I get to the antispam, to save resources, I do not want to analyze an email that I know is junk mail

________________________________
De: Jan Ingvoldstad <frettled@gmail.com>
Enviado: lunes, 27 de agosto de 2018 14:44:18
Para: Emanuel Gonzalez
Cc: exim-users@exim.org
Asunto: Re: [exim] Filter with special characters (!?)

On Mon, Aug 27, 2018 at 7:32 PM, Emanuel Gonzalez via Exim-users <exim-users@exim.org<mailto:exim-users@exim.org>> wrote:
Hello,

...



==> I also need to block an issue with the following string: Re: Tu dep?sito de $13,710.38


...



any ideas?

I think you need to stop placing these special rules directly in the Exim configuration, and instead use a filtering system.

For instance, you can create spam filters with SpamAssassin (https://github.com/Exim/exim/wiki/SpamAssassin), or you could use Sieve filtering (https://www.exim.org/exim-html-current/doc/html/spec_html/filter_ch-sieve_filter_files.html).

I expect that both of these will be easier to relate to, and you don't have to reload the Exim configuration (and maybe break all of your email config).

SpamAssassin can also test its own config to see if it validates, before you restart spamd (or similarly reload the config).
--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
On Mon, Aug 27, 2018 at 7:51 PM, Emanuel Gonzalez <
emanuel_gonzalez@live.com.ar> wrote:

> I'm filtering the mail before I get to the antispam, to save resources, I
> do not want to analyze an email that I know is junk mail
>
>
>
That's pretty minimal for letting SpamAssassin or Sieve do the filtering on
e.g. subject.

I can see how this might be a concern with a large email setup, but with a
large email setup, I wouldn't be hand-editing regexps in the Exim config.

Anyway, it was just some friendly advice to perhaps make things easier for
you.
--
Jan
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
On 08/27/2018 06:32 PM, Emanuel Gonzalez via Exim-users wrote:
> The following regular expression does not work
>
>
> \N^\0277Eres el del video\?$\N
>
>
> ==> scape the sign ? not work

Are you absolutely certain that the character you think is
a question-mark is in fact an ASCII single-byte character
and not either some multibyte thing that displays a
question-mark?
--
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
On 2018-08-27, Emanuel Gonzalez via Exim-users <exim-users@exim.org> wrote:
> Hello,
>
>
> I have tried all the recommendations but it does not work.
>
>
> The following regular expression does not work
>
>
> \N^\0277Eres el del video\?$\N

I think you mean \277 which is "¿" in 8859-9 not \0277 which is a
control character followed by digit 7

OTOH perhaps you want the UTF-8 form
\302\277


>
>==> scape the sign ? not work
>
>
>==> Changing the charset from the configuration file does not work either
>
>
>==> I also need to block an issue with the following string: Re: Tu depósito de $13,710.38
>
>
> i scape the sign ? but not work
>
>
> Tu dep\363sito de \$13,710.38
>
>
> any ideas?


--
?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Filter with special characters (!?) [ In reply to ]
Emanuel Gonzalez via Exim-users <exim-users@exim.org> (Mo 27 Aug 2018 19:32:32 CEST):
> ==> Changing the charset from the configuration file does not work either
> ==> I also need to block an issue with the following string: Re: Tu depósito de $13,710.38

Please attach the raw headers and your configuration snippet
as raw text files, to avoid any conversion done by misbehaving mail
clients.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Re: Filter with special characters (!?) [ In reply to ]
Hello, i use this regex and work fine for me:


\N(?i)(Re: Tu dep\363sito de \$13\,710\.38)\N


Regards,
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/