From: Marrco <as...@mi...> - 2007-08-22 15:08:24

>>> Can’t tell why, but I tested this 2 times and results are consistent.
>>> My regex (header and body) work in a different way switching from
>>> 1.3.3.2 (aug.9) to this week's versions. Newer versions cause a lot of
>>> unwanted bombheader/bombdata rejects.
>>>
>>> Just changing assp.pl back to the aug.9 version fixes the problem
>>>
>>> Is there any major difference in regex processing ?
>>
>> There has been a change if you have been following the assp-test
>> conversations. Can you give examples of the erroneous matches?
>
> Back from holidays, so I think I missed the last few thousand messages...
>
> Some additional info :
>
> It looks like there is some difference about end of lines.
>
> This is the regex I use for headers (to stop forged message IDs reference) :
> ^Message-ID:.*@(mydomain\.com)
>
> Now is blocking
>
> [....]
> Received: by 10.143.11.13 with SMTP id o13mr45646wfi.1187792197724;
>         Wed, 22 Aug 2007 07:16:37 -0700 (PDT)
> Received: by 10.142.87.5 with HTTP; Wed, 22 Aug 2007 07:16:36 -0700 (PDT)
> Message-ID: <246...@ma...>
> Date: Wed, 22 Aug 2007 16:16:36 +0200
> From: testfromgmail <my...@gm...>
> To: "marrco" <my...@my...>
> Subject: asspregextesting
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>         boundary="----=_Part_100941_12483672.1187792196950"
>
> and this is what I get in the logs with the newer version :
>
> Aug-22-07 16:14:41 209.85.162.183 <my...@gm...> to: my...@my... BombHeaderRe:'Message-ID:
> <246...@ma...> Date:
> Wed, 22 Aug 2007 16:07:52 +0200 From: testfromgmail <my...@gm...> To: "marrco" <my...@my...'

A few more tests with 1.3.3.2 (aug.9) (old good working version):

Using mail analyzer I got a single hit for

>> Feature Matching:
>>
>> (red dot) Bomb Data RE: 'message-id:date:from:to:subject:mime-version:content-type;
>> b=ChlOvxaQq5lKH8sFH2/G41fUV/p0+0632/+IpPOmwJX376T1wXFouWAsyIXWIMk [....](PDT) Message-ID:
>> <246...@ma...> Date:
>> Wed, 22 Aug 2007 16:16:36 +0200 From: testfromgmail [...]

But the mail passed without any problem. So it looks like there is a small cosmetic error (I think it's bomb header, not bomb data), and a different processing of end of lines between mail analyzer and standard assp operation.

It looks to me that mail analyzer and newer assp consider ALL headers as a single line, but older assp processes regex match in a different way (I still did not test body regex and newlines)
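
Added example, not part of the original message and not ASSP's own code: a Python model of the behaviour described above, where the posted header regex fires on a legitimate mail once `.` is allowed to cross line ends (Python's `re.S` and `re.M` correspond to Perl's `/s` and `/m`). The sample headers, the `single_line` switch and the tightened `STRICT` pattern are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the headers quoted in the message;
# the message id and all addresses are placeholders.
HEADERS = (
    "Received: by 10.142.87.5 with HTTP; Wed, 22 Aug 2007 07:16:36 -0700 (PDT)\r\n"
    "Message-ID: <12345.example@mail.gmail.example>\r\n"
    "Date: Wed, 22 Aug 2007 16:16:36 +0200\r\n"
    "From: testfromgmail <sender@gmail.example>\r\n"
    'To: "marrco" <user@mydomain.com>\r\n'
    "Subject: asspregextesting\r\n"
)
# Same mail, but with a Message-ID that claims the local domain.
FORGED = HEADERS.replace(
    "<12345.example@mail.gmail.example>", "<12345.example@mydomain.com>"
)

RULE = r"^Message-ID:.*@(mydomain\.com)"  # regex from the message
# Hypothetical tightened form: only the <id@domain> token of the
# Message-ID header itself can satisfy it, whatever '.' is allowed to cross.
STRICT = r"^Message-ID:[ \t]*<[^<>@\s]+@mydomain\.com>"


def hit(pattern, headers, single_line):
    """Return the matched text, or None if the rule does not fire.

    single_line=False: '.' stops at each line end (per-header matching).
    single_line=True:  '.' also crosses line ends, modelling "all headers
    as a single line" (assumed mechanism, not taken from assp.pl).
    """
    flags = re.I | re.M | (re.S if single_line else 0)
    m = re.search(pattern, headers, flags)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, pattern in (("RULE", RULE), ("STRICT", STRICT)):
        for label, mail in (("legit", HEADERS), ("forged", FORGED)):
            for mode in (False, True):
                found = hit(pattern, mail, mode)
                print(f"{name:6} {label:6} single_line={mode!s:5} ->",
                      "no match" if found is None else repr(found))
```

With `single_line=True` the original rule matches from `Message-ID:` through the recipient address in `To:`, which is the shape of the `BombHeaderRe` log entry above; the tightened pattern gives the same verdict in both modes.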