question about email filter (AND condition is possible?)

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,051
1
343
I have a user who wants to block

TO "spamtext", AND with, SUBJECT "spamtext2"

At this time it seems to be possible only to insert
separate filters without an AND condition.

Is it possible to enter an AND condition as above?

Thank you
 

Radio_Head

I analyzed what happens in /etc/filters when I insert a new mail filter.

As it seems, cPanel only understands OR conditions.
If I add an AND rule by hand, for example

Code:
if
 $header_from: is "testspam"
 and $header_to: is "testspam2"
 then
 save "/dev/null" 660
endif

and then I add another filter via cPanel, cPanel modifies all my rules
with an OR condition:

Code:
if
 $header_from: is "testspam"
 or $header_to: is "testspam2"
 or $header_subject: is "testspam3"
 then
 save "/dev/null" 660
endif

Very bad, because cPanel doesn't permit us to set filters that also use the AND operator.

Any workaround / solution to bypass this problem?
 

Radio_Head

How can the AND condition above be done with regex?
 

webignition

Well-Known Member
Jan 22, 2005
1,880
0
166
Radio_Head said:
How can the AND condition above be done with regex?
A good question! When creating your filter in cPanel, it would have to be of the form:

Filter Any Header that matches regex

You'd then have to enter the correct regular expression. In order to do that, you would need to be very familiar with the format of email headers and very familiar with forming regular expressions. I'm not going to explain how to do that here and will instead just point you in the right direction.

Following your example, we want the From: field to be exactly equal to "testspam" and the To: field to be exactly equal to "testspam2".

Start by imagining your email headers, or better still open the headers of an email and take a look. Consider how to match the from field. You have lots of text of unknown length, followed by "From: testspam" followed by more text of unknown length. The same concept applies to the To: field.

The following is roughly what you need to match the From: field:
From:\stestspam

And then what follows will roughly match the To: field:
To:\stestspam2

The whole regex might then be:
(From:\stestspam)&(To:\stestspam2)

I'm not saying that this is by any means correct - it is an example only and is nowhere near right. Learning how regular expressions work will let you determine what is correct.

When dealing with 'Any Header' matching, there are oodles of things to consider and you must make sure that the regex matches only what you want and nothing else.

For example:
From:\stestspam

would match the From: field if it equalled "testspam". It would also match the From: field if it contained "testspamrandomtext". It would also get a match if the subject of the email contained "From: testspam". And of course it would only work if there was exactly one space in-between "From:" and "testspam".

Further still, any number of additional headers could contain anything and could potentially match what you are looking for.

If you are familiar with the format of email headers, you will know that the From: field, or indeed any field, is preceded by a certain number of carriage return and line feed characters in a certain order, and you know that the same pattern will follow the end of the field. You'd need to know how to match these correctly to ensure that your regex doesn't pick up false positives.

It's a big topic! You can use regular expressions to correctly match any number of any thing in an email header, but you have to know what you're doing for it to work.
 

sam999

Registered
Jul 18, 2006
2
0
151
This was a very good question about how to implement regex "AND" constructs (as opposed to OR, which is simple -- "|"). Can't figure how to do that either! Seems incredible as it's very basic! Any of you wizards out there who can give an example?

Anyway, the parsing by the CP email filter is very finicky, and you seem to need to use three escape characters for several characters (most notably the backslash itself).

An example:
Code:
\\\\brolex\\\\b|\\\\bce\\\.*brex\\\\b|\\\\bvi\\\.*ra\\\\b
After CPanel passes it to the regex processor it is applied thusly:
Pattern = \brolex\b|\bce.*brex\b|\bvi.*ra\b

(Searches for "rolex", words starting with "ce" and ending with "rex", or words starting with "vi" and ending with "ra".)

You can see how this is actually parsed when you use the filter test, so it's best to experiment with it.
The "documentation" for CP is extremely deficient in not giving any hints about this need for multiple escapes IMHO!!
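
An added example, not part of any post in this thread and not cPanel's or Exim's own code: in Python's `re` (as in PCRE) `&` is a literal character, but one lookahead per header, anchored to the start and end of a line, behaves as an AND and avoids the false positives described above. The function names and sample messages are constructed for illustration; whether cPanel's filter field accepts this pattern, and with what escaping, is not tested here.

```python
import re

def and_pattern(required):
    """One regex that matches only if every (field, value) pair occurs as a
    complete header line. Each pair is a lookahead from the start of the text,
    so all must succeed (AND) and the header order does not matter."""
    lookaheads = []
    for field, value in required:
        # ^ and $ pin the match to one whole line; \r? tolerates CRLF endings.
        line = r"^%s:[ \t]*%s[ \t]*\r?$" % (re.escape(field), re.escape(value))
        lookaheads.append(r"(?=[\s\S]*?%s)" % line)
    return re.compile(r"\A" + "".join(lookaheads), re.MULTILINE)

def header_block(raw):
    """Return only the headers: everything before the first empty line."""
    return re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]

def matches(pattern, raw):
    return pattern.search(header_block(raw)) is not None

NAIVE = re.compile(r"From:\stestspam")  # the unanchored form from the thread
BOTH = and_pattern([("From", "testspam"), ("To", "testspam2")])

# Constructed sample messages (not real mail).
SAMPLES = {
    "both": "From: testspam\r\nTo: testspam2\r\nSubject: hi\r\n\r\nbody",
    "reordered": "To: testspam2\nSubject: hi\nFrom: testspam\n\nbody",
    "from_only": "From: testspam\nTo: someone\nSubject: hi\n\nbody",
    "longer_value": "From: testspamrandomtext\nTo: testspam2\n\nbody",
    "in_subject": "From: other\nTo: testspam2\nSubject: Re: From: testspam\n\nbody",
    "in_body": "From: other\nTo: testspam2\n\nFrom: testspam\n",
}

def run():
    """Map each sample name to (naive pattern result, AND pattern result)."""
    return {name: (matches(NAIVE, raw), matches(BOTH, raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, both) in run().items():
        print(f"{name:13} naive={naive!s:5} and={both}")
```
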
 