regex email filtering

ttremain

I've been getting a lot of spam recently with subjects like:

"Per fe ctTimeToRetr iev eNe wBra ndOfCa ps ule"

The common pattern I see is several occurrences of a lower case letter just before
an upper case one.

I've tried several regular expressions, but do not see how

([a-z][A-Z].+[a-z][A-Z].+[a-z][A-Z].+[a-z][A-Z])

Somehow, using the tester in cPanel, this matches almost anything, including this
subject I picked at random from my emails:

"Winter Update - Important"
The Filter has matched the following condition(s):
$header_subject: matches ([a-z][A-Z].+[a-z][A-Z].+[a-z][A-Z].+[a-z][A-Z])

When I test it with any other regex tool, it does not match this subject.

Am I doing anything wrong?

ttremain

Can you scan your server using iscanner?
I've run iscanner and saw nothing unusual. (ran it in the /usr folder) Several false positives.

Back to the regex filtering, I've tried this same filter on 3 different servers, and they all ring with tons of false positives.

It's probably worth opening up a ticket for.

ttremain

Turns out it's in how EXIM uses regex in their rules. If the rule file uses "MATCHES", the rule becomes case sensitive; if the rule file uses "matches" (like cPanel does), then the rule is not case sensitive.

The tech that helped me with this is passing the new info to cPanel developers.

Pony99CA

Has this been fixed yet? Some idiot is spoofing my domain to send spam, so I'm getting bounces from some invalid E-mail addresses. Worse, spammers are now sending spam to the spoofed E-mail addresses. The E-mail addresses being used fit the pattern of all UPPERCASE hexadecimal digits, so I'm trying to discard any E-mail where the To line matches the following:

^[A-F0-9]+[0-9][A-F]+[0-9][A-F0-9]*@example.com

Unfortunately, because a case-insensitive comparison is used, that also blocks undesired addresses. If I want a case-insensitive match, it's easy enough to do using the following:

^[a-fA-F0-9]+[0-9][a-fA-F]+[0-9][a-fA-F0-9]*@example.com

So I'm not sure why the default for regular expressions (an advanced feature) would default to case-insensitive comparisons.

Steve
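The case-folding behaviour described in the thread, reproduced as an added example (not code from the thread or from cPanel/Exim): the same two patterns quoted above are run in a case-sensitive mode ("MATCHES") and a case-insensitive mode ("matches"), against constructed sample subjects and addresses, to show which items only get caught because of case folding. The `example.com` address pattern has its dot escaped here; everything else is as posted.

```python
import re

# Patterns quoted in the thread: ttremain's subject rule and Steve's address rule.
SUBJECT_PATTERN = r"([a-z][A-Z].+[a-z][A-Z].+[a-z][A-Z].+[a-z][A-Z])"
# The posted pattern has an unescaped '.', which would match any character; escaped here.
ADDRESS_PATTERN = r"^[A-F0-9]+[0-9][A-F]+[0-9][A-F0-9]*@example\.com"

# Constructed sample data (not real mail): the first entry of each list has the spam
# shape the posters describe, the rest are legitimate-looking items.
SUBJECTS = [
    "Per fe ctTimeToRetr iev eNe wBra ndOfCa ps ule",  # spam subject quoted in the thread
    "Winter Update - Important",                       # legitimate subject from the thread
    "Meeting notes for the quarterly review",          # constructed legitimate subject
]
ADDRESSES = [
    "7A3F9B1C2D@example.com",   # constructed: all-uppercase hex local part
    "dec1ade2@example.com",     # constructed: lowercase a-f plus digits, not the spam shape
]


def filter_matches(pattern, text, case_sensitive):
    """Emulate one filter rule: 'MATCHES' is case sensitive, 'matches' folds case."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(pattern, text, flags) is not None


def evaluate(pattern, samples):
    """Map each sample to (MATCHES result, matches result) so the two modes can be compared."""
    return {
        s: (filter_matches(pattern, s, True), filter_matches(pattern, s, False))
        for s in samples
    }


def false_positives(pattern, samples):
    """Samples that match only under case folding: what a 'matches' rule would wrongly discard."""
    return [s for s, (strict, folded) in evaluate(pattern, samples).items()
            if folded and not strict]


if __name__ == "__main__":
    for label, pattern, samples in (("subject", SUBJECT_PATTERN, SUBJECTS),
                                    ("address", ADDRESS_PATTERN, ADDRESSES)):
        for s, (strict, folded) in evaluate(pattern, samples).items():
            print(f"{label:8} MATCHES={strict!s:5} matches={folded!s:5}  {s}")
        print(f"{label:8} discarded only by case folding: {false_positives(pattern, samples)}")
```

Under case folding, `[a-z][A-Z]` degenerates to "any two letters", which is why a subject like "Winter Update - Important" trips the rule.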