jxm287883
Trooper

 Joined: May 20, 2007 Posts: 19 Location: USA
Posted: Fri Aug 03, 2007 7:19 am Post subject: AND and OR in filter rules
This would be a really useful feature...
At the moment, in the filters, we can only specify that the rules we enter are AND'd or OR'd which is very limiting.
eg. rule and rule and rule and rule
eg. rule or rule or rule or rule
What would be great would be to have the ability to have a special 1st rule which could be AND'd against the others which could be OR'd.
eg rule1 AND (rule OR rule OR rule)
A real life example may help:
if body contains WATCHES and (REPLICA or SWISS or LUXURY or FAKE)
As it is the above would require 4 separate rules -
WATCHES and REPLICA
WATCHES and SWISS
WATCHES and LUXURY
WATCHES and FAKE
 |
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10629
Posted: Fri Aug 03, 2007 4:08 pm
Sounds like it should be easy enough to do using regex filters, check the wiki for how to use them and see if you can get what you want.
_________________
Questions? Try the wiki
http://wiki.castlecops.com/MailWasher_Pro
 |
HarryZonker
Trooper

 Joined: Jul 11, 2006 Posts: 13 Location: Washington, DC
Posted: Fri Aug 03, 2007 8:19 pm
I think what you want is:
Rule 1:
The body contains watches
Rule 2:
The body contains RegExpr (replica|swiss|luxury|fake)
Select "Apply this filter when all of the rules below are satisfied".
Note that Rule 1 can be 'watch' which matches both watch & watches. In Rule 2, the '|' character is the vertical bar usually placed on a keyboard above the '\' character.
Be careful...the filter, as it stands above, will match 'watches' and any one of the other words regardless of where in the email the two words occur, even if they occur separately at opposite ends of the body. As it stands above, it could match legitimate mail (false positives). To fix this you could try something like a near filter...if 'replica' is near 'watches' then match. This could be accomplished with a single RegExpr rule:
(replica|swiss|luxury|fake).{1,10}watches
This will match if one of the words 'replica, swiss, luxury, or fake' is followed by a string of 1 to 10 characters then followed by the word 'watches'. Even this revision could cause false positives...don't enable automatic deletion. An even safer alternative:
(replica|swiss|luxury|fake) +watches
which will match only if 1 or more (indicated by the + symbol) spaces separate the words.
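The trade-off between the three filters in the post above, as an added example that is not part of the original post or of MailWasher. Python's `re` stands in for the program's RegExpr engine, case-insensitive matching is an assumption, and the sample bodies are constructed.

```python
import re

# The three filters from the post. Case-insensitive matching is an assumption
# about how the mail client applies "contains" and RegExpr rules.
WORDS = r"(replica|swiss|luxury|fake)"
NEAR = re.compile(WORDS + r".{1,10}watches", re.I)
ADJACENT = re.compile(WORDS + r" +watches", re.I)

def evaluate(body):
    """Return which of the three filters would flag this message body."""
    both = re.search("watches", body, re.I) and re.search(WORDS, body, re.I)
    return {
        "and": bool(both),                        # Rule 1 AND Rule 2, any order
        "near": bool(NEAR.search(body)),          # word, 1-10 chars, 'watches'
        "adjacent": bool(ADJACENT.search(body)),  # word, spaces, 'watches'
    }

# Constructed sample bodies (not real mail): name -> (is_spam, body).
SAMPLES = {
    "spam_adjacent": (True, "Best REPLICA watches at 90% off"),
    "spam_gap": (True, "Genuine Swiss made watches, free shipping"),
    "spam_reversed": (True, "Watches: replica models from $49"),
    "ham_far": (False, "The Swiss office is closed Monday. "
                       "Separately, does anyone repair old watches?"),
    "ham_adjacent": (False, "I bought two Swiss watches in Geneva last year."),
}

def score(samples=SAMPLES):
    """Per filter: (spam caught, legitimate mail flagged)."""
    totals = {name: [0, 0] for name in ("and", "near", "adjacent")}
    for is_spam, body in samples.values():
        for name, hit in evaluate(body).items():
            if hit:
                totals[name][0 if is_spam else 1] += 1
    return {name: tuple(counts) for name, counts in totals.items()}

if __name__ == "__main__":
    for name, (caught, false_pos) in score().items():
        print(f"{name:9} spam caught: {caught}/3  false positives: {false_pos}/2")
```

Each tighter pattern misses more of the spam samples (the reversed word order defeats both single-regex forms), while the legitimate "Swiss watches" sentence is still flagged by all three.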
 |
jxm287883
Trooper

 Joined: May 20, 2007 Posts: 19 Location: USA
Posted: Sat Aug 04, 2007 7:03 am
wow, that's cool - I'll certainly try that.
 |
jxm287883
Trooper

 Joined: May 20, 2007 Posts: 19 Location: USA
Posted: Sat Aug 04, 2007 7:15 am
is there any way of using those to catch words that are deliberately separated by spaces/symbols etc?
Those megadik emails are really starting to annoy me. They all contain the letters in that order, but every email they split it up so it's "m eg ad ik" or "M eg a. Di k.".
oh how I whoop and whizgiggle every time they arrive - not!
so can it be done with a regex and some clever use of wildcards?
 |
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16515
Posted: Sat Aug 04, 2007 7:24 am
Some great tutorial stuff HZ! I offer one caution though. It is very difficult to maintain regex filters that attempt to track spam content. I've found that the learning spam tool is much better at tracking such indicators and that regex filters are better used to track particular header indicators such as Received: field forgeries, Subject line anomalies, attachment types, etc.
My own suggestion would be for MWP to allow the learning filter results to be combined with regex filter results so as to reduce FPs.
Someday perhaps ..... 
 |
HarryZonker
Trooper

 Joined: Jul 11, 2006 Posts: 13 Location: Washington, DC
Posted: Thu Aug 09, 2007 1:03 pm
Quote: very difficult to maintain regex filters that attempt to track spam
Yeah, I agree, it can be a (sometimes entertaining) battle.
Quote: allow the learning filter results to be combined with regex filter results
great idea...and fix memory errors....MW crashes more than any other program I paid for...many "Access Violations" and "Internal errors"...well, at least "I have not done anything wrong"...thank god.
 |
jxm287883
Trooper

 Joined: May 20, 2007 Posts: 19 Location: USA
Posted: Tue Sep 18, 2007 7:15 am
Ikeb wrote: regex filters are better used to track particular header indicators such as Received: field forgeries, Subject line anomalies, etc.
Can you give some examples?
 |
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16515
 |
jxm287883
Trooper

 Joined: May 20, 2007 Posts: 19 Location: USA
Posted: Sat Sep 22, 2007 12:09 pm
http://wiki.castlecops.com/Header_filtering
This one doesn't list any strategies for 'received from' (it's listed but blank). A useful one would be to match those that have a blank from address...
I have an email in mailwasher right now that has a header, but in the mailwasher view it has no subject, no sent date and no header - so obviously the header is fake - but how do I make a rule for that?
(in this case the 'less than 10 letter' rule has caught it, but a lot of other emails with actual content, a subject line and date also tend to leave out the 'from' info so this would be good to know how to do...)
 |
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16515
Posted: Sat Sep 22, 2007 4:14 pm
Yeah I never got around to explaining the nuances of the Received from field. One thing you'd have to do for sure is to study those fields in many spam (and legit) msgs. For example some ISPs test for legit email servers and place an "(unverified)" or something similar in the field. Suffice it to say that it's very dependent on ISP implementation as to what will work.
Re: no subject etc.: If you mean no such fields at all, try:
Quote: If the entire header does not contain "Subject:" and not "Date:" then mark the message as mail to be deleted.
If the fields are blank, try:
Quote: If the Subject field does not contain RegExpr ".{2,}" and the entire header does not contain RegExpr "Date:.{5,}" then mark the message as mail to be deleted.
 |
DearWebby
Lieutenant

 Joined: Oct 03, 2003 Posts: 262 Location: Canada
Posted: Mon Oct 08, 2007 8:31 am
Ikeb, if you can figure out a way to check the date against the current date, you'll nab an additional 2% of spam from spammers, who deliberately use future or past dates to sort as most current or to hide in old mail. A filter like that should actually be hardwired into the foundation of the program.
_________________
DearWebby
http://webby.com/humor
 |
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16515
Posted: Mon Oct 08, 2007 2:20 pm
No way of using a regex for that unfortunately. 
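The missing or blank Subject/Date rules and the date-against-current-date check discussed in the posts above, as an added Python example run over raw header text outside the filter engine; it is not part of the thread and not a MailWasher feature. The skew limits are assumed defaults, the sample headers are constructed, and each condition is reported separately rather than combined with AND.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Minimum value lengths mirror the ".{2,}" and "Date:.{5,}" rules in the thread.
MIN_LEN = {"Subject": 2, "Date": 5}

def header_findings(raw_headers, now, max_future=timedelta(days=1),
                    max_past=timedelta(days=30)):
    """List header anomalies; the skew limits are assumed defaults to tune."""
    msg = message_from_string(raw_headers)
    findings = []
    for name, min_len in MIN_LEN.items():
        value = msg.get(name)
        if value is None:
            findings.append(f"{name} missing")
        elif len(value.strip()) < min_len:
            findings.append(f"{name} blank")
    date_value = msg.get("Date")
    if date_value is None or len(date_value.strip()) < MIN_LEN["Date"]:
        return findings
    try:
        sent = parsedate_to_datetime(date_value)
    except (TypeError, ValueError):
        return findings + ["Date unparseable"]
    if sent.tzinfo is None:  # "-0000" zone yields a naive datetime: treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    if sent - now > max_future:
        findings.append("Date in future")
    elif now - sent > max_past:
        findings.append("Date in past")
    return findings

# Constructed header blocks (not real mail) and a fixed "current" time.
NOW = datetime(2007, 10, 8, 20, 0, tzinfo=timezone.utc)
SAMPLES = {
    "normal": "From: a@example.com\nSubject: Lunch?\nDate: Mon, 08 Oct 2007 08:31:00 -0600\n\n",
    "future": "From: b@example.com\nSubject: Offer\nDate: Thu, 08 Oct 2009 08:31:00 +0000\n\n",
    "past": "From: c@example.com\nSubject: Offer\nDate: Sat, 01 Jan 2000 00:00:00 +0000\n\n",
    "blank": "From: d@example.com\nSubject: \nDate: \n\n",
    "missing": "From: e@example.com\n\n",
    "garbled": "From: f@example.com\nSubject: Offer\nDate: sometime soon\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} {header_findings(raw, NOW)}")
```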