On 18.04.2018 14:48, Emanuel Gonzalez via Exim-users wrote:
> I've been having no luck with a simple regex to match strings with 20 or less characters.
...
> Subject example: Unlock Your Account
>
>
> discard condition = ${if match{$header_subject:}{.\{0,20\}Unlock Your Account\$}}
> logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"
>
> I try to match the rule with other types of subjects used to steal data, but not work. (Example America Alert: Unlock Your Account)
What exactly does not work? Note that you can always test your config
with swaks (from
http://www.jetmore.org/john/code/swaks/) piping into a
exim with debug enabled, e.g.
swaks --pipe "exim -bh 127.0.0.2 -d+expand"
Your condition will match with any number of characters before the
"Unlock..." string, because you didn't say the regex should match at the
beginning. But in general, it should work, as you can test yourself:
$ exim -be
> ${if match{America Alert: Unlock Your Account}{.\{0,20\}Unlock Your
Account\$}}
true
Usually you should not use "discard", because this will give no notice
to the sender (which is probably legit), "reject" is better suited.
If you really want to match 0 to 20 chars (which sounds a little
arbitrary to me), use this:
${if match{$header_subject:}{\N^.{0,20}Unlock Your Account$\N}}
Note that I used \N to prevent string expansion, so you don't have to
escape the regex special chars.
You will probably use more than only one or a few regexes, so it's more
convenient to put them into a textfile:
CFGDIR = /etc/exim
reject
condition = ${lookup {$header_subject:} nwildlsearch
{CFGDIR/reject_subjects} {yes} {no}}
and have the regexes in /etc/exim/reject_subjects like this (you need to
have ^ as the first character to indicate that it's a regex):
^.{0,20}Unlock Your Account$
