0

I am attempting to create some rules to help deal with the outbound spam we've seen lately from our customers being compromised. To do this I'm using an Exim filter and checking the subject or content against some common themes.

I believe the best way to handle this would be to use lookahead assertions. If I put the lookahead assertion in quotes it fails to work.

So for example:

$header_subject: matches "^(?=.*WORD1)(?=.*WORD2)(?=.*WORD3)"

I've found examples of lookahead use in the Exim config; however, I have not found it in use as part of a filter, which requires the quotes.

Maybe it's just not possible to use lookahead as part of a filter, or maybe there is even a better way to accomplish what I'm doing.

Eric Leschinski
Corey

2 Answers

1

There is no real need for lookahead assertions here; they are only required if you don't want to include the words in the match. Your basic regex is sort of correct, but it will only match if the words are in order.

aaronman
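An added example, not code from the question or either answer: it runs the question's anchored lookahead pattern and a single `.*`-joined pattern over constructed subject lines, so the effect of word order on each form can be checked before a rule is deployed. It uses Python's `re` rather than Exim itself; the helper names and sample subjects are hypothetical, and `re.IGNORECASE` is an assumption made to mirror the lower-case `matches` condition.

```python
import re

# Placeholder keywords taken from the question; real rules would use actual terms.
WORDS = ["WORD1", "WORD2", "WORD3"]

def lookahead_pattern(words):
    """One lookahead per word, all evaluated from the start of the subject."""
    return "^" + "".join(f"(?=.*{re.escape(w)})" for w in words)

def ordered_pattern(words):
    """Words joined by .* so they must appear in exactly this sequence."""
    return ".*".join(re.escape(w) for w in words)

def classify(subject, words=WORDS):
    """Report which form flags the subject, plus a plain substring check."""
    flags = re.IGNORECASE  # assumption: mirrors the lower-case `matches` test
    lowered = subject.lower()
    return {
        "lookahead": re.search(lookahead_pattern(words), subject, flags) is not None,
        "ordered": re.search(ordered_pattern(words), subject, flags) is not None,
        "all_present": all(w.lower() in lowered for w in words),
    }

# Constructed subject lines, not taken from real mail.
SAMPLES = [
    "WORD1 then WORD2 then WORD3",
    "WORD3 before WORD2 before WORD1",
    "only WORD1 and WORD3",
    "word2 mixed case WORD1 Word3",
]

def report(samples=SAMPLES):
    """Classify every sample subject."""
    return {s: classify(s) for s in samples}

if __name__ == "__main__":
    for subject, result in report().items():
        print(f"{subject!r}: {result}")
```

In every sample the lookahead result equals the `all_present` column, which is the same test as checking each word separately and requiring all of the checks to pass.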
0

How to handle one specific symptom of compromised accounts being abused by botnets:

https://github.com/Exim/exim/wiki/DetectSMTPAuthAbuse

Todd Lyons