Wednesday, June 3

Working with Gmail Filters

When my company went from using an IMAP server (which I used to filter using procmail rules) to using Google’s Gmail Cloud architecture for our email, I was excited. I’d been using my Google Gmail account for years, and up until that point, had always done so through IMAP.


After I moved my incredible amount of email up to Google’s servers, I found out that IMAP (Mail.app, Thunderbird, Mutt, etc) wasn’t cutting it very well and I would need to do something different.


Over the past couple of months I’ve been playing with just about every Mac-based email client there is (even Postbox, which seems to be everyone’s biggest “thing” right now), and I keep coming back to the same thing.


Google’s Web browsing Gmail experience. Of course, with the keyboard shortcuts.


I started off just dumping every email into my Inbox and labeling things manually (well, except for listservers). Occasionally using the “Filter Messages like this” button in Gmail.


Well, after using that method for awhile, I got to the point where my Gmail filters were gigantic. I had pages of filters. Sometimes 10-20 for the same label. So I decided I had to do something. I started playing with my filters in much the same way that I used to configure my Procmail rules.


Now, let me start off by saying that Gmail’s filters are not as powerful as Procmail rules and only support some simple regular expressions. For instance, I can’t write a rule in Procmail to handle complex email addresses like “handlers-1234567@address.here.com” Where the 7-digit number is a random ticket number. In procmail I used to be able to do things like “handlers\-\d{7}@address.here.com”, so I tried some experimenting to see what I could come up with, that works.


Well I found out that Parenthetical “Or” statements work fine. For example I have a rule that filters email some of the Snort lists I belong to that looks like this:


(list:("snort-users.lists.sourceforge.net"|"snort-sigs.lists.sourceforge.net"|"chisug.lists.snort.org"|"snort-devel.lists.sourceforge.net"|"snort-inline-users.lists.sourceforge.net"))


So, the filter string is to look at the “list” headers of the email and sort on “snort-users.lists.sourceforge.net” OR “snort-sigs.lists.sourceforge.net”. You get the point. Putting parenthesis around the group and saying “|” (pipe, or) in between each one. Allowed to me to take five list sorting lines and reduce it to one.


What I found out is, you can do this with anything, not just “list”, you can do it on From, To. etc. So I went crazy with consolidation. Heck I have one filter that filters, what I call, “bulk” email. Marketing stuff from companies, websites that I’ve signed up with, advertisements, twitter notices, facebook notices, etc. Skips the inbox, and labels it as “bulk”. Do I want to read it? I might need to look through some of it, but I don’t need it in my inbox. (By the way, this filter has about 75 “or” statements in it, it’s 10 lines long)


As I mentioned before, you can do this with a lot of things. I have a filter that deletes email from certain people. Email comes in with that “From” address? Do not pass Go, do not collect 200 dollars. Go straight to the Delete.


I can’t stop these people from sending me email, but I can certainly delete it automatically.


You can even do complex nested parenthetical groups. For example, my ISC handler email addresses can start with “handler” or “handlers”@domain.sans.org you can even write to isc@domain.sans.org (not the real email address, I’m doing to that eliminate spam, to contact us, go to our website at http://isc.sans.org)


So I have a rule that says:


to:(((handler|handlers)@domain.sans.ccc|(isc|anotheralias)@anotherdomain.sans.ccc))


What I have found is, by doing these groupings, it makes my filters and labels easier to sort and use.


All the email I possibly can, I filter using these methods, tag it with a label and “Skip Inbox”.


Found out I read email much less often now, and when I do it’s sorted much more accurately and efficiently.


Give it a shot.

No comments: