
Working with Gmail Filters

When my company went from using an IMAP server (which I used to filter using procmail rules) to using Google’s Gmail Cloud architecture for our email, I was excited. I’d been using my Google Gmail account for years, and up until that point, had always done so through IMAP.


After I moved my incredible amount of email up to Google’s servers, I found out that IMAP (Mail.app, Thunderbird, Mutt, etc) wasn’t cutting it very well and I would need to do something different.


Over the past couple of months I’ve been playing with just about every Mac-based email client there is (even Postbox, which seems to be everyone’s biggest “thing” right now), and I keep coming back to the same thing.


Google’s Gmail Web interface. With the keyboard shortcuts, of course.


I started off just dumping every email into my Inbox and labeling things manually (well, except for listservers), occasionally using the “Filter Messages like this” button in Gmail.


Well, after using that method for a while, I got to the point where my Gmail filters were gigantic. I had pages of filters, sometimes 10-20 for the same label. So I decided I had to do something. I started playing with my filters in much the same way that I used to configure my Procmail rules.


Now, let me start off by saying that Gmail’s filters are not as powerful as Procmail rules and only support some simple regular expressions. For instance, I can’t write a rule in Gmail to handle complex email addresses like “handlers-1234567@address.here.com”, where the 7-digit number is a random ticket number. In Procmail I used to be able to do things like “handlers\-\d{7}@address.here.com”, so I did some experimenting to see what I could come up with that works.


Well, I found out that parenthetical “or” statements work fine. For example, I have a rule that filters email from some of the Snort lists I belong to that looks like this:


(list:("snort-users.lists.sourceforge.net"|"snort-sigs.lists.sourceforge.net"|"chisug.lists.snort.org"|"snort-devel.lists.sourceforge.net"|"snort-inline-users.lists.sourceforge.net"))


So, the filter string looks at the “list” headers of the email and sorts on “snort-users.lists.sourceforge.net” OR “snort-sigs.lists.sourceforge.net”. You get the point. Putting parentheses around the group and a “|” (pipe, meaning or) between each one allowed me to take five list-sorting rules and reduce them to one.


What I found out is that you can do this with anything, not just “list”; you can do it on From, To, etc. So I went crazy with consolidation. Heck, I have one filter that filters what I call “bulk” email: marketing stuff from companies, websites that I’ve signed up with, advertisements, Twitter notices, Facebook notices, etc. It skips the inbox and labels it as “bulk”. Do I want to read it? I might need to look through some of it, but I don’t need it in my inbox. (By the way, this filter has about 75 “or” statements in it; it’s 10 lines long.)


As I mentioned before, you can do this with a lot of things. I have a filter that deletes email from certain people. Email comes in with that “From” address? Do not pass Go, do not collect 200 dollars. Go straight to Delete.


I can’t stop these people from sending me email, but I can certainly delete it automatically.


You can even do complex nested parenthetical groups. For example, my ISC handler email addresses can start with “handler” or “handlers”@domain.sans.org, and you can even write to isc@domain.sans.org (not the real email address; I’m doing that to eliminate spam. To contact us, go to our website at http://isc.sans.org).


So I have a rule that says:


to:(((handler|handlers)@domain.sans.ccc|(isc|anotheralias)@anotherdomain.sans.ccc))
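To see exactly which addresses the nested grouping above (and the “list” OR-group earlier in the post) boils down to, here is a small expander and matcher I added for this post; it is not Gmail’s code and it assumes the model the post describes, namely that a parenthesised group is a set of “|”-separated alternatives and the text outside the group is concatenated onto each of them. The sample messages are constructed.

```python
from itertools import product
# Model of the grouping the post describes (an assumption, not verified against
# Gmail itself): a parenthesised group is a set of '|'-separated alternatives,
# and any text outside the group is concatenated onto every alternative.

def expand(expr):
    """Flat list of alternatives a grouped expression stands for:
    expand('(a|b)@x') == ['a@x', 'b@x']; groups may nest."""
    alts, end = _alternatives(expr, 0)
    if end != len(expr):
        raise ValueError("unexpected ')' at position %d" % end)
    return alts

def _alternatives(s, i):
    # '|'-separated alternatives, up to a closing ')' or end of string
    options, i = _sequence(s, i)
    while i < len(s) and s[i] == '|':
        more, i = _sequence(s, i + 1)
        options += more
    return options, i

def _sequence(s, i):
    # concatenation of literals and nested groups; quotes are just delimiters
    parts = []
    while i < len(s) and s[i] not in '|)':
        if s[i] == '(':
            inner, i = _alternatives(s, i + 1)
            if i >= len(s) or s[i] != ')':
                raise ValueError("unbalanced '(' in %r" % s)
            i += 1
            parts.append(inner)
        else:
            j = i
            while j < len(s) and s[j] not in '|()':
                j += 1
            parts.append([s[i:j].strip('"')])
            i = j
    return [''.join(p) for p in product(*parts)], i

def matches(criterion, headers):
    """True if a 'field:expr' criterion hits the message's header for that
    field (case-insensitive substring test, like a search operator)."""
    field, expr = criterion.split(':', 1)
    value = headers.get(field.lower(), '').lower()
    return any(alt.lower() in value for alt in expand(expr))

# Constructed sample messages and the two rules from the post
HANDLER_MAIL = {'to': 'handlers@domain.sans.ccc', 'list': ''}
SNORT_MAIL = {'to': 'me@example.com', 'list': '<snort-sigs.lists.sourceforge.net>'}
OTHER_MAIL = {'to': 'me@example.com', 'list': '<unrelated.example.org>'}
TO_RULE = 'to:(((handler|handlers)@domain.sans.ccc|(isc|anotheralias)@anotherdomain.sans.ccc))'
LIST_RULE = 'list:("snort-users.lists.sourceforge.net"|"snort-sigs.lists.sourceforge.net")'
```

Running expand() on a consolidated rule before saving it is a cheap way to check that a long OR-chain covers exactly the senders or lists you meant and nothing else.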


What I have found is that these groupings make my filters and labels easier to sort and use.


All the email I possibly can, I filter using these methods: tag it with a label and “Skip Inbox”.


I’ve found that I read email much less often now, and when I do, it’s sorted much more accurately and efficiently.


Give it a shot.
