I'm trying to create signatures to match a particular series of large to
very large spams whose main identifier is a <style> or <script> tag
containing neither CSS or Javascript.
However, I'm having trouble finding a valid signature string for this
pattern. I've tried to create similar signatures for other patterns in
the past with equally little success.
The general case is <fixed string><limited-character-set gibberish>,
with the fixed string about 10 characters, and the gibberish I want to
match out to ~100 characters.
I'd just create a rule in SpamAssassin, but the problem is that these
are *huge*, in some cases - 4+MB of nothing but symbols following
<style>, for instance. Processing even ~200K versions of huge messages
like that is far too costly in SA.
I don't really want to just create a whole bunch of extended signatures
(.ndb) for common prefixes.
In PCRE, what I want a Clam signature to match on looks like:
/some string[asrtyu]{100}/
for suitable variations on "some string" and the character set "asrtyu".
Is this possible?
-kgd
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
