12}\s+){10}/
describe CP_WORDWORD_10 string of 10+ random words
score CP_WORDWORD_10 0.5
body CP_WORDWORD_15
/(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
describe CP_WORDWORD_15 string of 15+ random words
score CP_WORDWORD_15 2.5
Both of these should have
owed by any characters other than spaces or /
followed by @
So, can you regex and SpamAssassin geniuses provide feedback on my
rule? Will it work to catch these phishermen? Will it avoid tagging
legitimate URLs?
Thanks
--
Kurt Yoder
Sport & Health network administrator
us want to give some
hints? Specifically, I'd like to look for any "=" and/or "?" between
the fake domain (in this example www.fdic.gov) and the @. So the
regex would trigger on jumbles of characters simulating HTTP GET
URLs.
-
ww.visa.com" vs "63.247.87.138")?
This one seems to work for me:
#try to detect phishing schemes and penalize as spam
uri PHISHERMEN /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
describe PHISHERMEN probable web url disguised as another url for
Matt Kettler said:
> At 02:39 PM 1/26/04 -0500, Kurt Yoder wrote:
>
>
>>body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
>>score PHISHERMEN 5.0
>
>
> Don't use the body ruletype.. SA removes all HTML tags before
> running body.
>
> Use u
ion procedures. However, any admins who are used to install
wizards a la Windows will undoubtedly find SA more difficult to
install.
In my mind, there is space in the market for a commercially
supported version of SA. This could include a "canned" installa
project, or something like it. A little version
> control goes a long way!
That's a good idea.
Chris, if you want to set up a Sourceforge project and need any
information/help, I am volunteering. I say this because the
Sourceforge project administrative interface can be a bit
overwhelmin
IL PROTECTED]>
> Date:Tue, January 13, 2004 8:16 pm
> To: [EMAIL PROTECTED]
> ------
>
--
Kurt Yoder
Sport & Health network administrator
ines of tripwire
hits in the header? Any beyond that could be scored as a single
spamassassin entry such as "multiple tripwire hits" and receive the
tripwire score times number of hits. This would make for a
"prettier" header.
--
Kurt Yoder
Sport & Health network ad
Chris Santerre said:
> Popcorn, Weeds, Backhair, and Tripwire. One spam could hit 5 of each. But
> I'm still curious. I've got to have more rules than anyone else. I get VERY
> long description headers. But I don't get any errors. What SA version are
> you running?
Heh... sorry, it's not m