On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
> The bigger picture: I'm working on some ISP/.edu phishing rules
> inspired by the old 419 rules... lots of words and short phrases
> indicating an attempt to get our account information (either through
> email or free web form sites), and a me
On Sat, Sep 26, 2009 at 11:11:05AM -0400, Adam Katz wrote:
> Karsten Bräckelmann wrote:
> > > This is a plain RE rule I once wrote, to limit some rule to really short
> > > messages only.
> > >
> > >rawbody __KB_RAWBODY_200 /^.{0,200}$/s
>
> Warren Togami mused:
> > I suspect meta limiting A
On Sat, 26 Sep 2009, Adam Katz wrote:
Warren Togami mused:
I noticed too many FP's on short e-mails.
Combining that with Karsten's rawbody check (though I'm not sure what char
length threshold would be a good one), we'd get (please unwrap meta line):
meta IXHASH_CHECK __KB_RAWBODY_200 &&
Karsten Bräckelmann wrote:
> > This is a plain RE rule I once wrote, to limit some rule to really short
> > messages only.
> >
> >rawbody __KB_RAWBODY_200 /^.{0,200}$/s
Warren Togami mused:
> I suspect meta limiting Adam's IXHASH rules with a minimum size subrule
> would eliminate many of th
On 09/26/2009 06:25 AM, Karsten Bräckelmann wrote:
On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
The bigger picture: I'm working on some ISP/.edu phishing rules
inspired by the old 419 rules... lots of words and short phrases
indicating an attempt to get our account information (either t
On Sat, 26 Sep 2009, Karsten Bräckelmann wrote:
On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
Try this:
uri URI_GOOG_READER m;^https?://(?:www\.)?google[\.,]com/reader/;i
Another note which I've seen here before: Drop the [.,] for the host
part of a uri rule. It's not a URI if it c
On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
> On Fri, 25 Sep 2009, Guillaume Gelle wrote:
>
> > Don't know what you mean by (?:) and backtracking tho, I'll double check
> > the wiki page about syntax ;)
The (?:foo|bar) is a non-capturing, pure alternation, indicated by
the ?: after the
to...@starbridge.org wrote:
> Benny Pedersen wrote:
>> On fre 25 sep 2009 13:38:19 CEST, "to...@starbridge.org" wrote
>
>>> I've tested with SA 3.2.5 and it's working fine with
>>> Rule2XSBody active. I've tried to delete compiled rules and
>>> c
On Sat, Sep 26, 2009 at 12:25:32PM +0200, Karsten Bräckelmann wrote:
> On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
> > The bigger picture: I'm working on some ISP/.edu phishing rules
> > inspired by the old 419 rules... lots of words and short phrases
> > indicating an attempt to get our