On Thu, 10 Jul 2003, Chris Santerre wrote:

>
>
> I had a rule note on this from before. Haven't got to it yet. Basically
> because of the FP rate. I'm going to write a few quick rules that look for
> letterzeroletter and letter1letter. You can see why the FP rate would be
> high. But I would score this low. Possibly combine some of the rules. Like
> looking for multiple instances of the rule.
>
> It is easy to write a rule for some of the better-known ones like
> /(f|ph)(o|0)t(o|0)/i
> but with all the ways of doing OBFU it would be kind of big.

One thing to watch, that particular rule will match on "photo"
(something you might find in 'ham'). If you make it so that there
-must- be an obfuscating character in there, you can then assign it
a larger score with less fear of FPs.

I've got a rule like:

body PORN_23            /y0ung.{0,3} (?:m.dels?|g[i,1]r.s?)|p0rtal|rem0ve|bl0wing|blowj0b|0ral|g1rls?|phot0s?|c0re|%random_word|%random_text|fxcking|fuck1ng|erect1ons|erecti0n|adu1t|materia1|m0ms|penís|erectíon|h0tties|s1te|0rgasm|b00b|peepsh0w|p u s s i e s|c u m/i
describe PORN_23        Possible porn - attempt to hide porn key-words
score PORN_23           3.4

That seems to hit a lot of that kind of porn.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
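
The point made in the reply above, as an added example that is not part of the original message or of SpamAssassin: a pattern that accepts either the letter or its look-alike digit also matches the plain word, while a negative lookahead for the plain spelling forces at least one substituted character. The substitution map, the helper names and the sample lines are assumptions constructed for illustration; the words are taken from the alternatives in the PORN_23 rule.

```python
import re

# Look-alike digits discussed in the thread: 0 for "o", 1 for "i" or "l".
SUBS = {"o": "0", "i": "1", "l": "1"}

# Plain words taken from alternatives in the PORN_23 rule above.
WORDS = ["photo", "site", "remove", "portal"]


def loose_rule(word):
    """Letter-or-digit at each position, in the style of /(f|ph)(o|0)t(o|0)/i.
    Also matches the plain spelling, which is the false-positive source."""
    body = "".join(f"[{c}{SUBS[c]}]" if c in SUBS else re.escape(c) for c in word)
    return re.compile(body, re.I)


def strict_rule(word):
    """Same variants, but a negative lookahead rejects the plain spelling,
    so a hit requires at least one substituted character."""
    return re.compile(f"(?!{re.escape(word)}){loose_rule(word).pattern}", re.I)


def hits(build, text, words=WORDS):
    """Return the words whose rule (built by `build`) fires on `text`."""
    return [w for w in words if build(w).search(text)]


# Constructed sample lines (not real mail).
HAM = "Please remove the old photo from the site portal."
SPAM = "see our phot0s on this s1te, click to rem0ve"

if __name__ == "__main__":
    for label, text in (("ham", HAM), ("spam", SPAM)):
        print(f"{label:4} loose={hits(loose_rule, text)} strict={hits(strict_rule, text)}")
```

The loose form fires four times on the ham line and the strict form not at all, while both fire on the obfuscated line, which is why the strict form can carry the higher score.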


