> -----Original Message----- > From: David B Funk [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 6:15 PM > To: Chris Santerre > Cc: 'German Staltari'; [EMAIL PROTECTED] > Subject: RE: [SAtalk] tricky spam > > > On Thu, 10 Jul 2003, Chris Santerre wrote: > > > > > > > I had a rule note on this from before. Haven't got to it > yet. Basicaly > > because of the FP rate. I'm going to write a few quick > rules that look for > > letterzeroletter and letter1letter. You can see why the FP > rate would be > > high. But I would score this low. possibly combine some of > the rules. Like > > looking for multiple instances of the rule. > > > > It is easy to write a rule for some of the better knowns ones like > > /(f|ph)(o|0)t(o|0)/i > > but with all the ways of doing OBFU it would be kind of big. > > One thing to watch, that particular rule will match on "photo" > (something you might find in 'ham'). If you make it so that there > -must- be an obviscating character in there, you can then assign it > a larger score with less fear of FPs. > > I've got a rule like: > > body PORN_23 /y0ung.{0,3} > (?:m.dels?|g[i,1]r.s?)|p0rtal|rem0ve|bl0wing|blowj0b|0ral|g1rl > s?|phot0s?|c0re|%random_word|%random_text|fxcking|fuck1ng|erec > t1ons|erecti0n|adu1t|materia1|m0ms|penís|erectíon|h0tties|s1te > |0rgasm|b00b|peepsh0w|p u s s i e s|c u m/i > describe PORN_23 Possible porn - attempt to hide porn key-words > score PORN_23 3.4 > > That seems to hit a lot of that kind of porn. > > -- > Dave Funk University of Iowa
Heh, yeah. I wrote that off the top of my head quick. But yeah, I try to make sure I don't do what I just typed :) Usually write it like, /(f|ph)ot0|(f|ph)0to/i Here's a good tip on your above porn rule: /p.?u.?s.?s.?i.?e.?s/i might just grab a lot more. But be mindfull of some FPs. I did one like this before /f.?r.?e.?e/i which hit on the word 'forever' :) Oops. I have a very similar set of rules like yours. But I didn't have s1ite in them. Thanks for that nice one. Chris ------------------------------------------------------- This SF.Net email sponsored by: Parasoft Error proof Web apps, automate testing & more. Download & eval WebKing and get a free book. www.parasoft.com/bulletproofapps1 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
