> -----Original Message----- > From: Gary Funck [mailto:[EMAIL PROTECTED] > Sent: Saturday, August 02, 2003 4:30 PM > To: Spamassassin List > Subject: [SAtalk] How to detect *only* obfuscated strings? > > > > > Simple example: > > body REMOVE_OBFUSCATE > /(Rem(o|0)ve|Delete).{0,10}y(o|0)ur.{0,10}(e[-]?mai(l|1)|address)/i > describe REMOVE_OBFUSCATE Remove y0ur e-mail > > Above, this pattern will match (among other things): > Remove your e-mail > Rem0ve y0ur e-mai1 > > where the second string has been obfuscated by replacing 'o' > with '0' and > 'l' with '1'. > > Let's say that I think the odds of a spam are higher if the > obfuscated form is > used, than when the regular form is used. Can you suggest a > way to modify this > pattern > so that the pattern only matches obfuscated uses? Note: to > meet my definition > of > obfuscated, only one of the substitutions above must appear. > For example, > Remove y0ur e-mail > will suffice as an obfuscated form of "Remove your e-mail". > >
I'm a little behind in reading and writing today :) You could try the NOT function, that's what I call it :) /rem[^o]ve/i would give you everything BUT remove with an 'o'. But then if you place this in a rule with a phrase like above, and they OBFU just the word 'your' then he rule will fail to hit. This may be a case of using a single word OBFU rule rather then a phrase. As any OBFU is usually spam. Score it low. Remember to look for possible FPs! Typical example is /f.?r.?e.?e/i tries to look for FREE OBFU, but will hit on the word FOREVER :) Remember to start threads about rules with [RD] in the subject. :oP HTH Chris Santerre System Admin and SA Custom Rules Emporium keeper http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm "A little nonsense now and then, is relished by the wisest men." - Willy Wonka ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
