> -----Original Message----- > From: Chris Santerre > Sent: Monday, August 04, 2003 8:53 AM [...] > > > > > > I'm a little behind in reading and writing today :) > > You could try the NOT function, that's what I call it :) > > /rem[^o]ve/i would give you everything BUT remove with an 'o'. > But then if > you place this in a rule with a phrase like above, and they OBFU just the > word 'your' then he rule will fail to hit. This may be a case of using a > single word OBFU rule rather then a phrase. As any OBFU is usually spam. > > Score it low. >
Good idea, thanks. I was also thinking of using META rules: body REMOVE_REQ /(Remove|Delete).{0,10}your.{0,10}(e[-]?mail|address)/i describe REMOVE_REQ Remove Request body REMOVE_REQ_ALT /(Rem(o|0)ve|Delete).{0,10}y(o|0)ur.{0,10}(e[-]?mai(l|1)|address)/i descrive REMOVE_REQ_ALT Remove Request with possible alternate spellings meta REMOVE_REQ_OBFU REMOVE_REQ_ALT && !REMOVE_REQ describe REMOVE_REQ_OBFU Remove Request (obfuscated) A bit of a pain, but it would do the job, no? > Remember to look for possible FPs! Typical example is > /f.?r.?e.?e/i tries to > look for FREE OBFU, but will hit on the word FOREVER :) > Thanks for the tip. I usually reserve 'gappy' tests for longer strings, like: body CORAL_CALCIUM /C.?o.?r.?a.?l.?C.?a.?l.?c.?i.?u.?m/i > Remember to start threads about rules with [RD] in the subject. :oP done. <g> ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk