> -----Original Message-----
> From: Chris Santerre
> Sent: Monday, August 04, 2003 8:53 AM
[...]
> >
> >
>
> I'm a little behind in reading and writing today :)
>
> You could try the NOT function, that's what I call it :)
>
> /rem[^o]ve/i  would give you everything BUT remove with an 'o'.
> But then if
> you place this in a rule with a phrase like above, and they OBFU just the
> word 'your' then the rule will fail to hit. This may be a case of using a
> single word OBFU rule rather than a phrase. As any OBFU is usually spam.
>
> Score it low.
>

Good idea, thanks.

I was also thinking of using META rules:

body REMOVE_REQ /(Remove|Delete).{0,10}your.{0,10}(e[-]?mail|address)/i
describe REMOVE_REQ Remove Request

body REMOVE_REQ_ALT /(Rem(o|0)ve|Delete).{0,10}y(o|0)ur.{0,10}(e[-]?mai(l|1)|address)/i
describe REMOVE_REQ_ALT Remove Request with possible alternate spellings

meta REMOVE_REQ_OBFU REMOVE_REQ_ALT && !REMOVE_REQ
describe REMOVE_REQ_OBFU Remove Request (obfuscated)

A bit of a pain, but it would do the job, no?

> Remember to look for possible FPs! Typical example is
> /f.?r.?e.?e/i tries to
> look for FREE OBFU, but will hit on the word FOREVER :)
>

Thanks for the tip. I usually reserve 'gappy' tests for longer strings,
like:

body CORAL_CALCIUM                /C.?o.?r.?a.?l.?C.?a.?l.?c.?i.?u.?m/i

> Remember to start threads about rules with [RD] in the subject. :oP

done. <g>
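
The rule logic discussed in this thread, emulated in Python as an added example (not part of the original message and not SpamAssassin's own code). The sample bodies are constructed, REMOVE_NOT_O and FREE_GAPPY are hypothetical rule names for the quoted patterns, and each pattern is applied to the whole sample string rather than per paragraph. The "mixed" sample covers a message that contains both the plain and the altered spelling.

```python
import re

# Patterns copied from the rules in the message; Perl's /i becomes re.I.
RULES = {
    "REMOVE_REQ": re.compile(
        r"(Remove|Delete).{0,10}your.{0,10}(e[-]?mail|address)", re.I),
    "REMOVE_REQ_ALT": re.compile(
        r"(Rem(o|0)ve|Delete).{0,10}y(o|0)ur.{0,10}(e[-]?mai(l|1)|address)", re.I),
    # Hypothetical name: the quoted negated-class idea inside the same phrase.
    "REMOVE_NOT_O": re.compile(
        r"rem[^o]ve.{0,10}your.{0,10}(e[-]?mail|address)", re.I),
    # Hypothetical name: the short 'gappy' pattern quoted as an FP risk.
    "FREE_GAPPY": re.compile(r"f.?r.?e.?e", re.I),
}

def evaluate(body):
    """Return the set of rule names that hit, including the meta rule."""
    hits = {name for name, rx in RULES.items() if rx.search(body)}
    # meta REMOVE_REQ_OBFU REMOVE_REQ_ALT && !REMOVE_REQ
    if "REMOVE_REQ_ALT" in hits and "REMOVE_REQ" not in hits:
        hits.add("REMOVE_REQ_OBFU")
    return hits

# Constructed sample bodies (not taken from real mail).
SAMPLES = {
    "plain": "To remove your email from our list, reply to this message.",
    "zero_in_remove": "To rem0ve your email from our list, reply.",
    "zero_in_your": "To remove y0ur e-mail address, reply.",
    "mixed": "Remove your address here. Or rem0ve y0ur emai1 there.",
    "ham": "These photos will stay online forever.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15} {sorted(evaluate(body))}")
```

The meta rule is computed from whole-message hit flags, so the "mixed" sample hits REMOVE_REQ and therefore does not raise REMOVE_REQ_OBFU; the "ham" sample shows the FOREVER false positive on the short gappy pattern.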



