Taking advice from the group, I've switched these rules to using chr sets []:
body  __FVGT_b_OBFU_J  /j[bcfgw]/i
body  __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
body  __FVGT_b_OBFU_Q0 /[jkpqtvwz]q/i
body  __FVGT_b_OBFU_Q1 /q[afhjkmnsy]/i
body  __FVGT_b_OBFU_V  /[fgqw]v/i
body  __FVGT_b_OBFU_X  /[cgjkqsvz]x/i
body  __FVGT_b_OBFU_Z  /[fjkpqx]z/i

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
mailto:[EMAIL PROTECTED]



Chris Santerre wrote:
>> Update of OBFU chr's rule.
>
> I think we can call them Fred's OBFU rules now. You did much more
> work on them than I did. Heck, you looked at a bunch of dictionaries.
> I can't even spell dictionary! :-)
>
>
>>
>> rawbody  __FVGT_rb_ATTACHMENT /Content-Disposition: attachment/i
>> body  __FVGT_b_OBFU_J  /j(b|c|f|g|w)/i
>> body  __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
>> body  __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
>> body  __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
>> body  __FVGT_b_OBFU_V  /(f|g|q|w)v/i
>> body  __FVGT_b_OBFU_X  /(c|g|j|k|q|s|v|z)x/i
>> body  __FVGT_b_OBFU_Z  /(f|j|k|p|q|x)z/i
>> meta  FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z && !__FVGT_rb_ATTACHMENT) > 1)
>> describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
>> score  FVGT_m_MULTI_ODD 1.4
>>
>>
>
> So So So very nice. Have you run this past an email written in
> MS.Word? I've seen some FP's on mine. I'm thinking you might need to
> add one more meta that checks to make sure it wasn't written in Word.
> I have a rule I can send you somewhere. You don't want to check the
> obvious stuff for word docs, as spammers can fake that.
>
> I'll test against this tomorrow and see.
>
>
>> This one is less likely to cause false positives when a message contains a
>> double-forwarded attachment.
>> That's the only issues I've seen here.
>>
>
> Nice thinking!
>
>
>> Is this rule syntax legal?  I didn't know I could combine an additive rule
>> with a ! and have it all work ;)
>>
>
> Define "legal" ;)      Looks OK to me!
>
> --Chris Santerre
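
Added example, not part of the original thread or of SpamAssassin: a Python model of the seven sub-rules that checks the character-set rewrite against the earlier alternation form and evaluates the meta two ways. It assumes each sub-rule counts once per message and that the meta expression follows Perl operator semantics; the function names and sample messages are constructed for illustration.

```python
import re
from itertools import product
from string import ascii_lowercase

# Sub-rules as posted: name -> (character-set form, earlier alternation form).
RULES = {
    "J":     (r"j[bcfgw]",               r"j(b|c|f|g|w)"),
    "OTHER": (r"(vj|vk|xj|xk|yy|zf|zj)", r"(vj|vk|xj|xk|yy|zf|zj)"),
    "Q0":    (r"[jkpqtvwz]q",            r"(j|k|p|q|t|v|w|z)q"),
    "Q1":    (r"q[afhjkmnsy]",           r"q(a|f|h|j|k|m|n|s|y)"),
    "V":     (r"[fgqw]v",                r"(f|g|q|w)v"),
    "X":     (r"[cgjkqsvz]x",            r"(c|g|j|k|q|s|v|z)x"),
    "Z":     (r"[fjkpqx]z",              r"(f|j|k|p|q|x)z"),
}
NEW = {n: re.compile(new, re.I) for n, (new, _) in RULES.items()}
OLD = {n: re.compile(old, re.I) for n, (_, old) in RULES.items()}
ATTACHMENT = re.compile(r"Content-Disposition: attachment", re.I)

def forms_agree():
    """Every pattern matches exactly two letters, so all 676 bigrams are exhaustive."""
    bigrams = ("".join(p) for p in product(ascii_lowercase, repeat=2))
    return all(bool(NEW[n].search(b)) == bool(OLD[n].search(b))
               for b in bigrams for n in RULES)

def hits(body):
    """Names of sub-rules that match; each counts once per message (assumption)."""
    return [n for n, rx in NEW.items() if rx.search(body)]

def multi_odd_intended(body, raw=""):
    """More than one sub-rule hit, and no attachment header in the raw body."""
    return len(hits(body)) > 1 and not ATTACHMENT.search(raw)

def multi_odd_as_written(body, raw=""):
    """(sum && !attachment) > 1 with Perl semantics: && yields its right operand
    when the left is true, so the parenthesised value is never above 1."""
    total, no_att = len(hits(body)), int(not ATTACHMENT.search(raw))
    return (no_att if total else total) > 1

# Constructed sample messages, not taken from real mail.
OBFUSCATED = "buy vxiagra cheap, qjzx offer"
ONE_HIT = "Read the FAQs first"
RAW_WITH_ATTACHMENT = "Content-Disposition: attachment; filename=fwd.eml\n" + OBFUSCATED

if __name__ == "__main__":
    for body, raw in [(OBFUSCATED, ""), (ONE_HIT, ""), (OBFUSCATED, RAW_WITH_ATTACHMENT)]:
        print(hits(body), multi_odd_intended(body, raw), multi_odd_as_written(body, raw))
```

Under those assumptions, comparing the sum to 1 first and applying the attachment test outside that comparison gives the "more than one odd combination, no attachment" behaviour the describe line states.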



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk