Taking advice from the group, I've switched these rules to using chr set's [] body __FVGT_b_OBFU_J /j[bcfgw]/i body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i body __FVGT_b_OBFU_Q0 /[jkpqtvwz]q/i body __FVGT_b_OBFU_Q1 /q[afhjkmnsy]/i body __FVGT_b_OBFU_V /[fgqw]v/i body __FVGT_b_OBFU_X /[cgjkqsvz]x/i body __FVGT_b_OBFU_Z /[fjkpqx]z/i
Frederic Tarasevicius Internet Information Services, Inc. http://www.i-is.com/ 810-794-4400 mailto:[EMAIL PROTECTED] Chris Santerre wrote: >> Update of OBFU chr's rule. > > I think we can call them Fred's OBFU rules now. You did much more > work on them then I did. Heck, you looked at a bunch of dictionaries. > I can't even spell dictionary! :-) > > >> >> rawbody __FVGT_rb_ATTACHMENT /Content-Disposition: attachment/i >> body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i >> body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i >> body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i >> body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i >> body __FVGT_b_OBFU_V /(f|g|q|w)v/i >> body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i >> body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i >> meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + >> __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + >> __FVGT_b_OBFU_X + >> __FVGT_b_OBFU_Z && !__FVGT_rb_ATTACHMENT) > 1) >> describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter >> combinations >> score FVGT_m_MULTI_ODD 1.4 >> >> > > So So So very nice. Have you run this past an email written in > MS.Word? I've seen some FP's on mine. I'm thinking you might need to > add one more meta that checks to make sure it wasn't written in Word. > I have a rule I can send you somewhere. You don't want to check the > obvious stuff for word docs, as spammers can fake that. > > I'll test against this tomorrow and see. > > >> This one is less likely to cause false positves when a >> message contains a >> double-forwarded attachment. >> That's the only issues I've seen here. >> > > Nice thinking! > > >> Is this rule syntax legal? I didn't know I could combine an >> additive rule >> with a ! and have it all work ;) >> > > Define "legal" ;) Looks OK to me! > > --Chirs Santerre ------------------------------------------------------- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk