I have been experimenting with rules that will catch periods and pipes obfuscating text. Attached is my punctuation.cf file. It caught your example.
* 0.5 -- BODY: MY: Word obfu by periods (a.bcd)
* 0.5 -- BODY: MY: Word obfu by periods (abcde.fghij)
* 0.5 -- BODY: MY: Word obfu by periods (abc.d)
* 0.5 -- BODY: MY: Word obfu by periods (abc.defgh)
* 0.5 -- BODY: MY: Word obfu by periods (abc.def)
* 0.5 -- BODY: MY: Word obfu by periods (ab.cdefgh)
* 0.5 -- BODY: MY: Word obfu by periods (abcd.e)
* 0.5 -- BODY: MY: Word obfu by periods (ab.cdefghi)
* 0.5 -- BODY: MY: Word obfu by periods (a.bcde)
* 0.5 -- BODY: MY: Word obfu by periods (ab.cd)
* 0.5 -- BODY: MY: Word obfu by periods (ab.cde)
* 0.5 -- BODY: MY: Word obfu by periods (a.bcdefg)
The basic test looks like:
rawbody MY_RBDY_PDS_1P3 / [a-z]{1}\.[a-z]{3}[ \!\?]/i
Right now I am creating the iterations. I am considering moving to
something like:
rawbody MY_RBDY_PDS_1P / [a-z]{1}\.[a-z]{3,8}[ \!\?]/i
But for now it is what it is.
You will need to score as you see fit. I am scoring low and looking for
FPs. Have not found any yet but it does not mean that they will not crop up
so no guarantees!
--Larry
-----Original Message-----
From: erin o'brien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2003 7:04 PM
To: [EMAIL PROTECTED]
Subject: [SA Hits: 14.10] [SAtalk] Spam Message not nearly picked up by
rules
I am not a programmer, so I could not think of any "rule" to catch this one.
I only hope that someone here can. I have gotten quite a few of these (at
least two per day), and it's always from my forged email address from
someone named wilfred or arthur.
Thanks.
--big snip to get rid of HTML --
punctuation.cf
Description: Binary data
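Added example, not part of the original thread or of the attached punctuation.cf: a small Python harness that runs the two patterns quoted in the message over sample lines and counts catches, misses and false positives per rule. The sample lines are constructed, and treating each one as a single body line is an assumption about how the rule sees the text.

```python
import re

# Patterns copied from the message; Perl's case-insensitive modifier becomes re.I.
RULES = {
    "MY_RBDY_PDS_1P3": re.compile(r" [a-z]{1}\.[a-z]{3}[ \!\?]", re.I),
    "MY_RBDY_PDS_1P": re.compile(r" [a-z]{1}\.[a-z]{3,8}[ \!\?]", re.I),
}

# Constructed sample lines (not from the list): (text, contains_obfuscated_word)
SAMPLES = [
    ("get your f.ree trial", True),        # 1 + 3 letters, space on both sides
    ("lowest p.rices today!", True),       # 1 + 5 letters: only the range form fits
    ("buy v.iagra online", True),          # 1 + 5 letters
    ("M.ortgage rates are low", True),     # line start: no leading space to match
    ("it is f.ree, act now", True),        # trailing comma is not in [ !?]
    ("please open a.txt today", False),    # file name has the same shape
    ("signed by J.Doe yesterday", False),  # initial plus surname has the same shape
    ("see e.g. the manual", False),        # abbreviation, too short after the period
    ("costs 3.50 per unit", False),        # digits never match [a-z]
]

def hits(text):
    """Return the names of the rules whose pattern matches this line."""
    return {name for name, rx in RULES.items() if rx.search(text)}

def evaluate(samples=SAMPLES):
    """Count catches (tp), misses (fn) and false positives (fp) per rule."""
    stats = {name: {"tp": 0, "fn": 0, "fp": 0} for name in RULES}
    for text, obfuscated in samples:
        matched = hits(text)
        for name in RULES:
            if obfuscated:
                stats[name]["tp" if name in matched else "fn"] += 1
            elif name in matched:
                stats[name]["fp"] += 1
    return stats

if __name__ == "__main__":
    for name, s in evaluate().items():
        print(f"{name}: caught={s['tp']} missed={s['fn']} false_positives={s['fp']}")
```

Swapping in real ham and spam lines from a local corpus gives a quick read on false-positive exposure before a score is assigned.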
