My current spam problem consists almost entirely of spam advertising watches and various pain relief products. I have a reasonable variety of rulesets installed including the following (it's not definitive as I don't have access to the server right now):
SARE General Subject
SARE HEADER
SARE html0
SARE OEM
SARE Random
SARE Ratware Detection
SARE Specific
SARE Spoof
EvilNumber
Can anyone suggest what might catch these watch and pain relief spams before I start writing some of my own?
What version of SA do you use? If 2.6x, look at antidrug for the pain relief side.
You could do an antidrug-esque version of a rolex rule...
Something like this:
body __ROLEX_PLAIN /rolex/i
body ROLEX_BODY /(?:\b|\s)[_\W]{0,3}r[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}[l!|1][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}x[_\W]{0,3}(?:\b|\s)/i
describe ROLEX_BODY refers to a rolex in body or subject
score ROLEX_BODY 0.5
meta ROLEX_OBFU (ROLEX_BODY && !__ROLEX_PLAIN)
describe ROLEX_OBFU obfuscated rolex reference
score ROLEX_OBFU 2.0
(note: OBFU fires in cascade with BODY, so an obfuscated rolex reference will hit for 2.5)
I've seen another variant about by Matthew Newton that makes a bunch of rules for both subject and body separately. I generally don't do this as the body rules will match the subject line, so there's really no need, other than as a score amplifier. I usually only make subject rules when a body rule isn't appropriate. He's also done separate regular and gappy-text rules, but doesn't pick up on character-sub obfuscations. It is a decent set however.
One good rule I've seen that Matthew Newton wrote is this one:
rawbody UOLCC_WATCH_BODY /^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|[Ww])atch\?\s*$/m
describe UOLCC_WATCH_BODY Body asks if you want a watch
score UOLCC_WATCH_BODY 1.5
Very targeted, but effective with low risk of FPs.
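An added example, not part of the thread or written by its posters: a small Python harness that runs the ROLEX_BODY / ROLEX_OBFU cascade and the UOLCC_WATCH_BODY rule over constructed sample lines, to check what fires and what the combined score is before deploying the rules. It assumes plain regex matching over raw bytes, which only approximates how SpamAssassin renders body and rawbody text; evaluate and SAMPLES are names made up here.

```python
import re

# Patterns copied from the rules quoted in the thread, compiled as bytes so
# that \W and \xF2-\xF6 act on raw 8-bit text, not Unicode code points.
ROLEX_PLAIN = re.compile(rb"rolex", re.I)
ROLEX_BODY = re.compile(
    rb"(?:\b|\s)[_\W]{0,3}r[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}[l!|1][_\W]{0,3}"
    rb"[e3\xE8-\xEB][_\W]{0,3}x[_\W]{0,3}(?:\b|\s)", re.I)
WATCH_BODY = re.compile(
    rb"^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|[Ww])atch\?\s*$", re.M)

SCORES = {"ROLEX_BODY": 0.5, "ROLEX_OBFU": 2.0, "UOLCC_WATCH_BODY": 1.5}


def evaluate(text: bytes):
    """Return (sorted names of rules that hit, total score) for one text."""
    hits = set()
    plain = bool(ROLEX_PLAIN.search(text))  # __ROLEX_PLAIN, unscored sub-rule
    if ROLEX_BODY.search(text):
        hits.add("ROLEX_BODY")
        if not plain:  # meta ROLEX_OBFU = ROLEX_BODY && !__ROLEX_PLAIN
            hits.add("ROLEX_OBFU")
    if WATCH_BODY.search(text):
        hits.add("UOLCC_WATCH_BODY")
    return sorted(hits), sum(SCORES[h] for h in hits)


# Constructed sample texts (not real mail): spam-like lines and ham controls.
SAMPLES = [
    b"Genuine Rolex replica",            # plain spelling
    b"Genuine R0l3x replica",            # character substitution
    b"r.o.l.e.x for less",               # gappy text
    b"best r\xf2lex deals",              # Latin-1 accented o
    b"Want a cheap watch?\nR_O_L_E_X",   # both rule families
    b"Prolexic mitigated the attack",    # ham: 'rolex' inside another word
    b"I want a watch for my birthday",   # ham: not the bare question line
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, *evaluate(sample))
```

The two ham controls at the end of SAMPLES are the ones to extend with text from your own mail flow when judging FP risk.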