At 04:43 PM 12/13/2004 -0800, jdow wrote:
Here is the full set of his stuff I am running. So far it has hit no ham.

Yep, that's the set... it's pretty decent stuff. The only limitation I see is it won't catch r0lex, rol3x, or roIex, just rolex. Hence I quickly hacked one up that uses the same character-substitutions and gap-clauses I use in antidrug. Thus far I've not seen obfu attempts on the scale of drug spam, but I've seen a lot of simple obfuscations like the ones above.


You could simplify my rule a bit if it bothers you by shortening the gap clause:
body ROLEX_BODY /(?:\b|\s)[_\W]{0,3}r[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}[l!|1][_\W]{0,3}[e3\xE8-\xEB][_\W]{0,3}x[_\W]{0,3}(?:\b|\s)/i


becomes
body ROLEX_BODY /(?:\b|\s).?r.?[o0\xF2-\xF6].?[l!|1].?[e3\xE8-\xEB].?x.?(?:\b|\s)/i


But I'm really more of a fan of [_\W]{0,3} over .? when it comes to gapping, fewer potential FPs. I've also definitely found the leading/trailing gap, and the (?:\b|\s) at the beginning and end help a lot. Particularly for words like __R_O_L_E_X__ which won't hit the standard .?'s in the middle with \b's on each end. (_ is a word-character, so X_ doesn't match \b after the X)
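The gap-clause comparison in the message above, as an added example that is not part of the original message: the two posted rules rebuilt as Python bytes regexes, plus a constructed "plain" variant (.? gaps with a bare \b on each end, one reading of the "standard" form the message mentions), run over constructed sample strings. Scanning the body as raw Latin-1 bytes is an assumption.

```python
import re

# Building blocks copied from the two rules in the message. Bytes patterns keep
# \w/\W ASCII-only and make \xF2-\xF6 single Latin-1 bytes (assumption: the
# body is matched as raw bytes, not decoded Unicode).
LETTERS = [rb"r", rb"[o0\xF2-\xF6]", rb"[l!|1]", rb"[e3\xE8-\xEB]", rb"x"]
EDGE = rb"(?:\b|\s)"
WIDE_GAP = rb"[_\W]{0,3}"   # gap clause of the first rule
DOT_GAP = rb".?"            # gap clause of the shortened rule


def build(gap, edge=EDGE, edge_gaps=True):
    """Join the letter classes with `gap`, optionally gapping both ends."""
    core = gap.join(LETTERS)
    if edge_gaps:
        core = gap + core + gap
    return re.compile(edge + core + edge, re.I)


RULES = {
    "full": build(WIDE_GAP),    # identical to the first ROLEX_BODY
    "short": build(DOT_GAP),    # identical to the shortened ROLEX_BODY
    # Constructed for comparison only, not a rule from the message:
    "plain": build(DOT_GAP, edge=rb"\b", edge_gaps=False),
}

# Constructed sample bodies (not taken from real mail).
SAMPLES = [
    b"cheap rolex watches",   # unobfuscated
    b"r\xf6l3x",              # Latin-1 o-umlaut plus digit substitution
    b"_R_O_L_E_X_",           # "_" is a word char, so \b cannot sit next to R or X
    b"__R_O_L_E_X__",         # two-char edge gap: a single .? is too short
    b"r--o--l--e--x",         # two-char inner gaps
    b"proflex bands",         # ordinary text: .? is free to swallow letters
]


def hits(body):
    """Return {rule name: matched?} for one message body (bytes)."""
    return {name: bool(rx.search(body)) for name, rx in RULES.items()}


if __name__ == "__main__":
    for body in SAMPLES:
        row = "  ".join(f"{n}={'hit ' if h else 'miss'}" for n, h in hits(body).items())
        print(f"{body!r:26} {row}")
```

The "proflex" row is the false-positive case: .? accepts the letters p and f as gap filler, while [_\W]{0,3} only accepts punctuation, whitespace and underscores.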






