i attach a set of rules i have been using and improving for a while that 
handle stock spam, especially the || stuff (the letter "l" written as a "|" pipe character).

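# Stock-spam keyword rules: "stock" / "investor(s)" written with a zero in
# place of the letter "o", checked in the Subject header and in the raw body.
# These names have no "__" prefix, so each rule is scored and reported on its
# own; no "score" line for them appears here, so they take the default score.
header LOCAL_STOCK_SUBJ         Subject =~ /st0ck/i
describe LOCAL_STOCK_SUBJ       disguised term stock found
rawbody LOCAL_STOCK_BODY                /\bst0cks{0,1}\b/i
describe LOCAL_STOCK_BODY       disguised term stock found
header LOCAL_STOCK2_SUBJ                Subject =~ /\binvest0rs{0,1}\b/i
describe LOCAL_STOCK2_SUBJ      disguised term investor found
rawbody LOCAL_STOCK2_BODY       /\binvest0rs{0,1}\b/i
describe LOCAL_STOCK2_BODY      disguised term investor found
# Rule definitions are one per line; the mail-wrapped pattern is rejoined here.
# NOTE(review): the list archive masked an e-mail address inside this pattern,
# leaving the literal text "[EMAIL PROTECTED]". Read as a regex, that text is a
# character class matching a single character, not the address the author
# wrote. Restore the pattern from the original message before enabling it.
rawbody LOCAL_STOCK3_BODY               /(?:-stockmailer|-stockmaker|-stockpromoter|-stocksender|-stocksolution)(2005)[EMAIL PROTECTED]/
describe LOCAL_STOCK3_BODY      contains suspicious "[EMAIL PROTECTED]" address
# Price written with a capital letter O where the digit 0 belongs.
body LOCAL_STOCK4_BODY          /Current Price: \$O\.\d\d/
describe LOCAL_STOCK4_BODY      contains O instead of 0 in a price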
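# Sub-rules for common words in which a "|" (pipe) stands in for the letter
# "l". The "__" prefix makes them unscored building blocks: they only count
# through the LOCAL_OBFUSCATED* meta rules that add them up.
# rawbody is used, so the patterns run against the body text before HTML is
# stripped; all patterns are case-insensitive.
rawbody __LOCAL_OBFU18          /\bmai\|/i
rawbody __LOCAL_OBFU1           /\b(un)?avai(?:lab\|e|\|ab(?:l|\|)e)\b/i
rawbody __LOCAL_OBFU2           /\b(?:c|sh|w)ou\|d\b/i
rawbody __LOCAL_OBFU3           /\bdeve\|op(?:ed|er(s)?|ing|ment(s)?|s)?\b/i
rawbody __LOCAL_OBFU4           /\bd(?:0|o)\|\|ar(s)?\b/i
# Rule definitions are one per line; the mail-wrapped pattern is rejoined here.
rawbody __LOCAL_OBFU5           /\b(?:ex|in)c\|u(?:de(?:d|s)?|ding|sive(ly)?)\b/i
rawbody __LOCAL_OBFU6           /\bhigh\|ight\b/i
# No leading \b here: the pattern starts at the pipe itself.
rawbody __LOCAL_OBFU7           /\|imit(?:ation(s)?|ed|s)?\b/i
rawbody __LOCAL_OBFU8           /\bmateria\|((?:l|\|)y)?\b/i
rawbody __LOCAL_OBFU9           /\b(?:Inter|mu(?:l|\|)ti(-)?)?nationa\|/i
rawbody __LOCAL_OBFU10          /\bon\|ine\b/i
rawbody __LOCAL_OBFU11          /\bp\|ease\b/i
rawbody __LOCAL_OBFU12          /\bpub\|ic(ation(s)?)?\b/i
rawbody __LOCAL_OBFU13          /\bpub\|ish(e(?:d|r(s)?))?\b/i
rawbody __LOCAL_OBFU14          /\b(un)?(?:reliab\|e|re\|iab(?:l|\|)e)\b/i
rawbody __LOCAL_OBFU15          /\bresu\|t(?:ed|ing|s)?\b/i
rawbody __LOCAL_OBFU16          /\bshareho\|der(s)?\b/i
rawbody __LOCAL_OBFU17          /\btechno\|og(?:ies|y)\b/i
rawbody __LOCAL_OBFU19          /\bpharmaceutica\|/i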
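# Meta rules that count how many of the obfuscation / stock rules hit one
# message. All three use the same sum and differ only in the threshold
# (> 1, > 2, > 9), so a message passing a higher threshold also fires the
# lower ones and their scores add up.
# Each meta expression must sit on a single line; the mail-wrapped
# continuations are rejoined here.
# NOTE(review): LOCAL_DOLLARS_BODY and LOCAL_DOLLARS_SUBJ are not defined in
# the rules shown here; they presumably live elsewhere in the author's
# ruleset. Run "spamassassin --lint" after installing to confirm that every
# dependency resolves.
# NOTE(review): the LOCAL_STOCK* members have no "__" prefix, so a hit on one
# of them is scored by that rule itself and counted again in these sums.
meta LOCAL_OBFUSCATED           ( __LOCAL_OBFU1 + __LOCAL_OBFU2 + __LOCAL_OBFU3 + __LOCAL_OBFU4 + __LOCAL_OBFU5 + __LOCAL_OBFU6 + __LOCAL_OBFU7 + __LOCAL_OBFU8 + __LOCAL_OBFU9 + __LOCAL_OBFU10 + __LOCAL_OBFU11 + __LOCAL_OBFU12 + __LOCAL_OBFU13 + __LOCAL_OBFU14 + __LOCAL_OBFU15 + __LOCAL_OBFU16 + __LOCAL_OBFU17 + __LOCAL_OBFU18 + __LOCAL_OBFU19 + LOCAL_OBFU_MILLION + LOCAL_DOLLARS_BODY + LOCAL_DOLLARS_SUBJ + LOCAL_STOCK_BODY + LOCAL_STOCK_SUBJ + LOCAL_STOCK2_BODY + LOCAL_STOCK2_SUBJ ) > 1
describe LOCAL_OBFUSCATED       two obfuscated words found
meta LOCAL_OBFUSCATEDM          ( __LOCAL_OBFU1 + __LOCAL_OBFU2 + __LOCAL_OBFU3 + __LOCAL_OBFU4 + __LOCAL_OBFU5 + __LOCAL_OBFU6 + __LOCAL_OBFU7 + __LOCAL_OBFU8 + __LOCAL_OBFU9 + __LOCAL_OBFU10 + __LOCAL_OBFU11 + __LOCAL_OBFU12 + __LOCAL_OBFU13 + __LOCAL_OBFU14 + __LOCAL_OBFU15 + __LOCAL_OBFU16 + __LOCAL_OBFU17 + __LOCAL_OBFU18 + __LOCAL_OBFU19 + LOCAL_OBFU_MILLION + LOCAL_DOLLARS_BODY + LOCAL_DOLLARS_SUBJ + LOCAL_STOCK_BODY + LOCAL_STOCK_SUBJ + LOCAL_STOCK2_BODY + LOCAL_STOCK2_SUBJ ) > 2
describe LOCAL_OBFUSCATEDM      more than two obfuscated words found
# The explicit score for LOCAL_OBFUSCATEDM is commented out, so the rule takes
# the default score.
# score LOCAL_OBFUSCATEDM               2
meta LOCAL_OBFUSCATED_XL                ( __LOCAL_OBFU1 + __LOCAL_OBFU2 + __LOCAL_OBFU3 + __LOCAL_OBFU4 + __LOCAL_OBFU5 + __LOCAL_OBFU6 + __LOCAL_OBFU7 + __LOCAL_OBFU8 + __LOCAL_OBFU9 + __LOCAL_OBFU10 + __LOCAL_OBFU11 + __LOCAL_OBFU12 + __LOCAL_OBFU13 + __LOCAL_OBFU14 + __LOCAL_OBFU15 + __LOCAL_OBFU16 + __LOCAL_OBFU17 + __LOCAL_OBFU18 + __LOCAL_OBFU19 + LOCAL_OBFU_MILLION + LOCAL_DOLLARS_BODY + LOCAL_DOLLARS_SUBJ + LOCAL_STOCK_BODY + LOCAL_STOCK_SUBJ + LOCAL_STOCK2_BODY + LOCAL_STOCK2_SUBJ ) > 9
describe LOCAL_OBFUSCATED_XL    lots of obfuscated words found
# Only this meta rule carries an explicit score.
score LOCAL_OBFUSCATED_XL       5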
# "million" / "millions" with both l's written as pipes and the "o" given as
# either the letter or a zero. The name has no "__" prefix, so the rule is
# scored on its own as well as being counted by the LOCAL_OBFUSCATED* metas.
rawbody LOCAL_OBFU_MILLION              /\bmi\|\|i[0o]ns?\b/i
describe LOCAL_OBFU_MILLION     contains obfuscated term "million(s)"
