On Thursday, February 10th, 2022 at 16:33, Kris Deugau <kdeu...@vianet.ca> wrote:
> (Please keep mail on-list)

Oops, replied too quickly without checking this. Sorry.

> > Out of curiosity, I've tested it with a replace_tag rule (/<P><O><S><T>/)
> > without luck. Shouldn't those UTF8 ranges be added to the ReplaceTags plugin?
>
> Probably. However, the rules as above and the other similar ones I've
> set up locally are detecting the abstracted use of certain subsets of
> these variant characters seen in local FNs (often different variant sets
> for different cases, FN corpus depending), not variations of a
> particular character as used for ReplaceTags.
>
> To put it another way, I explicitly do not care about what these
> characters are spelling out, just the fact that they're present at all
> in certain places where I consider them to be inherently invalid. I
> also don't want to match the ASCII version - ReplaceTags substitutions
> usually include the base ASCII character, so your final rule has to have
> some exclusion component on its own, eg:
>
> /(?!Post)<P><O><S><T>/
> or
> /(?!P)<P>(?!o)<O>(?!s)<S>(?!t)<T>/
> etc.
>
> TBH for specific phishing cases like yours, I would tend to just
> copy-paste the spoofed From: name into a rule directly - text editor
> depending, this should work fine. Perl will happily match the literal
> pasted character or the hex sequence equally well unless your editor
> mangles the character.
>
> -kgd

I think both are valid. Your way of counting the number of those special characters is great. But I also want to be able to block some specific strings like the usual suspects (paypal, dhl, volksbank, post, ...) where a single unexpected char is enough. I've been using a meta for this, with the same idea that you just gave.

I guess a few people created their own ReplaceTags with for instance their own company name. Including the letters in \xd0[\xa0-\xbf] in ReplaceTags would be good I think.
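
The two checks discussed in this message, as an added Python example that is not code from the thread or from SpamAssassin: counting bytes in the `\xd0[\xa0-\xbf]` range regardless of what they spell, and matching a brand name spelled with look-alikes while excluding its plain ASCII form. The look-alike table, the function names and the sample From: names are constructed assumptions.

```python
import re

# UTF-8 byte range named in the thread: U+0420..U+043F.
CYR_RANGE = re.compile(rb"\xd0[\xa0-\xbf]")

# Constructed look-alike table (an assumption, not SpamAssassin's tag set):
# Latin letter -> Cyrillic letter inside that range, written as escapes so
# a text editor cannot mangle the character.
LOOKALIKES = {
    "a": "\u0430", "c": "\u0421", "e": "\u0435", "k": "\u043a", "o": "\u043e",
    "p": "\u0420", "t": "\u0422", "x": "\u0425", "y": "\u0423",
}

def brand_pattern(brand):
    """Match `brand` spelled with look-alikes, but not its all-ASCII spelling."""
    parts = []
    for ch in brand.lower():
        alts = [re.escape(ch.encode("ascii"))]
        if ch in LOOKALIKES:
            alts.append(re.escape(LOOKALIKES[ch].encode("utf-8")))
        parts.append(b"(?:" + b"|".join(alts) + b")")
    # The negative lookahead is the exclusion component for the ASCII version.
    exclusion = b"(?!" + re.escape(brand.lower().encode("ascii")) + b")"
    return re.compile(exclusion + b"".join(parts), re.IGNORECASE)

BRANDS = ["paypal", "dhl", "volksbank", "post"]  # the names listed in the thread
PATTERNS = {b: brand_pattern(b) for b in BRANDS}

def count_range_chars(name):
    """First approach: how many characters fall in the range, whatever they spell."""
    return len(CYR_RANGE.findall(name.encode("utf-8")))

def spoofed_brands(name):
    """Second approach: brands where a single substituted character is enough."""
    raw = name.encode("utf-8")
    return [b for b, pat in PATTERNS.items() if pat.search(raw)]

if __name__ == "__main__":
    # Constructed sample display names.
    samples = [
        "\u0420\u043est Service",       # "Post" with two Cyrillic letters
        "Post Service",                 # plain ASCII, must not match
        "P\u0430yP\u0430l Support",     # "PayPal" with Cyrillic "a"
        "\u0418\u0432\u0430\u043d \u041f\u0435\u0442\u0440\u043e\u0432",  # ordinary Cyrillic name
    ]
    for s in samples:
        print(ascii(s), count_range_chars(s), spoofed_brands(s))
```

The last sample shows why the plain count only suits places where such characters are considered invalid: an ordinary Cyrillic name scores on the count but matches no brand pattern.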