I've been getting hit with a lot of German spam that has two exact words, and then .de URLs. This rule handles them well.
rawbody __XM_Pash01 /^(?:Lese\s*selbst|Full\s*Article):$/i
rawbody __XM_Pash02 m{^http://[^/\n]+\.de/(?>.*)$}i
rawbody __XM_Pash03 m{(?!^(?:http://[^/\n]+\.de/(?>.*)|(?:Lese\s*selbst|Full\s*Article):|\s+)$)^(?>.+)$}i
meta XMGerman_02 (__XM_Pash01 && __XM_Pash02 && !__XM_Pash03)
describe XMGerman_02 vintage german spam
score XMGerman_02 6.0
On Mon, May 16, 2005 at 12:21:13PM -0400, Bowie Bailey wrote:
> This is a ruleset I created based on information from the Internet Storm
> Center (isc.sans.org).
>
> I scored it at 4 points. Feel free to raise or lower to your liking.
>
> Bowie
>
--
______________________________________________________________________
what's with today, today?
Email: [EMAIL PROTECTED]
PGP: http://rocky.mindphone.org/rocky_mindphone.org.gpg
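
One way to check the XMGerman_02 meta logic against sample bodies before deploying it, as an added example that is not part of the original post. It assumes each rawbody rule is tried against one body line at a time; the function name and the sample messages are constructed, and the atomic groups are written as plain groups for Python's `re` module.

```python
import re

# The three sub-rules from the post, transcribed for Python's re module.
# The atomic groups (?>...) are written as plain groups: on a single line
# they only limit backtracking and do not change what matches.
PASH01 = re.compile(r"^(?:Lese\s*selbst|Full\s*Article):$", re.I)
PASH02 = re.compile(r"^http://[^/\n]+\.de/(?:.*)$", re.I)
PASH03 = re.compile(
    r"(?!^(?:http://[^/\n]+\.de/(?:.*)|(?:Lese\s*selbst|Full\s*Article):|\s+)$)"
    r"^(?:.+)$",
    re.I,
)


def xmgerman_02(raw_body: str) -> bool:
    """Evaluate the meta rule (hypothetical helper, not SpamAssassin code).

    Assumption: every rawbody rule is tested against each body line in turn.
    """
    lines = raw_body.splitlines()
    hit01 = any(PASH01.search(line) for line in lines)  # keyword line present
    hit02 = any(PASH02.search(line) for line in lines)  # .de URL line present
    hit03 = any(PASH03.search(line) for line in lines)  # any other text present
    return hit01 and hit02 and not hit03


# Constructed sample bodies (example.de is a placeholder host).
SPAM = (
    "Lese selbst:\n"
    "http://example.de/nachrichten/1234.html\n"
    "\n"
    "Full Article:\n"
    "http://news.example.de/a?id=5\n"
)
# Same keyword and URL, but with ordinary text around them.
HAM = "Hallo,\nLese selbst:\nhttp://example.de/nachrichten/1234.html\nGruss\n"
# A URL with no path slash fails __XM_Pash02 and counts as "other text".
NO_SLASH = "Lese selbst:\nhttp://example.de\n"

if __name__ == "__main__":
    for name, body in (("SPAM", SPAM), ("HAM", HAM), ("NO_SLASH", NO_SLASH)):
        print(name, xmgerman_02(body))
```

The HAM case shows why __XM_Pash03 is negated in the meta: any line that is not a keyword, a .de URL or whitespace keeps the rule from firing on ordinary mail that merely quotes such a link.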
