Ilan, I believe this is the *exact* same dude/dudette that I was
referring to with the topic 'Rule Question'.
Mike
Ilan Aisic wrote:
Hi again,
I keep getting this kind of pharm. spam where a list of drugs and their
prices is arranged in an html table.
I'm using all the SARE rules including the OBFU (which I've added thanks
to recommendations in this thread).
However, only the SARE_HTML_MANY_BR05 is fired (Tooo many <br>'s!).
Indeed the way this is arranged is that this is in a cell on the first
column:
<B>Vi</B><BR>
The matching cell of the next table column is:
<B>ag</B><BR>
The next is:
<B>ra</B>
And in between there are all the other pairs of letters for the other
drugs and the HTML command: <DIV style="FLOAT: left;">
Obviously, the OBFU rule set is not that sophisticated.
On top of that, the spammer (someone said it's Leo Kuvayev) keeps
changing the URL it points to. I've received it with
inspectioflig(dot)com (scored 2.7), then with exclusivaven(dot)com
(scored 6.4), then with univnews(dot)com (scored 7.1) and the last one
was sinceschool(dot)com (scored 7.8).
So, the good news is that in spite of the spammer's effort, the score
gets higher and higher (due to increased efficiency of the network
checks) but on my system it should reach 12 to be totally trashed.
For scores > 5 it only marks the subject as potential spam.
--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org
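
An added example, not part of the original messages and not SARE or SpamAssassin code: a Python sketch of why body rules miss the column layout described above and how a filter could rebuild the rendered rows before matching. It assumes each floated DIV is one un-nested column; the sample HTML, the watchlist, and all function names are constructed for illustration.

```python
import re
from itertools import zip_longest

# Constructed sample modelled on the layout described in the post: every
# floated DIV is one column and every <BR> ends one row of that column.
SAMPLE_HTML = (
    '<DIV style="FLOAT: left;"><B>Vi</B><BR><B>Ci</B><BR><B>Va</B><BR></DIV>'
    '<DIV style="FLOAT: left;"><B>ag</B><BR><B>al</B><BR><B>li</B><BR></DIV>'
    '<DIV style="FLOAT: left;"><B>ra</B><BR><B>is</B><BR><B>um</B></DIV>'
)
WATCHLIST = ("viagra", "cialis", "valium")  # hypothetical word list

COLUMN_RE = re.compile(r"<div[^>]*float\s*:\s*left[^>]*>(.*?)</div>", re.I | re.S)
BR_RE = re.compile(r"<br\s*/?>", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def flat_text(html):
    """Text in document order, which is what a plain body rule sees."""
    return TAG_RE.sub("", html)


def column_rows(html):
    """Return one list of text fragments per floated column."""
    columns = []
    for body in COLUMN_RE.findall(html):
        columns.append([TAG_RE.sub("", part).strip() for part in BR_RE.split(body)])
    return columns


def reassemble_rows(html):
    """Join the n-th fragment of every column, as the rendered page reads."""
    rows = zip_longest(*column_rows(html), fillvalue="")
    return ["".join(row) for row in rows if any(row)]


def hits(html, watchlist=WATCHLIST):
    """Watchlist words that appear only once the rows are rebuilt."""
    rows = [row.lower() for row in reassemble_rows(html)]
    return sorted(w for w in watchlist if any(w in row for row in rows))


if __name__ == "__main__":
    print("document order:", flat_text(SAMPLE_HTML))
    print("rendered rows :", reassemble_rows(SAMPLE_HTML))
    print("hits          :", hits(SAMPLE_HTML))
```

In document order the fragments of different words are interleaved, so no watchlist word ever appears as a contiguous string; it only shows up after the column-to-row transpose.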