Has anybody come up with a rule for these yet?  I tried the following:

body     ORNL_B0RKEN1 /^\d{3,5}\n{1,3}$/s
describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number
score    ORNL_B0RKEN1 1

This matches the spam message, but it also matches messages where the
number is followed by a blank line and more text, which is a false
positive.  If I replace "body" with "full", then it doesn't match the
spam message.  I have also tried the following variations:

-  using /s, /m, or neither switch
-  using the ^ and $ anchors or the \A and \Z anchors
-  using \n, \s, or neither (i.e. the pattern /^\d{3,5}$/)

In all cases I got the same results.  What am I missing?

Thanks, Larry

> -----Original Message-----
> From: Nigel Frankcom [mailto:[EMAIL PROTECTED]
> Posted At: Monday, December 04, 2006 8:02 PM
> Posted To: sa-users
> Conversation: spam
> Subject: Re: spam
> 
> On Mon, 04 Dec 2006 16:35:33 -0800, Evan Platt
> <[EMAIL PROTECTED]> wrote:
> 
> >At 04:24 PM 12/4/2006, you wrote:
> >>On Mon, 4 Dec 2006 16:11:28 -0800 (PST), san <[EMAIL PROTECTED]>
> >>wrote:
> >>
> >> >
> >> >Hi,
> >> >
> >> >Am receiving a spam mails which is just having number on the body just
> >> >like 1265 or 2196...
> >> >
> >> >any thoughts how to stop this kind of spam..
> >> >
> >> >thanks
> >> >san
> >>
> >>Ditto....
> >>
> >>How in the hell does one write a  rule for this sh*?
> >
> >Maybe a rule if the message body is less than <X> characters?
> >
> >I mean unless you expect lots of legitimate mail that says
> >"Hello."
> >
> 
> Good point; thanks.
> 
> Though I think I'll do one that picks only numerals. That said I'm
> pretty sure there's a sare rule that covers this sort of thing....
> though I could easily be wrong; it wouldn't be the 1st time :-D
> 
> KR
> 
> Nigel
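
The false positive described at the top of this message can be reproduced outside SpamAssassin; the following is an added example, not part of the original post or of SpamAssassin's code. It assumes, as SpamAssassin's rule documentation describes, that "body" patterns are tested against the rendered text one paragraph at a time and "full" patterns against headers plus body; the function names and both sample messages are constructed for illustration.

```python
import re

NUMBER_ONLY = re.compile(r"\d{3,5}")

# Constructed sample messages (not taken from the thread).
SPAM = "From: a@example.com\nSubject: hi\n\n1265\n"
HAM = ("From: b@example.com\nSubject: ticket\n\n2196\n\n"
       "That is the ticket number you asked for.\n")

def split_message(raw):
    """Split a raw message into (headers, body) at the first blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body

def paragraphs(body):
    """Non-empty, trimmed paragraphs: the unit a per-paragraph matcher sees."""
    return [p.strip() for p in re.split(r"\n\s*\n", body) if p.strip()]

def per_paragraph_hit(raw):
    """Anchored pattern tried on each paragraph alone (assumed body-rule model).
    The anchors cannot see whether other paragraphs follow."""
    _, body = split_message(raw)
    return any(NUMBER_ONLY.fullmatch(p) for p in paragraphs(body))

def whole_body_hit(raw):
    """Hit only when the short number is the entire body."""
    _, body = split_message(raw)
    paras = paragraphs(body)
    return len(paras) == 1 and NUMBER_ONLY.fullmatch(paras[0]) is not None

def full_message_hit(raw):
    """The post's pattern with /s only, run over headers plus body:
    ^ anchors at the first header line, so a digit-only body never matches."""
    return re.search(r"^\d{3,5}\n{1,3}$", raw, re.S) is not None

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM)):
        print(name, per_paragraph_hit(msg), whole_body_hit(msg),
              full_message_hit(msg))
```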
