On Mon, 05 Feb 2007, Bowie Bailey wrote:

> > > body Test_01 /remove \"\*\"/i | /remove \"\%\"/i | /remove \"\!\"/i
> > > score Test_01 4.0
> > > describe Test_01 Test remove asterisk for URL spams
> 
> How about this? (untested)
> 
>     body Test_01 /remove \"[*%!]\"/i


Since Sunday, after two new obfuscation chars and
two new subdomains in the same mails, I use this
(because I hope it to be more specific):

[ For Beginners: '\W' is a non-word character, '\S' is 'not space',
  and never use '.*'! Instead use a fixed maximum length '.{m,M}',
  where 'm' is the minimum and 'M' the maximum length ]

# Obfuscation-nonword-char instead of dot
body __MEDOBFU1A        /http:\/\S{1,25}\Wcom/i
body __MEDOBFU1B        /replace "?\W.{1,30}(?:with|by)\s"?\./i
# Obfuscation-nonword-char inserted
body __MEDOBFU2A        /http:\/\/\S{1,30}(?:\W\S{0,10}\.com|\.\Wcom)/i
body __MEDOBFU2B        /remove "?\W/i
# both in one rule
meta __MEDOBFU1  ( __MEDOBFU1A && __MEDOBFU1B )
meta __MEDOBFU2  ( __MEDOBFU2A && __MEDOBFU2B )
meta MEDOBFU   ( __MEDOBFU1 || __MEDOBFU2 )
score MEDOBFU   3
describe MEDOBFU        Pharma spam with illegal character in Hostname of URL

Using \W may be a risk because the class contains too
many characters, but so far I have not heard of FPs.

The only trouble with it is that, because I write this to the list,
tomorrow they will sprout a lot of new, differently adapted versions
of the same basic idea all over the place.

So what will really be needed would be a combination of
rules for 'illegal hostname in URL' and something like
the URIBLs to catch 'syntactically legal-looking' obfuscations
(if such a thing is feasible).

Stucki


-- 
Christoph von Stuckrad      * * |nickname |<[EMAIL PROTECTED]>   \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-5 57 78|
Mathematik & Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 66 00|
Arnimallee 6 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/
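To see how the rule set above behaves, here is an added example (not from the post and not SpamAssassin code) that ports the four body sub-rules to Python regexes and applies the meta logic to three constructed message bodies. It also shows why the A rules are ANDed with the B rules: because \W matches a dot, __MEDOBFU1A and __MEDOBFU2A on their own hit an ordinary http://www.example.com URL, and only the "replace/remove" half keeps the meta from firing on ham.

```python
import re

# The four body sub-rules from the post, as Python regexes (re.I == the /i flag).
SUBRULES = {
    "__MEDOBFU1A": re.compile(r"http:/\S{1,25}\Wcom", re.I),
    "__MEDOBFU1B": re.compile(r'replace "?\W.{1,30}(?:with|by)\s"?\.', re.I),
    "__MEDOBFU2A": re.compile(r"http://\S{1,30}(?:\W\S{0,10}\.com|\.\Wcom)", re.I),
    "__MEDOBFU2B": re.compile(r'remove "?\W', re.I),
}
MEDOBFU_SCORE = 3.0  # 'score MEDOBFU 3' in the post


def evaluate(body: str) -> dict:
    """Run the sub-rules over one rendered body and apply the meta logic:
    MEDOBFU = (1A && 1B) || (2A && 2B)."""
    hits = {name: rx.search(body) is not None for name, rx in SUBRULES.items()}
    medobfu1 = hits["__MEDOBFU1A"] and hits["__MEDOBFU1B"]
    medobfu2 = hits["__MEDOBFU2A"] and hits["__MEDOBFU2B"]
    fires = medobfu1 or medobfu2
    return {"hits": hits, "__MEDOBFU1": medobfu1, "__MEDOBFU2": medobfu2,
            "MEDOBFU": fires, "score": MEDOBFU_SCORE if fires else 0.0}


# Constructed sample bodies (not real mails): the dot replaced by an obfuscation
# char, an obfuscation char inserted before the TLD, and a plain ham message.
SAMPLE_DOT_REPLACED = 'Visit http://www.example*com/ and replace "*" with "." to open'
SAMPLE_CHAR_INSERTED = 'Go to http://www.example.%com/ and remove "%" to open'
SAMPLE_HAM = 'Please remove me from the list; see http://www.example.com/unsubscribe'

if __name__ == "__main__":
    for body in (SAMPLE_DOT_REPLACED, SAMPLE_CHAR_INSERTED, SAMPLE_HAM):
        r = evaluate(body)
        print(f"{body[:40]!r:44} -> hits={r['hits']} MEDOBFU={r['MEDOBFU']}")
```

SpamAssassin runs body rules on the rendered, whitespace-normalised text of a message, so results on a raw MIME body can differ from this plain-string simulation.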
