Jared Hall wrote:
> Some quick eCard rules:
>
> header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i

A good start, but that rule could be simplified quite a lot.
For starters, don't do (a|an); it's much faster to do an? instead. Also, in this case the \!? at the end is pointless. Regexes match substrings, so you could just leave that whole part off with zero change in what will match.

In general, for regexes that are used to detect matches only (i.e. SA rules), if you end in . + * or ? you're doing something wasteful and pointless and should re-examine the regex. Unless you add a $ at the end, you don't have to match the whole text, so don't waste time trying to match optional characters at the end.

Here's a variant I use:

header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting\s?)?(?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD greeting card virus

Notes: mine won't catch the "You've received a greeting from a" variant yours picks up, but I've never seen that one myself. Every one I've seen of this type has "card" in it somewhere. Mine's also a bit less specific, as it just uses a .{4,20} where yours bothers to list out all the possible texts the virus uses. I feel it's unlikely to match anything nonspam, but greatly reduces the resource usage of the rule. Mine requires the exclamation point at the end, where yours makes it optional (and should just leave it off as above).
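To check the two points above concretely, here is an added Python example (not code from the thread) that runs both rules over a few constructed Subject lines and shows that dropping the trailing optional \!? leaves the match set unchanged. Python's re module stands in for Perl, and the reply's regex is taken with an assumed \s? after "greeting" so the spaced "greeting card" form also matches.

```python
import re

# Jared's rule as posted; the Perl escapes \' and \- are unnecessary in Python's re.
JARED_ECARD = re.compile(
    r"You've received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) "
    r"from a (admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|"
    r"partner|school friend|school mate|school-mate|worshipper|Class mate|Colleague|"
    r"buddy|pal)!?", re.I)

# Same rule with the trailing "!?" removed. The pattern is unanchored (no $), so a
# substring match succeeds either way and the optional token only costs work.
JARED_ECARD_TRIMMED = re.compile(JARED_ECARD.pattern[:-2], re.I)

# The reply's simplified variant (assumed \s? after "greeting", see lead-in).
L_S_SUBJPOSTCARD = re.compile(
    r"\bYou've received an? (?:greeting\s?)?(?:e|post)?card from a .{4,20}!", re.I)

# Constructed sample subjects for the demonstration, not real messages.
SUBJECTS = [
    "You've received a postcard from a family member!",
    "You've received an ecard from a Colleague",
    "You've received a greeting from a neighbour!",
    "Re: You've received a card from a school friend!",
    "Meeting notes for Tuesday",
    "Fwd: You've received a greeting card from a worshipper!",
]


def matches(rule, subjects):
    """Return the subjects the rule fires on, in input order."""
    return [s for s in subjects if rule.search(s)]


def trailing_optional_is_redundant(rule, trimmed, subjects):
    """True when an unanchored rule and its trimmed form fire on the same subjects."""
    return matches(rule, subjects) == matches(trimmed, subjects)


if __name__ == "__main__":
    for name, rule in [("JARED_ECARD", JARED_ECARD), ("L_S_SUBJPOSTCARD", L_S_SUBJPOSTCARD)]:
        print(name, "->", matches(rule, SUBJECTS))
    print("trailing !? redundant:",
          trailing_optional_is_redundant(JARED_ECARD, JARED_ECARD_TRIMMED, SUBJECTS))
```

The output also shows the two behavioural differences the reply describes: only JARED_ECARD fires on the bare "greeting from a" subject and on the one without a closing "!", while only L_S_SUBJPOSTCARD fires on the plain "card" variant.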