On Mon, 2009-06-22 at 14:37 +0200, Paweł Tęcza wrote:
> McDonald, Dan wrote:
>
> > I'm considering a low-scoring rule like:
> > body AE_MEDS37 /\(\s?w{2,4}\s[:alpha:]{4}\d{1,4}\s(?:net|com|org)\s?\)/
> > describe AE_MEDS37 rule to catch the next wave of spaced domains
> > score AE_MEDS37 1.0

Oops. Doesn't compile. Should be:

body AE_MEDS37 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/

> Hi Dan,
>
> I have score 4.0 for that kind of spam, but I can see that even such a
> high score is not sufficient sometimes. My SA tags those messages as spam
> only if they also pass RCVD_IN_BL_SPAMCOP_NET and RCVD_IN_SORBS_DUL tests.

The idea is to at least tag them without causing too many false
positives. The messages show up in sanesecurity clamav sigs before too
long, but it's nice to at least give them a little score boost. Most
get knocked out by RBLs...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
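A quick way to check the corrected rule's coverage and false-positive risk before deploying it, as an added example that is not part of the original message. The regex is ported to Python with `[[:alpha:]]` rewritten as `[A-Za-z]` (Python's `re` has no POSIX bracket classes); the sample lines, domains and helper names are constructed for illustration.

```python
import re

# Corrected AE_MEDS37 pattern from the message, ported to Python's re module.
# Assumption: [[:alpha:]] is replaced by [A-Za-z] (ASCII letters only),
# because Python's re does not support POSIX bracket classes.
AE_MEDS37 = re.compile(r"\(\s?w{2,4}\s[A-Za-z]{4}\d{1,4}\s(?:net|com|org)\s?\)")

# Constructed sample body lines (not real mail); every domain is made up.
# The second field is the result expected from reading the pattern.
SAMPLES = [
    ("Order today ( www abcd12 com ) and save", True),   # target shape
    ("Visit (www meds37 net) now", True),                 # inner spaces optional
    ("Cheap offer ( ww pill9 org )", True),               # w{2,4} accepts "ww"
    ("Visit ( www pills12 com ) now", False),             # 5 letters; {4} is exact
    ("Visit ( www abcd com ) now", False),                # no trailing digits
    ("Visit ( www abcd12 info ) now", False),             # TLD outside net|com|org
    ("See our site (www.example.com) for details", False),  # ordinary dotted URL
    ("Build log (www test1 com) attached", True),         # benign text, same shape
]


def evaluate(samples):
    """Split sample lines into (hits, misses) according to the rule."""
    hits, misses = [], []
    for line, _expected in samples:
        (hits if AE_MEDS37.search(line) else misses).append(line)
    return hits, misses


def mismatches(samples):
    """Return lines whose actual result differs from the expected one."""
    return [line for line, expected in samples
            if bool(AE_MEDS37.search(line)) != expected]


if __name__ == "__main__":
    hits, misses = evaluate(SAMPLES)
    for line in hits:
        print("HIT  ", line)
    for line in misses:
        print("MISS ", line)
    print("unexpected results:", mismatches(SAMPLES))
```

The last sample shows why a low score fits this rule: ordinary text that happens to have the same shape also hits, so the rule is better used as a score boost than as a verdict on its own.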