McDonald, Dan wrote:
Yes, remove the outer parentheses.
Here are the rules I am using:
body AE_MEDS35 /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 3.00
body AE_MEDS38 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38 rule to catch next wave of obfuscated domains
score AE_MEDS38 1.0
body AE_MEDS39 /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39 rule to catch still more spam obfuscation
score AE_MEDS39 4.0
Since we're sharing rules for this recent Spam outbreak, here is my rule:
body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
score DRUG_SITE 0.5
describe DRUG_SITE Test to find spam drug sites in recent emails
Notice my score is low, because I'm not sure it's 100% accurate.
--
Dan Schaefer
Application Developer
Performance Administration Corp.
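As an added illustration that is not part of either poster's message, here are the four rules from this thread translated into Python's re syntax and run over a few constructed body lines, so the coverage of each pattern (and where they overlap or miss) can be seen before deploying them. Python has no POSIX bracket classes, so `[[:alpha:]]` and `[[:punct:][:space:]]` are expanded by hand; the sample bodies are made up, and the 5.0 threshold is SpamAssassin's default `required_score`, assumed here rather than taken from the thread.

```python
import re
import string

# Hand expansions of the POSIX classes used in the AE_MEDS rules.
ALPHA = "A-Za-z"
PUNCT_SPACE = re.escape(string.punctuation) + r"\s"

# (compiled regex, score) per rule, copied from the thread with only the
# POSIX classes rewritten. Scores are the ones each poster assigned.
RULES = {
    "AE_MEDS35": (
        re.compile(r"w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)"),
        3.00,
    ),
    "AE_MEDS38": (
        re.compile(r"\(\s?w{2,4}\s[" + ALPHA + r"]{4}\d{1,4}\s(?:net|com|org)\s?\)"),
        1.0,
    ),
    "AE_MEDS39": (
        re.compile(
            r"\bw{2,3}[" + PUNCT_SPACE + r"]{2,3}[" + ALPHA + r"]{2,6}\d{2,6}"
            r"[" + PUNCT_SPACE + r"]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
            re.IGNORECASE,  # the /i modifier on the original rule
        ),
        4.0,
    ),
    "DRUG_SITE": (
        re.compile(
            r"www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)"
            r"[0-9]{2}(\.|\ )*(net|com)"
        ),
        0.5,
    ),
}

# Constructed sample bodies, not real mail: three obfuscation styles and one
# ordinary line that a legitimate message might contain.
SAMPLE_BODIES = {
    "spam_spaced": "Cheap refills at www meds12 com , order now",
    "spam_parens": "Our store: ( www pill77 com ) - no prescription",
    "spam_punct": "Visit WWW . shop123 . c o m for savings",
    "ham": "Our website is www.example.com and our shop is open 9-5",
}


def matching_rules(body):
    """Return {rule_name: score} for every rule whose regex hits the body."""
    return {name: score for name, (rx, score) in RULES.items() if rx.search(body)}


def total_score(body):
    """Sum the scores of all matching rules, as SpamAssassin does."""
    return sum(matching_rules(body).values())


def is_spam(body, required_score=5.0):
    """Assumed default required_score of 5.0; no single rule here reaches it."""
    return total_score(body) >= required_score


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        hits = matching_rules(body)
        print(f"{label:12s} score={total_score(body):4.1f} "
              f"spam={is_spam(body)} hits={sorted(hits)}")
```

Running it shows that the single-space form is caught by AE_MEDS35 and DRUG_SITE but not AE_MEDS39 (which requires two or three separator characters), the parenthesised form only by AE_MEDS38 and DRUG_SITE, and the upper-case punctuated form only by AE_MEDS39, since the other three are case-sensitive; the plain `www.example.com` line matches nothing. One caveat when porting this to a real ruleset: SpamAssassin removes line breaks from the rendered body before `body` rules run, so `\s` in these patterns only ever sees spaces, not the wrapping of the original message.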