> Yes, remove the outer parentheses.
>
> Here are the rules I am using:
> body AE_MEDS35 /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
> describe AE_MEDS35 obfuscated domain seen in spam
> score AE_MEDS35 3.00
>
> body AE_MEDS38 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
> describe AE_MEDS38 rule to catch next wave of obfuscated domains
> score AE_MEDS38 1.0
>
> body AE_MEDS39 /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> describe AE_MEDS39 rule to catch still more spam obfuscation
> score AE_MEDS39 4.0
>
> AE_MEDS38 finds domains with spaces in them, and AE_MEDS39 finds domains
> with dots and spaces. You might want to bump up the score on AE_MEDS38,
> but I haven't had a false negative that would have benefited from it in
> a while, so I haven't bothered.
>
Very good! Thanks a lot!

Regards and good week-end!

--- Sim
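A small regression harness for the three quoted rules, added here as an example and not part of either poster's message. It assumes a Python translation of the patterns (Python's `re` has no `[[:alpha:]]` or `[[:punct:]]`, so ASCII equivalents are substituted), and the sample bodies are constructed, not taken from real mail.

```python
import re
import string

# Python's re has no POSIX bracket classes; translate the two the rules use (ASCII).
ALPHA = "A-Za-z"                                      # stands in for [:alpha:]
PUNCT_SPACE = re.escape(string.punctuation) + r"\s"   # stands in for [:punct:][:space:]

# name -> (compiled pattern, score), transcribed from the rules quoted above
RULES = {
    "AE_MEDS35": (re.compile(
        r"w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)"), 3.0),
    "AE_MEDS38": (re.compile(
        r"\(\s?w{2,4}\s[" + ALPHA + r"]{4}\d{1,4}\s(?:net|com|org)\s?\)"), 1.0),
    "AE_MEDS39": (re.compile(
        r"\bw{2,3}[" + PUNCT_SPACE + r"]{2,3}[" + ALPHA + r"]{2,6}\d{2,6}"
        r"[" + PUNCT_SPACE + r"]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
        re.IGNORECASE), 4.0),
}

# Constructed sample bodies: four obfuscated forms and one ordinary URL.
SAMPLES = [
    "visit www meds35 com today",       # spaces only, meds/shop keyword
    "click ( www pill42 net ) now",     # spaces inside parentheses
    "www . shop77 . c o m",             # dots and spaces, spaced-out TLD
    "(www meds12 com)",                 # hits two rules, scores add up
    "Our shop is at www.example.com",   # normal URL, should not hit
]


def evaluate(body):
    """Return (sorted names of rules that hit, summed score) for one body text."""
    hits = sorted(name for name, (rx, _) in RULES.items() if rx.search(body))
    return hits, sum(RULES[name][1] for name in hits)


if __name__ == "__main__":
    for body in SAMPLES:
        hits, score = evaluate(body)
        label = ",".join(hits) or "-"
        print(f"{score:4.1f}  {label:20}  {body}")
```

Keeping a file of known-good and known-bad samples like this makes it easy to check for false positives before raising a score such as the one on AE_MEDS38.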