On Fri, 10 Jul 2009, McDonald, Dan wrote:
They have. They are using underscores, which are a [:punct:], but don't form a
\b break.
New rules:
body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && !(__MED_BEG_DOT && __MED_END_DOT)
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 4.0
I think that can be simplified somewhat by reversing the obfuscation
matches:
body URI_OBFU_WWW /\bw{2,3}[^[:alnum:]]{1,3}\w{1,20}(?:(?!\.[[:alnum:]])[^[:alnum:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe URI_OBFU_WWW Obfuscated URI
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The world has enough Mouse Clicking System Engineers.
-- Dave Pooser
-----------------------------------------------------------------------
4 days until the 64th anniversary of the dawn of the Atomic Age
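The rule sets from both messages, run side by side as an added example that is not part of either poster's mail. Ruby's regex engine accepts the POSIX bracket classes the SpamAssassin (Perl) rules use, so the body patterns are copied verbatim; the AE_MED42 meta is transcribed as a Ruby condition, and the sample body lines are constructed for illustration. It shows the two mechanisms that keep a normally written www.host.com from scoring: Dan's `!(__MED_BEG_DOT && __MED_END_DOT)` clause and John's `(?!\.[[:alnum:]])` lookahead.

```ruby
# Body rules from the thread, copied verbatim (Onigmo supports [[:punct:]] etc.).
BODY_RULES = {
  # Dan McDonald's rules: "www" + separator + alpha{2,6}digit{2,6} + separator + TLD
  "__MED_BEG_SP"    => /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i,
  "__MED_BEG_PUNCT" => /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i,
  "__MED_BEG_DOT"   => /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i,
  "__MED_BEG_BOTH"  => /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i,
  "__MED_END_SP"    => /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i,
  "__MED_END_PUNCT" => /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i,
  "__MED_END_DOT"   => /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i,
  "__MED_END_BOTH"  => /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i,
  # John Hardin's single-rule alternative; \w swallows the underscores that
  # never produce a \b break, and the lookahead rejects a plain ".com".
  "URI_OBFU_WWW"    => /\bw{2,3}[^[:alnum:]]{1,3}\w{1,20}(?:(?!\.[[:alnum:]])[^[:alnum:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i,
}

# Dan's "meta AE_MED42" condition, transcribed: some BEG rule and some END rule
# must fire, but not the dot-only pair, which is how a real URI looks.
def ae_med42?(h)
  (h["__MED_BEG_SP"] || h["__MED_BEG_PUNCT"] || h["__MED_BEG_DOT"] || h["__MED_BEG_BOTH"]) &&
    (h["__MED_END_SP"] || h["__MED_END_PUNCT"] || h["__MED_END_DOT"] || h["__MED_END_BOTH"]) &&
    !(h["__MED_BEG_DOT"] && h["__MED_END_DOT"])
end

# Returns the names of the scoring rules (not the __ sub-rules) that fire on
# one body line, in a fixed order so results are easy to compare.
def hits_for(line)
  h = BODY_RULES.transform_values { |re| re.match?(line) }
  fired = []
  fired << "AE_MED42" if ae_med42?(h)
  fired << "URI_OBFU_WWW" if h["URI_OBFU_WWW"]
  fired
end

if __FILE__ == $0
  # Constructed sample body lines (not taken from any real message).
  [
    "Cheap pills at www_drugs42_com today",      # underscore obfuscation
    "visit www . drugs42 . com",                 # space+dot obfuscation
    "see http://www.drugs42.com/ for details",   # ordinary URI, should not score
    "www_example_com",                           # no digit block: only John's rule
  ].each { |l| puts "#{l.inspect} => #{hits_for(l).inspect}" }
end
```

The last sample shows the difference between the two approaches: Dan's rules require the alpha-then-digits host shape (the "MED42" pattern), while John's rule fires on any obfuscated www...com/net/org regardless of the host name, so it is broader and correspondingly worth a check against a ham corpus before scoring it at 4.0.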