On Mon, 13 Jul 2009, John Hardin wrote:
> Why be restrictive on the domain name?

If a conservative spec is sufficient to match the spam, then we're
helping avoid false positives.... I'd rather tweak the rule to
catch the new tricks of the spammer than overgeneralize. :)

> The + signs are a little risky, it might be better to use {1,3} instead.

(nod) Though without the '/m' option it would be limited to the same line.
My thinking is that a spammer would quickly figure out to add more
obfuscation, and there is little risk of a false positive occurring with
that kind of broad spacing and an xxx99 domain name....

> And the older rule allowed for spaces in the TLD. I don't recall if
> anybody provided more than one spample with that though.

I've not seen it too much, though it doesn't hurt to keep it in the
rule. I actually added it back into my live rule after I posted....

To answer your next post, I don't use '\b' because the next 'trick' coming
will likely be something looking like Xwww herenn comX... :)

- C