On Mon, 13 Jul 2009, Charles Gregory wrote:

> On Mon, 13 Jul 2009, John Hardin wrote:
>> Why be restrictive on the domain name?
>
> If a conservative spec is sufficient to match the spam, then we're
> helping avoid false positives.... I'd rather tweak the rule to
> catch the new tricks of the spammer than overgeneralize. :)

Fair enough.

>> The + signs are a little risky, it might be better to use {1,3} instead.
>
> (nod) Though without the '/m' option it would be limited to the same line.

body rules work on paragraphs, but you are right, the badness has an upper limit.

> My thinking is that a spammer would quickly figure out to add more obfuscation, and there is little risk of a false positive occurring with that kind of broad spacing and an xxx99 domain name....

Again, fair enough. But there's a limit to how complex the obfuscation can be made, though, because there's a point where people won't deobfuscate the URI to visit it.

> To answer your next post, I don't use '\b' because the next 'trick' coming will likely be something looking like Xwww herenn comX... :)

At that point it can be dealt with. Until then, using \b is an important way to avoid FPs.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Ignorance doesn't make stuff not exist.               -- Bucky Katt
-----------------------------------------------------------------------
 3 days until the 64th anniversary of the dawn of the Atomic Age
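The trade-off argued in the thread (bounded `{0,3}` spacing plus `\b` anchors versus unbounded `+`/`*` with no anchors) can be seen directly by running two candidate patterns over a few constructed body paragraphs. The code below is an added illustration, not the rule either poster was working on; both regexes and all sample texts are assumptions written for this example, and Python's `re` is used as a stand-in for the Perl regex flavour SpamAssassin body rules use.

```python
import re

# Hypothetical rule bodies (assumptions, not the rule discussed in the thread).
# Both try to catch a spaced-out "www . name99 . com" style URI.

# Loose variant: unbounded spacing and no word-boundary anchors.
LOOSE = re.compile(
    r"w\s*w\s*w\s*[.,]\s*[a-z]+\d+\s*[.,]\s*com",
    re.IGNORECASE,
)

# Conservative variant: at most three spacing characters between tokens,
# a short label with 1-3 trailing digits (the "xxx99" shape), and \b on
# both ends so the match cannot start or end inside a longer word.
STRICT = re.compile(
    r"\bw\s{0,3}w\s{0,3}w\s{0,3}[.,]\s{0,3}[a-z]{2,6}\d{1,3}\s{0,3}[.,]\s{0,3}com\b",
    re.IGNORECASE,
)


def matches(pattern, text):
    """True if the pattern hits anywhere in the paragraph."""
    return pattern.search(text) is not None


def classify(text):
    """Report which of the two candidate rules would fire on this text."""
    return {"loose": matches(LOOSE, text), "strict": matches(STRICT, text)}


# Constructed sample "paragraphs" (not real mail).
SAMPLES = {
    # the spam shape both rules are meant to catch
    "obfuscated_spam": "get it at w w w . xxx99 . com now",
    # ordinary prose that happens to contain w,w,w ... com inside words
    "legit_fp_bait": "awww, hair2, compare prices before buying",
    # spammer widens the spacing beyond what {0,3} allows
    "wider_spacing": "w    w    w . xxx99 . com",
    # the "Xwww ... comX" trick that defeats \b
    "wrapped_trick": "Xwww . xxx99 . comX",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16} {classify(text)}")
```

The "legit_fp_bait" line is the false positive the conservative rule avoids: without `\b`, the loose pattern matches `www, hair2, com` inside `awww ... compare`. The last two samples show the cost: once the spammer widens the spacing or wraps the URI in letters, the strict rule has to be tweaked, which is exactly the "deal with it at that point" position taken above.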
