On Mon, 13 Jul 2009, Charles Gregory wrote:

> On Mon, 13 Jul 2009, John Hardin wrote:
>> Why be restrictive on the domain name?
>
> If a conservative spec is sufficient to match the spam, then we're
> helping avoid false positives.... I'd rather tweak the rule to
> catch the new tricks of the spammer than overgeneralize. :)

Fair enough.

>> The + signs are a little risky, it might be better to use {1,3}
>> instead.
>
> (nod) Though without the '/m' option it would be limited to the same
> line.

body rules work on paragraphs, but you are right, the badness has an upper
limit.

> My thinking is that a spammer would quickly figure out to add more
> obfuscation, and there is little risk of a false positive occurring with
> that kind of broad spacing and an xxx99 domain name....

Again, fair enough. But there's a limit to how complex the obfuscation can
be made, though, because there's a point where people won't deobfuscate
the URI to visit it.

> To answer your next post, I don't use '\b' because the next 'trick'
> coming will likely be something looking like Xwww herenn comX... :)

At that point it can be dealt with. Until then, using \b is an important
way to avoid FPs.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Ignorance doesn't make stuff not exist. -- Bucky Katt
-----------------------------------------------------------------------
3 days until the 64th anniversary of the dawn of the Atomic Age
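The rule shape the thread is arguing over, as an added Python example that is not from the list thread or from SpamAssassin: body rules are Perl regexes, but the `{m,n}` quantifiers and `\b` anchors discussed here behave the same in Python's `re`. The rule text, the "xxx99" domain shape and the sample lines are constructed assumptions for illustration; the script shows what each of the two choices (bounded spacing vs. `+`, and `\b` vs. none) does to hits and false positives.

```python
import re

# Constructed samples (not from the thread): two obfuscated "xxx99"-style
# URIs, one with spacing wider than the rule's bound, and benign text.
SPAM = [
    "Visit w w w . cheapmeds99 . com today",
    "go to   www .   pills88 .  net!!",
    "w w w .          bargain77 . com",      # 10 spaces: beyond {1,3}
]
HAM = [
    "Awww . camera99 . component is late",  # 'www' and 'com' inside words
    "see www.example.com for details",      # plain URI: no padding, no digits
]

def build_rule(bounded=True, word_boundary=True):
    """Assemble the obfuscated-URI body rule as a Python regex.

    bounded=True uses {m,n} on the whitespace instead of + / *, so a
    match can never span more than a few characters of padding;
    word_boundary=True wraps the pattern in \\b so 'www' and the TLD
    must stand alone as words rather than match inside other words.
    """
    inner = r"\s{0,3}" if bounded else r"\s*"   # padding inside "w w w"
    gap = r"\s{1,3}" if bounded else r"\s+"      # padding around the dots
    www = "w" + inner + "w" + inner + "w"
    domain = r"[a-z]{3,}\d{2}"                  # conservative xxx99 shape
    tld = r"(?:com|net|org)"
    core = www + gap + r"\." + gap + domain + gap + r"\." + gap + tld
    if word_boundary:
        core = r"\b" + core + r"\b"
    return re.compile(core, re.IGNORECASE)

def hits(rule, texts):
    """Return the texts the rule fires on, in input order."""
    return [t for t in texts if rule.search(t)]

if __name__ == "__main__":
    for bounded in (True, False):
        for wb in (True, False):
            rule = build_rule(bounded, wb)
            print(f"bounded={bounded!s:5} \\b={wb!s:5} "
                  f"spam hits={len(hits(rule, SPAM))}/{len(SPAM)} "
                  f"ham hits={len(hits(rule, HAM))}/{len(HAM)}")
```

Dropping `\b` is what lets the rule fire on "Awww . camera99 . component"; bounding the padding is what makes the widely spaced third sample slip through, which is the trade-off both sides of the thread describe.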