On Thu, 2009-07-16 at 09:11 -0400, Dan Schaefer wrote:
> > The rules should also proactively cover (dot) and {dot} as well as [dot]

and <dot>, and {dot>, and /dot/, and ...

That's why I like using [[:punct:]], which includes ! " # $ % & ' ( ) *
+ , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~

I've simplified my rule a bit and think this will catch all of the
possible variants, until they replace "dot" with something else...

body    __MED_OB        /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body    __MED_NOT_OB    /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta    AE_MED44        (__MED_OB && ! __MED_NOT_OB)
describe        AE_MED44        Shorter rule to catch spam obfuscation
score   AE_MED44        2.0

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
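
The AE_MED44 rule from the message above, exercised against sample bodies. This is an added example, not part of the original post: it is written in Ruby because its regex engine accepts the rule's POSIX bracket classes unchanged, whereas SpamAssassin itself evaluates rules in Perl against the rendered message body. The helper names and the sample strings (including the made-up name sample99) are assumptions.

```ruby
# Added example: the two sub-rule patterns, copied verbatim from the rule.
# SpamAssassin runs them in Perl; here they are applied to plain strings.
MED_OB = /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
MED_NOT_OB = /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i

# Mirrors: meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
# Returns which sub-rules hit and whether the meta rule fires.
def evaluate(body)
  ob     = MED_OB.match?(body)
  not_ob = MED_NOT_OB.match?(body)
  { ob: ob, not_ob: not_ob, ae_med44: ob && !not_ob }
end

def ae_med44?(body)
  evaluate(body)[:ae_med44]
end

# Constructed sample bodies, one per variant discussed in the thread.
SAMPLES = [
  "visit www(dot)sample99(dot)com today",  # (dot)
  "www [dot] sample99 [dot] net",          # [dot] with spaces
  "www{dot}sample99{dot}org",              # {dot}
  "www/dot/sample99/dot/com",              # /dot/
  "www . sample99 . c o m",                # spaced punctuation, spaced TLD
  "www.sample99.com",                      # plain URL: __MED_NOT_OB cancels it
  "www point sample99 point com",          # "dot" replaced by another word
  "the www team met at 10"                 # ordinary text
].freeze

SAMPLES.each do |body|
  r = evaluate(body)
  puts format("%-40s OB=%-5s NOT_OB=%-5s AE_MED44=%s",
              body.inspect, r[:ob], r[:not_ob], r[:ae_med44])
end
```

The last two samples show the boundaries: ordinary text does not match, and a body that spells the separator as a word other than "dot" falls outside the rule, as the message itself anticipates.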
