On Thu, 2009-07-16 at 09:11 -0400, Dan Schaefer wrote:
> > The rules should also proactively cover (dot) and {dot} as well as [dot]
and <dot>, and {dot>, and /dot/, and ...
That's why I like using [[:punct:]], which includes ! ' # S % & ' ( ) *
+ , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
I've simplified my rule a bit and think this will catch all of the
possible variants, until they replace "dot" with something else...
body __MED_OB
/\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED44 Shorter rule to catch spam obfuscation
score AE_MED44 2.0
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
signature.asc
Description: This is a digitally signed message part
