On Thu, 2009-07-16 at 09:11 -0400, Dan Schaefer wrote: > > The rules should also proactively cover (dot) and {dot} as well as [dot]
and <dot>, and {dot>, and /dot/, and ... That's why I like using [[:punct:]], which includes ! ' # S % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~ I've simplified my rule a bit and think this will catch all of the possible variants, until they replace "dot" with something else... body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i meta AE_MED44 (__MED_OB && ! __MED_NOT_OB) describe AE_MED44 Shorter rule to catch spam obfuscation score AE_MED44 2.0 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
signature.asc
Description: This is a digitally signed message part