I got one today that wasn't caught by your rule. It had 22232 for the
domain name inside of www and net, and used bracket dot bracket for the
separator.
Mike
On Jul 16, 2009, at 6:23 PM, McDonald, Dan wrote:
On Fri, 2009-07-17 at 00:04 +0200, Michelle Konzack wrote:
Good Evening,
On 2009-07-16 23:42:44, Karsten Bräckelmann wrote:
On Fri, 2009-07-17 at 00:37 +0300, Ibrahim Harrani wrote:
Is this rule available via updates.spamassassin.org sa-update channel?
Nope. It's living in a sandbox.
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
And it does not work... :-(
Gotten today more than 2800 of this ${STRONG_WORD_HERE}.
Have you tried my rule? I've caught 401 of them since I updated it this
morning. It's also got a little surprise for the next logical variant...
body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED44 Shorter rule to catch spam obfuscation
score AE_MED44 2.0
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
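
Added example (not part of the original thread and not SpamAssassin's own code): a Python harness that runs the quoted AE_MED44 rule over constructed sample lines and checks which piece of __MED_OB rejects the variant reported at the top of this message. Assumptions: the POSIX classes are translated to Python equivalents, "bracket dot bracket" is read as "[.]", and the sample strings and the names ae_med44, explain and SAMPLES are made up for the example.

```python
import re
import string

# Python's re has no POSIX bracket classes, so [[:punct:]], [[:space:]] and
# [[:alpha:]] from the posted rule are translated (an assumption of this example).
PUNCT = re.escape(string.punctuation)
SEP = rf"(?:[{PUNCT}\s]{{1,5}}|[\s{PUNCT}]{{1,3}}dot[\s{PUNCT}]{{1,3}})"
DOMAIN = r"[a-z]{2,6}\d{2,6}"          # [[:alpha:]]{2,6}\d{2,6}
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)"

MED_OB = re.compile(rf"\bw{{2,3}}{SEP}{DOMAIN}{SEP}{TLD}\b", re.I)
MED_NOT_OB = re.compile(rf"\bw{{2,3}}\.{DOMAIN}\.(?:com|net|org)\b", re.I)


def ae_med44(body: str) -> bool:
    """meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)"""
    return bool(MED_OB.search(body)) and not MED_NOT_OB.search(body)


def explain(sep: str, domain: str) -> dict:
    """Test each piece of __MED_OB on its own to see which one rejects a sample."""
    return {
        "separator": bool(re.fullmatch(SEP, sep, re.I)),
        "domain": bool(re.fullmatch(DOMAIN, domain, re.I)),
    }


# Constructed sample bodies; none are taken from real mail.
SAMPLES = {
    "spaced": "visit www. abcd1234. com today",
    "dot_word": "visit www dot abcd1234 dot net today",
    "plain_url": "visit www.abcd1234.com today",
    "reported": "visit www[.]22232[.]net today",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} AE_MED44={ae_med44(body)}")
    print("reported:", explain("[.]", "22232"))
```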