From: John Hardin [mailto:jhar...@impsec.org]

> On Sun, 19 Jul 2009, Mike Wallace wrote:
>
>> I got one today that wasn't caught by your rule
>
> Whose, mine or Dan's?
>
>> it had 22232 for the domain name inside of www and net and used bracket
>> dot bracket for the separator.
I just got a couple of those at home. I think a quick tweak will fix my rule:

body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{0,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED45 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED45 Shorter rule to catch spam obfuscation
score AE_MED45 4.0

-- 
Dan
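A quick way to check that the tweaked rule actually catches the "www[.]22232[.]net" variant Mike reported, and that the meta still leaves a plain "www.22232.net" alone, is to run the two body regexes outside SpamAssassin. The script below is an added example, not part of the thread or of SpamAssassin itself; it copies Dan's two patterns verbatim (Ruby's regex engine understands the same POSIX bracket classes as Perl's, so no translation is needed), emulates the meta rule's boolean in a hypothetical helper named ae_med45?, and feeds it constructed sample lines rather than real spam.

```ruby
# Added example: Dan's two SpamAssassin body regexes copied verbatim, with
# the AE_MED45 meta rule emulated in Ruby so they can be tested offline.
# Ruby (Onigmo) supports [[:punct:]], [[:space:]] and [[:alpha:]] just like
# SpamAssassin's Perl engine, so the patterns are used unchanged.

MED_OB = /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{0,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

MED_NOT_OB = /\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b/i

# Emulates: meta AE_MED45 (__MED_OB && ! __MED_NOT_OB)
# (hypothetical helper name, not a SpamAssassin API)
def ae_med45?(body)
  MED_OB.match?(body) && !MED_NOT_OB.match?(body)
end

# Constructed sample body lines (not real spam), one per obfuscation style.
SAMPLES = {
  "bracket dot" => "Check it out at www[.]22232[.]net now",   # Mike's variant
  "spelled dot" => "visit WWW dot 22232 dot NET",             # 'dot' separator
  "spaced tld"  => "www . 22232 . n e t",                     # spaced TLD
  "plain URL"   => "see www.22232.net for details",           # not obfuscated
  "no digits"   => "see www.example.com for details",         # no numeric label
}

# Returns a hash of sample name => whether AE_MED45 would fire.
def report
  SAMPLES.map { |name, line| [name, ae_med45?(line)] }.to_h
end

if __FILE__ == $0
  report.each do |name, hit|
    puts format("%-12s %s", name, hit ? "AE_MED45 fires" : "no hit")
  end
end
```

Run it directly to see one line per sample. The three obfuscated forms fire; the plain URL matches __MED_OB too but is excluded by __MED_NOT_OB, which is exactly the job the meta does, and the digit-free domain never matches because of the \d{2,6} requirement.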