twofers wrote: (in html which might look strange once its replied to)
I'm writing rules for header Subject and have a rule question.
I want a rule that would hit on specific words, no matter what order
they were. Would a rule written like this rule below accomplish that?
Is the " * " redundant and not needed?
Would a rule written like this be more efficient and faster than a
rule where say, each of these words was used in a separate individual
rule?
header LR Subject =~
/ [independent]*[opportunity]*[luxury]*[cowhides]*[win]*[money]*[rep]*[save]*/i
Thanks.
and if someone sends you an email about 'windows' will you block it?
and what about mispellings of 1dependent? 0pp0rtun1th?
content filtering type rules are very prone to fp's and mostly useless
of you insist, something like this would block (way too much) but do
what you are looking to do:
header LR Subject =~
/\b(independent|opportunity|luxary|cowhides|win|money|rep|save)\b/i
(at least, with \b you will only block subjects that don't accidentally
contain rep or win in the middle of the word)
Still, put a very low score on it, maybe tie it using meta rules to
bayes, razor or dcc hits.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________
