On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
> It's catching on :-)

This new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...

How about:

body    __MED_OB        /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{0,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body    __MED_NOT_OB    /\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b/i
meta    AE_MED46        (__MED_OB && ! __MED_NOT_OB)
describe        AE_MED46        Shorter rule to catch spam obfuscation
score   AE_MED46        4.0

-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com
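
An added example, not part of the original message: it evaluates the proposed AE_MED46 meta over constructed sample lines to show which forms fire and why a plainly written URL does not. Assumptions: Python's `re` has no POSIX classes, so `[:punct:]`, `[:space:]` and `[:alpha:]` are swapped for ASCII equivalents; the name `abc123` and every sample line are constructed; each line is treated as one message body.

```python
import re
import string

# ASCII stand-ins (an assumption) for the POSIX classes used in the rule;
# Perl understands them natively, Python's re module does not.
POSIX = {
    "[:punct:]": re.escape(string.punctuation),
    "[:space:]": r"\s",
    "[:alpha:]": "a-zA-Z",
}

# Rule bodies from the message, without the /.../i delimiters. The separator
# group occurs twice in __MED_OB, so it is factored out here for readability.
SEP = (r"(?:[[:punct:][:space:]]{1,5}"
       r"|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})")
MED_OB = (r"\bw{2,3}" + SEP + r"[[:alpha:]]{0,6}\d{2,6}" + SEP +
          r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b")
MED_NOT_OB = r"\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b"


def compile_sa(pattern):
    """Swap the POSIX class names, then compile case-insensitively (/i)."""
    for name, body in POSIX.items():
        pattern = pattern.replace(name, body)
    return re.compile(pattern, re.IGNORECASE)


OB, NOT_OB = compile_sa(MED_OB), compile_sa(MED_NOT_OB)


def ae_med46(text):
    """Return (__MED_OB, __MED_NOT_OB, AE_MED46) for one message body."""
    ob = bool(OB.search(text))
    not_ob = bool(NOT_OB.search(text))
    return ob, not_ob, ob and not not_ob


# Constructed sample lines, not taken from real mail.
SAMPLES = [
    "Order at www.abc123.com today",       # plain URL: both sub-rules match
    "Order at www. abc123 . com today",    # spaced-out dots
    "Order at www abc123 dot com today",   # "dot" spelled out
    "Order at www.abc123.c o m today",     # spaced-out TLD
    "Order at www.example.com today",      # no digits in the name
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(ae_med46(line), line)
```
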
