On Sat, Sep 26, 2009 at 12:25:32PM +0200, Karsten Bräckelmann wrote:
> On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
> > The bigger picture: I'm working on some ISP/.edu phishing rules
> > inspired by the old 419 rules... lots of words and short phrases
> > indicating an attempt to get our account information (either through
> > email or free web form sites), and a meta rule that fires only if
> > there are several hits. Due to the risk of false positives on long
> > messages, I'd only like to apply the rules to messages with short
> > bodies.
>
> This is a plain RE rule I once wrote, to limit some rule to really short
> messages only.
>
>   rawbody __KB_RAWBODY_200  /^.{0,200}$/s
>
> Yeah, rawbody, but properly anchored and limited, no backtracking, just
> consumption, and will stop early once your threshold is reached. Should
> be quite cheap indeed. HTH

I've used lookahead for that, since then all the matching text isn't
saved in SA internals:

  /^(?=.{0,200}$)/s
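
An added example, not from either poster and written as a Python model rather than SpamAssassin configuration, of the design discussed in this thread: a meta check that fires only when a body is short and several phrase sub-rules hit, with the two length-gate patterns compared side by side. The phrase list, `MIN_HITS`, the helper names and the sample messages are constructed assumptions.

```python
import re

# Both patterns from the thread, compiled with DOTALL (Perl's /s).
CONSUMING = re.compile(r"^.{0,200}$", re.DOTALL)
LOOKAHEAD = re.compile(r"^(?=.{0,200}$)", re.DOTALL)

# Constructed phrase list standing in for the individual phishing sub-rules.
PHRASES = [
    re.compile(r"verify your account", re.I),
    re.compile(r"mailbox (?:quota|size) (?:exceeded|limit)", re.I),
    re.compile(r"(?:user ?name|password)\s*:", re.I),
    re.compile(r"helpdesk|webmail team", re.I),
]
MIN_HITS = 3  # assumed threshold for "several hits"


def is_short(body: str) -> bool:
    """Short-body gate: zero-width match, so no body text is captured."""
    return LOOKAHEAD.search(body) is not None


def matched_length(pattern: re.Pattern, body: str) -> int:
    """Length of the text the pattern consumed, or -1 if it did not match."""
    m = pattern.search(body)
    return len(m.group(0)) if m else -1


def phish_meta(body: str) -> bool:
    """Meta rule: short body AND at least MIN_HITS distinct phrase hits."""
    if not is_short(body):
        return False
    return sum(1 for p in PHRASES if p.search(body)) >= MIN_HITS


# Constructed sample messages.
SHORT_PHISH = ("Dear user, your mailbox quota exceeded. Verify your account "
               "by replying with Username: and Password: -- Webmail Team")
LONG_MAIL = SHORT_PHISH + " " + "Unrelated newsletter text. " * 20

if __name__ == "__main__":
    for name, body in (("short", SHORT_PHISH), ("long", LONG_MAIL)):
        print(name, len(body), phish_meta(body),
              matched_length(CONSUMING, body), matched_length(LOOKAHEAD, body))
```

Because `$` also matches just before a final newline, a body of 200 characters plus one trailing newline still passes the gate in both forms.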