On Sat, Sep 26, 2009 at 12:25:32PM +0200, Karsten Bräckelmann wrote:
> On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
> > The bigger picture: I'm working on some ISP/.edu phishing rules
> > inspired by the old 419 rules... lots of words and short phrases
> > indicating an attempt to get our account information (either through
> > email or free web form sites), and a meta rule that fires only if
> > there are several hits. Due to the risk of false positives on long
> > messages, I'd only like to apply the rules to messages with short
> > bodies. 
> 
> This is a plain RE rule I once wrote, to limit some rule to really short
> messages only.
> 
>   rawbody __KB_RAWBODY_200  /^.{0,200}$/s
> 
> Yeah, rawbody, but properly anchored and limited, no backtracking, just
> consumption, and will stop early once your threshold is reached. Should
> be quite cheap indeed. HTH

I've used lookahead for that, since then all the matching text isn't saved
in SA internals..

/^(?=.{0,200}$)/s

Reply via email to