On 09/26/2009 06:25 AM, Karsten Bräckelmann wrote:
On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
The bigger picture: I'm working on some ISP/.edu phishing rules
inspired by the old 419 rules... lots of words and short phrases
indicating an attempt to get our account information (either through
email or free web form sites), and a meta rule that fires only if
there are several hits. Due to the risk of false positives on long
messages, I'd only like to apply the rules to messages with short
bodies.

This is a plain RE rule I once wrote, to limit some rule to really short
messages only.

   rawbody __KB_RAWBODY_200  /^.{0,200}$/s

Yeah, rawbody, but properly anchored and limited, no backtracking, just
consumption, and will stop early once your threshold is reached. Should
be quite cheap indeed. HTH

I suspect meta limiting Adam's IXHASH rules with a minimum size subrule would eliminate many of the IXHASH false positives. I was using his IXHASH plugin for a while, but stopped because I noticed too many FP's on short e-mails. I wonder if his IXHASH plugin is suitable to put into the sandbox for actual statistical testing.

Warren
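To make the short-body gate and the "several hits" meta concrete, here is an added Python emulation (not SpamAssassin code and not from anyone in this thread) of the rule shape Rich describes: Karsten's `/^.{0,200}$/s` length check, a handful of constructed phrase subrules with hypothetical names, and a meta that fires only when the body is short and at least two subrules hit. The negated gate (`not short_body`) is the minimum-size subrule Warren proposes for wrapping the IXHASH rules. The sample messages are constructed for the demonstration.

```python
import re

# Karsten's rule, translated to Python: matches only when the raw body is at
# most 200 characters. re.DOTALL is the /s modifier, so '.' also consumes
# newlines; the anchors mean the engine consumes and stops, no backtracking.
SHORT_BODY_RE = re.compile(r"^.{0,200}$", re.DOTALL)

# Constructed phrase subrules (hypothetical names, not from the thread).
# In SpamAssassin these would be separate 'body' rules; the length gate
# above would be a 'rawbody' rule, so they can see slightly different text.
PHISH_PHRASES = {
    "__PHISH_VERIFY": re.compile(r"\b(verify|confirm|validate)\b.{0,20}\baccount\b", re.I),
    "__PHISH_CREDS": re.compile(r"\b(user ?name|password|passwd)\b", re.I),
    "__PHISH_URGENT": re.compile(r"\b(within|in)\s+\d+\s+(hours|days)\b|\bsuspend", re.I),
    "__PHISH_WEBMAIL": re.compile(r"\b(webmail|email account|mailbox quota)\b", re.I),
}
MIN_HITS = 2  # the 'several hits' threshold for the meta rule


def short_body(raw_body: str) -> bool:
    """__SHORT_BODY: true when the raw body is 0..200 characters long."""
    return SHORT_BODY_RE.match(raw_body) is not None


def subrule_hits(body: str) -> list:
    """Names of the phrase subrules that match, sorted for stable output."""
    return sorted(name for name, rx in PHISH_PHRASES.items() if rx.search(body))


def edu_phish_meta(raw_body: str, min_hits: int = MIN_HITS) -> bool:
    """Emulates: meta EDU_PHISH (__SHORT_BODY && (subrule hits) >= min_hits).

    Long messages never fire, whatever the phrase count, which is the
    false-positive control Rich is after.
    """
    return short_body(raw_body) and len(subrule_hits(raw_body)) >= min_hits


def ixhash_size_gate(raw_body: str) -> bool:
    """Warren's idea: only let a hash-based rule count on bodies that are
    NOT short, i.e. meta IXHASH_GATED (IXHASH && !__SHORT_BODY)."""
    return not short_body(raw_body)


# Constructed samples (not real mail).
SAMPLE_PHISH = (
    "Dear webmail user, your mailbox quota is exceeded. Confirm your account "
    "by replying with your username and password within 24 hours."
)  # 132 characters, four phrase hits

LONG_LEGIT = (
    "IT notice: please confirm your account settings and rotate your password "
    "before the term starts.\n"
    + "Full details, office hours and the support ticket form are on the "
      "intranet page linked from the helpdesk portal.\n" * 3
)  # two phrase hits, but well over 200 characters

SHORT_LEGIT = "Lunch at noon? Bring the slides."

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("long", LONG_LEGIT), ("short", SHORT_LEGIT)):
        print(label, short_body(msg), subrule_hits(msg), edu_phish_meta(msg))
```

The design choice worth noting is that the length gate is evaluated on its own and reused by both metas; the phrase subrules are cheap bounded searches, and the expensive or FP-prone rule (the hash lookup, or the combined phrase score) only counts once the size condition is satisfied.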
