On Fri, 2009-09-25 at 12:10 -0500, Rich Graves wrote:
> The bigger picture: I'm working on some ISP/.edu phishing rules
> inspired by the old 419 rules... lots of words and short phrases
> indicating an attempt to get our account information (either through
> email or free web form sites), and a meta rule that fires only if
> there are several hits. Due to the risk of false positives on long
> messages, I'd only like to apply the rules to messages with short
> bodies.
This is a plain RE rule I once wrote, to limit some rule to really short
messages only.
rawbody __KB_RAWBODY_200 /^.{0,200}$/s
Yeah, rawbody, but properly anchored and limited, no backtracking, just
consumption, and will stop early once your threshold is reached. Should
be quite cheap indeed. HTH
--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
