On 02/12/2014 10:06 PM, John Hardin wrote:
On Wed, 12 Feb 2014, Joe Quinn wrote:On 2/12/2014 3:15 PM, John Hardin wrote:On Wed, 12 Feb 2014, Joe Quinn wrote: > This pattern has been showing up in a good 80% of spam I have looked at > in the past month. > > Spammers take a few paragraphs out of a large body of text and put it at > the end of their email. My favorite is one that had the scene where > Daisy first meets Jay Gatsby. > > Sometimes they add some munging, or like in this example they insert > base64-encoded hashes. We have a rule for the plaintext hashes, but does > anyone on the list have a good way of detecting this? Bayes.Any ideas outside of Bayes? We don't currently have it configured, and the setup involved is more than we would like to do for just one rule, if at all possible.Bayes is very useful, you should reconsider. Perhaps something like this: body __HEXHASHWORD /\b[0-9a-f]{30,}\s[a-z]{1,10}\b/ tflags __HEXHASHWORD multiple maxhits=5 meta HEXHASH_WORD __HEXHASHWORD > 4 describe HEXHASH_WORD Hexadecimal hash followed by a word Added to my sandbox, just in case.
John,
Isn't {30,} (without a limit) dangerously expensive?
