On Fri, 14 Feb 2014, Adam Katz wrote:
Given the nature of the content, I'd go the other direction and not
require the word boundary. This removes the wildcard, though it doesn't
short circuit as quickly, so one could debate which version is more
efficient.
body __HEXHASHWORD /\b[a-z]{1,10}\s[0-9a-f]{30}/
Yeah, that would work. Adjusting sandbox.
tflags __HEXHASHWORD multiple maxhits=5
meta HEXHASH_WORD __HEXHASHWORD > 4
describe HEXHASH_WORD Five hexadecimal hashes, each following a word
I'm curious if the hex string is always so similar; it may be enough to
use \bb8b177bf24975 and not need the tflags multiple piece.
I think that would be a little *too* conservative.
S/O is a little surprising:
http://ruleqa.spamassassin.org/?daterev=20140213-r1567864-n&rule=%2FHEXHASH
I'm curious as to what hits that in ham...
Perhaps more repetitions would improve that?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 09/13/07: Microsoft patents in-OS
adware architecture that incorporates monitoring and analysis of
user actions and interrupting the user to display apparently
relevant advertisements (U.S. Patent #20070214042)
-----------------------------------------------------------------------
8 days until George Washington's 282nd Birthday
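
An added example, not part of the original message or of the SpamAssassin rule set: a Python approximation of how the `__HEXHASHWORD` pattern, `tflags multiple maxhits=5` and the `> 4` meta threshold interact, and of what raising the repetition count would change. The sample bodies are constructed, and the git-log-style ham is only an assumption about the kind of text that could hit, not what the ruleqa results showed.

```python
import hashlib
import re

# Pattern copied from the rule in the thread: case-sensitive, no trailing \b.
HEXHASHWORD = re.compile(r"\b[a-z]{1,10}\s[0-9a-f]{30}")


def count_hits(body, maxhits=5):
    """Approximate 'tflags multiple maxhits=N': count matches up to the cap."""
    hits = 0
    for _ in HEXHASHWORD.finditer(body):
        hits += 1
        if hits >= maxhits:
            break
    return hits


def hexhash_word(body, threshold=4, maxhits=5):
    """Approximate 'meta HEXHASH_WORD __HEXHASHWORD > 4'."""
    return count_hits(body, maxhits) > threshold


def word_hash_pairs(words):
    """Constructed text: each word followed by 32 lowercase hex characters."""
    return " ".join(
        f"{w} {hashlib.sha256(w.encode()).hexdigest()[:32]}" for w in words)


# Constructed samples, not taken from the masscheck corpus.
WORDS = ["alpha", "bravo", "charlie", "delta", "echo",
         "foxtrot", "golf", "hotel", "india", "juliet"]
SPAM_LIKE = word_hash_pairs(WORDS[:5])
# Hypothetical ham: a commit notification listing five 40-character ids.
HAM_COMMITS = "\n".join(
    "commit " + hashlib.sha256(f"change {i}".encode()).hexdigest()[:40]
    for i in range(5))

if __name__ == "__main__":
    print("spam-like, rule as posted:", hexhash_word(SPAM_LIKE))
    print("commit list, rule as posted:", hexhash_word(HAM_COMMITS))
    print("commit list, ten repetitions required:",
          hexhash_word(HAM_COMMITS, threshold=9, maxhits=10))
    # maxhits caps the count, so it has to be raised together with the threshold.
    print("ten pairs, threshold 9 but maxhits 5:",
          hexhash_word(word_hash_pairs(WORDS), threshold=9, maxhits=5))
```

Because the pattern has no `/i`, uppercase hex digests do not match at all.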