On 23/07/14 20:44, John Hardin wrote:
On Wed, 23 Jul 2014, Paul Stead wrote:
body __LOC_COUNT_UNI /x[0-9A-F]{4};/
tflags __LOC_COUNT_UNI multiple
Recommend maxhits on that.
Apologies, I omitted the max hits...
If you're only looking for 10+ hits, then maxhits=11 will allow you to
detect them with the minimum of wasted work.
I have more rules to match up to 50, but you are right - good advice for
anyone copying these, though I do prefer Martin's approach:
On 23/07/14 20:39, Martin Gregorie wrote:
body MG_HEX_HTML /(.{0,3}\&\#x[0-9A-F]{4};){5}/
Making use of the meta rules seems to be the best here - this spam is
being very tricky to catch - I'll mirror my previous statement that the
suggested patches do pick up on this spam too
--
Paul Stead, Zen Internet
Systems Engineer
