"replace this with that" strings

Ken A ka at pacific.net
Fri Feb 16 18:38:35 CET 2007



Daniel Maher wrote:
> Hello all,
> 
>  
> 
> Lately, I have received a large number of Spams which instruct my users to "replace <this> with <that>" in order to create a valid URL.  I was wondering if anybody had an effective way to block these.  My first instinct is to create a simple SA rule - if somebody else has already made one that seems to work, I'd rather not re-invent the wheel. :-)
> 

I'm not a regex expert. (ianare?) .. but this is working pretty well 
here - it probably hits a few ham, but I don't log non-spam, so not sure!

body    __LOCAL_BLOCK_REP_THING1        /\b(?:remove|replace|substitute)\s(?:"."|'.'|space)\s(?:with|for)\s(?:"."|'.')/i
describe        __LOCAL_BLOCK_REP_THING1        replace this with that

body    __LOCAL_BLOCK_REP_THING2        /\bremove ?(the)?\s(?:"."|'.'|space)\s(?:in the|from the|above|below)/i
describe        __LOCAL_BLOCK_REP_THING2        replace this with that

meta    LOCAL_BLOCK_REP_THING           (__LOCAL_BLOCK_REP_THING1 || __LOCAL_BLOCK_REP_THING2)
describe        LOCAL_BLOCK_REP_THING   replace or remove a char
score   LOCAL_BLOCK_REP_THING           2.0

other metrics usually push it over the top tho (combine it with a check 
for meds, etc..)

Ken A
Pacific.Net

> 
> Thanks!
> 
>  
> 
> --
> 
>   _
>  °v°  Daniel Maher
> /(_)\ Administrateur Système Unix
>  ^ ^  Unix System Administrator
> 
>  
> 
> Four elements!
> 
>  
> 
> 
> 
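
Added example (not part of the original post and not MailScanner or SpamAssassin code): a small Python harness that runs the two body patterns from the rules above over constructed sample bodies, to show what the 2.0-point meta rule hits and which legitimate messages it also catches. The sample texts, the function names and the whitespace collapsing that stands in for SpamAssassin's body rendering are assumptions.

```python
import re

# Patterns copied from the two body rules above; this syntax behaves the
# same in Python's re module as in the Perl regexes SpamAssassin runs.
THING1 = re.compile(
    r"""\b(?:remove|replace|substitute)\s(?:"."|'.'|space)\s(?:with|for)\s(?:"."|'.')""",
    re.I)
THING2 = re.compile(
    r"""\bremove ?(the)?\s(?:"."|'.'|space)\s(?:in the|from the|above|below)""",
    re.I)
SCORE = 2.0  # score of the LOCAL_BLOCK_REP_THING meta rule


def evaluate(text):
    """Return (thing1_hit, thing2_hit, score) for one message body."""
    # Assumption: approximate body-rule input by collapsing line breaks
    # and runs of whitespace into single spaces.
    body = " ".join(text.split())
    hit1 = bool(THING1.search(body))
    hit2 = bool(THING2.search(body))
    # The meta rule fires when either sub-rule hits.
    return hit1, hit2, (SCORE if (hit1 or hit2) else 0.0)


# Constructed sample bodies (label, text); not taken from real mail.
SAMPLES = [
    ("spam", 'Visit www_example_test and replace "_" with "." to order'),
    ("spam", 'Type the address but remove the "*" from the\nlink first'),
    ("spam", "copy it and remove space in the url"),
    ("ham", "In the CSV export, replace ';' with ',' before importing"),
    ("ham", "To fix the hostname, remove the space in the middle"),
    ("ham", "Please remove the old printer from the list"),
]


def false_positives(samples=SAMPLES):
    """Return the ham sample texts that the meta rule would score."""
    return [text for label, text in samples
            if label == "ham" and evaluate(text)[2] > 0]


if __name__ == "__main__":
    for label, text in SAMPLES:
        print(label, evaluate(text), repr(text))
    print("ham hit by the meta rule:", len(false_positives()))
```

Running the same harness over a saved folder of known-good mail gives a count of ham hits before the score is raised.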

