more fun with regex (spamassassin rules)
Daniel Maher
daniel.maher at ubisoft.com
Tue Feb 20 21:29:36 CET 2007
Hello,
First thing's first, thanks to everybody that responded to my regex request. In case you're still in need of a spamassassin rule to find the "replace this with that" spams, here you go:
body UBI_URL_OBFU01 /(remove|replace|substitute) ?(the)? ?(("|').("|')|space) ?(in|from|to make) (the)? ?(link|url|address)? ?(above|below|work)/i
describe UBI_URL_OBFU01 6
score UBI_URL_OBFU01 URL obfuscation (01)
I've found that it works quite nicely! Feel free to name it whatever you like, of course. :)
Next up, I'm having a problem with another regex which detects the illegal characters in the common spam of this type lately. If I use it via egrep from the command line, it matches properly; however, spamassassin does not appear to match it:
$ egrep -i "https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?[a-z0-9.-]{1,30}[^a-z0-9.-\/:'\[][a-z0-9.-\@]{1,30}"
This will, for example, successfully match:
http://www.domain .com
http://www.domain+com
Etc...
The same regex as a spamassassin rule:
body UBI_URL_OBFU02 /https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?[a-z0-9.-]{1,30}[^a-z0-9.-\/:'\[][a-z0-9.-\@]{1,30}/i
score UBI_URL_OBFU02 1.5
describe UBI_URL_OBFU02 URL obfuscation (02)
Unfortunately, this rule will not trigger on either of the domains noted above.
Any ideas?
--
_
°v° Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator
Four elements!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070220/27de3a6a/attachment.html
More information about the MailScanner
mailing list