{Spam?} Re: Missing new spam...

Daniel Maher daniel.maher at ubisoft.com
Tue Jan 30 14:46:03 CET 2007 

 

> -----Original Message-----

> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-

> bounces at lists.mailscanner.info] On Behalf Of Burak Ueda

> Sent: January 29, 2007 11:23 PM

> To: MailScanner discussion

> Subject: {Spam?} Re: Missing new spam...

> 

> Hi,

>  wrote some set of rules for this.

> I am an absolute beginner in both writing SA rules, and using regular

> expressions.

> I am continuously checking it for few days now, and it seems to be

> working.

> 

> But I'd love to hear some comments from experienced users. Here are the

> rules:

> http://burakueda.com/text/drugrules.txt

> 

> 

> 

> Jay Chandler wrote:

> > Gotten a few of these:

> >

> > Hi,

> >

> > VI_zAGRA $3, 35

> > VA_zLIUM $1, 20

> > AM_zBIEN $2, 90

> > CI_zALIS $3, 75

> > XA_zNAX  $1, 45

> >

> > http://www.tod*rx.com

> > Remove "*" to make the link working!

> >

> >

> > Has anyone written some custom rules to handle these yet?

> >

 

 

Consider:

 

 

# every rule has a "clean" counter-part, since these are legitimate words individually...

body            __UBI_PHARMVIAG01       /v[il1t]{0,1}.{0,2}a.{0,2}g{1,2}.{0,2}a{0,1}.{0,2}ra/i

body            __UBI_PHARMVIAG02       /viagra/i

body            __UBI_PHARMAMBI01       /am.{0,2}b.{0,2}[il1].{0,2}en/i

body            __UBI_PHARMAMBI02       /ambien/i

body            __UBI_PHARMCIAL01       /c[il1].{0,2}a.{0,2}l[il1]s/i

body            __UBI_PHARMCIAL02       /cialis/i

body            __UBI_PHARMVALI01       /va.{0,2}l.{0,2}[il1]um/i

body            __UBI_PHARMVALI02       /valium/i

 

# counter-rules to balance "clean" hits...

meta            UBI_PHARMVIAGRA         ( __UBI_PHARMVIAG01 && ! __UBI_PHARMVIAG02 )

score           UBI_PHARMVIAGRA         6

describe        UBI_PHARMVIAGRA         Obfuscated Viagra string

#etc...

 

I prefer {0,1} to ?, simply because it "feels" more precise, but both work (obviously).

 

 

--

  _

 °v°  Daniel Maher

/(_)\ Administrateur Système Unix

 ^ ^  Unix System Administrator

 

Four elements!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070130/e71eb835/attachment.html

More information about the MailScanner mailing list