SA Rule

[san <sa...@gmail.com>]

Hi,

for mangled viagra and other stuff ..is there any simple rule??
 such as following text...

VjAGRA_bu_$1,78
CjALiS_mb_$3,00
LEVjTRA_dz_$3,33
 
www [dot] rx44 [dot] info
Much appreciated
-- 
View this message in context: http://www.nabble.com/SA-Rule-tf2727201.html#a7605942
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: SA Rule

[Sven Schuster <sc...@gmx.de>]

Hi,

On Wed, Nov 29, 2006 at 04:46:32PM -0800, John D. Hardin told us:
> On Wed, 29 Nov 2006, Loren Wilton wrote:
> > > for mangled viagra and other stuff ..is there any simple rule??
> > > such as following text...
> >
> > Mangled rules are never simple rules.
>
> I have a perl script that will take a word list and generate REs for
> obfuscated versions of those words.
>  http://www.impsec.org/~jhardin/antispam

Another thought on this topic: has anybody ever tried using the
String::Approx module (or something similar) to do approximity/
distance matching on obfuscated words?? Kind of like the way
FuzzyOcr does it??


have a nice day :-)

Sven

-- 
Linux zion.homelinux.com 2.6.18-1.2849.fc6xen #1 SMP Fri Nov 10 13:56:52 EST 2006 i686 athlon i386 GNU/Linux
 21:00:15 up 18 days, 22:18,  1 user,  load average: 0.37, 0.72, 0.60

Re: SA Rule

["John D. Hardin" <jh...@impsec.org>]

On Wed, 29 Nov 2006, Loren Wilton wrote:

> > for mangled viagra and other stuff ..is there any simple rule??
> > such as following text...
> 
> Mangled rules are never simple rules.

I have a perl script that will take a word list and generate REs for
obfuscated versions of those words.

 http://www.impsec.org/~jhardin/antispam

Examples:

# cialas @              3.0
describe        OBFU_WRD_021    obfuscated "cialas"
body    OBFU_WRD_021
/\b(?!cialas)(?:(?:(?:[c\xA2\xA9\xAB\xC7\xE7]|&\#(?:67|99);){1,2}['\.~"*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;){1,2}['\.~"*^]?(?:[a4\@\xC0-\xC6\xE0-\xE6]|\/\\|&a[a-z]+;){1,2}['\.~"*^]?(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);){1,2}['\.~"*^]?(?:[a4\@\xC0-\xC6\xE0-\xE6]|\/\\|&a[a-z]+;){1,2}['\.~"*^]?(?:[s5z\$\xA6\xA7\xA8]|&\#(?:83|115);))|(?:c\s?i\s?a\s?l\s?a\s?s))/i
score   OBFU_WRD_021                    3.0

# cialis @              3.0
describe        OBFU_WRD_022    obfuscated "cialis"
body    OBFU_WRD_022
/\b(?!cialis)(?:(?:(?:[c\xA2\xA9\xAB\xC7\xE7]|&\#(?:67|99);){1,2}['\.~"*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;){1,2}['\.~"*^]?(?:[a4\@\xC0-\xC6\xE0-\xE6]|\/\\|&a[a-z]+;){1,2}['\.~"*^]?(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);){1,2}['\.~"*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;){1,2}['\.~"*^]?(?:[s5z\$\xA6\xA7\xA8]|&\#(?:83|115);))|(?:c\s?i\s?a\s?l\s?i\s?s))/i
score   OBFU_WRD_022                    3.0

# levitra @             3.0
describe        OBFU_WRD_089    obfuscated "levitra"
body    OBFU_WRD_089
/\b(?!levitra)(?:(?:(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);){1,2}['\.~"*^]?(?:[e3\xBC\xBD\xC6\xC8-\xCB\xE6\xE8-\xEB]|&e[a-z]+;){1,2}['\.~"*^]?(?:v|(\\\/)|&\#(?:86|118);){1,2}['\.~"*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;){1,2}['\.~"*^]?(?:[t\xA3\xB1]|&\#(?:84|116);){1,2}['\.~"*^]?(?:r|&\#(?:82|114);){1,2}['\.~"*^]?(?:[a4\@\xC0-\xC6\xE0-\xE6]|\/\\|&a[a-z]+;))|(?:l\s?e\s?v\s?i\s?t\s?r\s?a))/i
score   OBFU_WRD_089                    3.0

# viagra @              2.5
describe        OBFU_WRD_184    obfuscated "viagra"
body    OBFU_WRD_184
/\b(?!viagra)(?:(?:(?:v|(\\\/)|&\#(?:86|118);){1,2}['\.~"*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;){1,2}['\.~"*^]?(?:[a4\@\xC0-\xC6\xE0-\xE6]|\/\\|&a[a-z]+;){1,2}['\.~"*^]?(?:[gq]|&\#(?:71|103);){1,2}['\.~"*^]?(?:r|&\#(?:82|114);){1,2}['\.~"*^]?(?:[a4\@\xC0-\xC6\xE0-\xE6]|\/\\|&a[a-z]+;))|(?:v\s?i\s?a\s?g\s?r\s?a))/i
score   OBFU_WRD_184                    2.5

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 26 days until Christmas

Re: SA Rule

[Loren Wilton <lw...@earthlink.net>]

> for mangled viagra and other stuff ..is there any simple rule??
> such as following text...

Mangled rules are never simple rules.  The SARE rules contain a lot of 
these, as does the antidrug stuff in SA itself.  It may be that these 
specific cases aren't caught though.

        Loren