Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2008/10/10 18:40:06 UTC

FB_SOFTTABS [in 72_active.cf] suggestion

Hi,

I'm seeing quite a few spam lately with the string "S0ftTabs" (hits 134 
spam (5.8%) in a spam corpus of 2300 from the last week).

This isn't detected by the current FB_SOFTTABS rule due to obfuscation 
of the "o" with "0", but otherwise would be.

The current rule looks like:

body     FB_SOFTTABS               /\bsoft\s?t?abs\b/i
describe FB_SOFTTABS               Phrase: Softabs

Would it be possible to test it with also detecting the obfuscation as I 
don't believe that should hit any more ham than the current rule and 
should increase detection for current spam. Maybe something like:

body     FB_SOFTTABS               /\bs(o|0)ft\s?t?abs\b/i
describe FB_SOFTTABS               Phrase: Softabs

I don't know if it would also be worth checking (a|@) at the same time 
although I see no hits against "t@bs" at present.

Also, being relatively new to this list, is it best to air suggestions 
such as this here first for discussion or should I just go ahead and file 
a bug report?

Regards,

Ned

Re: FB_SOFTTABS [in 72_active.cf] suggestion

Posted by John Hardin <jh...@impsec.org>.
On Fri, 10 Oct 2008, Ned Slider wrote:

> Would it be possible to test it with also detecting the obfuscation as I 
> don't believe that should hit any more ham than the current rule and should 
> increase detection for current spam. Maybe something like:
>
> body     FB_SOFTTABS               /\bs(o|0)ft\s?t?abs\b/i
> describe FB_SOFTTABS               Phrase: Softabs
>
> I don't know if it would also be worth checking (a|@) at the same time 
> although I see no hits against "t@bs" at present.

Is there some reason this doesn't use replacetags?

body FUZZY_SOFTTABS  /\b<S><O><F><T><SP>?<T>?<A><B><S>\b/i
describe FUZZY_SOFTTABS  Attempt to obfuscate words in spam
replace_rules FUZZY_SOFTTABS

It looks like there's a lot of FB_ rules that could benefit from 
replacetags - is there some reason SA isn't relying more heavily on it?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   We have to realize that people who run the government can and do
   change. Our society and laws must assume that bad people -
   criminals even - will run the government, at least part of the
   time.                                               -- John Gilmore
-----------------------------------------------------------------------
  25 days until the Presidential Election
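To see how the three rule bodies in this thread differ on the obfuscated strings Ned describes, here is an added example (not SpamAssassin's own code or anything posted in the thread) that expands replace_tags-style <TAG> markers into character classes and runs the current rule, Ned's proposed rule, and John's tag-based rule over constructed sample bodies. The tag table is an assumption written for illustration, not a copy of the project's real replace_tag definitions.

```python
import re

# Constructed tag table in the spirit of SpamAssassin's replace_tag lines.
# Assumption: these classes are illustrative, not copied from the project's
# own configuration; real deployments tune them against a ham corpus.
REPLACE_TAGS = {
    "S": "[s5$]",
    "O": "[o0]",
    "F": "[f]",
    "T": "[t7]",
    "A": "[a@4]",
    "B": "[b8]",
    "SP": r"[\s_.\-]",   # separators spammers insert between letters
}
TAG_RE = re.compile(r"<([A-Z]+)>")

def expand_tags(pattern, tags=REPLACE_TAGS):
    """Expand <TAG> markers into character classes, as replace_rules does."""
    def sub(m):
        name = m.group(1)
        if name not in tags:
            raise KeyError(f"undefined replace tag <{name}>")
        return tags[name]
    return TAG_RE.sub(sub, pattern)

# The three rule bodies quoted in the thread.
RULES = {
    "FB_SOFTTABS_current":  re.compile(r"\bsoft\s?t?abs\b", re.I),
    "FB_SOFTTABS_proposed": re.compile(r"\bs(o|0)ft\s?t?abs\b", re.I),
    "FUZZY_SOFTTABS":       re.compile(
        expand_tags(r"\b<S><O><F><T><SP>?<T>?<A><B><S>\b"), re.I),
}

def check(body):
    """Return {rule_name: bool} for one message body."""
    return {name: bool(rx.search(body)) for name, rx in RULES.items()}

# Constructed sample bodies (not from any real corpus).
SAMPLES = [
    "Buy SoftTabs today",      # plain phrase: all three hit
    "Buy S0ftTabs today",      # the "S0ftTabs" obfuscation Ned reported
    "Buy S0ft T@bs today",     # (a|@) variant only the tag rule catches
    "softabs",                 # the spelling the describe line names
    "free software tabs",      # must stay a miss for all three
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{body!r:24} {check(body)}")
```

Because the <S> class contains "$", the leading \b only anchors when the match starts with a letter or digit; that is the kind of edge a tag table needs checking against ham before it is widened.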