Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2008/10/10 18:40:06 UTC
FB_SOFTTABS [in 72_active.cf] suggestion
Hi,
I'm seeing quite a few spam lately with the string "S0ftTabs" (hits 134
spam (5.8%) in a spam corpus of 2300 from the last week).
This isn't detected by the current FB_SOFTTABS rule due to obfuscation
of the "o" with "0", but otherwise would be.
The current rule looks like:
body FB_SOFTTABS /\bsoft\s?t?abs\b/i
describe FB_SOFTTABS Phrase: Softabs
Would it be possible to test it with also detecting the obfuscation as I
don't believe that should hit any more ham than the current rule and
should increase detection for current spam. Maybe something like:
body FB_SOFTTABS /\bs(o|0)ft\s?t?abs\b/i
describe FB_SOFTTABS Phrase: Softabs
I don't know if it would also be worth checking (a|@) at the same time
although I see no hits against "t@bs" at present.
Also, being relatively new to this list, is it best to air suggestions
such as this here first for discussion or should I just go ahead and file
a bug report?
Regards,
Ned
Re: FB_SOFTTABS [in 72_active.cf] suggestion
Posted by John Hardin <jh...@impsec.org>.
On Fri, 10 Oct 2008, Ned Slider wrote:
> Would it be possible to test it with also detecting the obfuscation as I
> don't believe that should hit any more ham than the current rule and should
> increase detection for current spam. Maybe something like:
>
> body FB_SOFTTABS /\bs(o|0)ft\s?t?abs\b/i
> describe FB_SOFTTABS Phrase: Softabs
>
> I don't know if it would also be worth checking (a|@) at the same time
> although I see no hits against "t@bs" at present.
Is there some reason this doesn't use replacetags?
body FUZZY_SOFTTABS /\b<S><O><F><T><SP>?<T>?<A><B><S>\b/i
describe FUZZY_SOFTTABS Attempt to obfuscate words in spam
replace_rules FUZZY_SOFTTABS
It looks like there's a lot of FB_ rules that could benefit from
replacetags - is there some reason SA isn't relying more heavily on it?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We have to realize that people who run the government can and do
change. Our society and laws must assume that bad people -
criminals even - will run the government, at least part of the
time. -- John Gilmore
-----------------------------------------------------------------------
25 days until the Presidential Election
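
Added example, not part of either post or of SpamAssassin: a small Python harness that runs the three patterns from the thread over constructed sample lines, to show what each catches before a change is proposed for a real mass-check. The character classes used to expand the <TAG> placeholders are simplified assumptions, not the replace_tag definitions SpamAssassin ships.

```python
import re

# Patterns quoted in the thread (the /i flag maps to re.IGNORECASE).
CURRENT = r"\bsoft\s?t?abs\b"
PROPOSED = r"\bs(o|0)ft\s?t?abs\b"
FUZZY_TEMPLATE = r"\b<S><O><F><T><SP>?<T>?<A><B><S>\b"

# ASSUMPTION: simplified stand-in classes, not SpamAssassin's shipped
# replace_tag definitions.
TAGS = {
    "S": "[s5$]", "O": "[o0]", "F": "f", "T": "[t7+]",
    "A": "[a@4]", "B": "[b8]", "SP": r"[\s_.-]",
}

def expand(template, tags=TAGS):
    """Swap each <TAG> for its class, mimicking the substitution the
    ReplaceTags plugin performs for rules named in replace_rules."""
    return re.sub(r"<([A-Z]+)>", lambda m: tags[m.group(1)], template)

RULES = {
    "current": re.compile(CURRENT, re.I),
    "proposed": re.compile(PROPOSED, re.I),
    "fuzzy": re.compile(expand(FUZZY_TEMPLATE), re.I),
}

# Constructed sample lines (not taken from any real corpus).
SAMPLES = [
    ("spam", "Cheap SoftTabs shipped overnight"),
    ("spam", "Try S0ftTabs today"),
    ("spam", "New s0ft t@bs offer"),
    ("ham", "Use soft tabs instead of hard tabs in your editor"),
    ("ham", "The software tabs are on the left"),
]

def hits(rule_name):
    """Return the (label, text) samples that the named rule matches."""
    rx = RULES[rule_name]
    return [(label, text) for label, text in SAMPLES if rx.search(text)]

def summary():
    """Per-rule counts of spam and ham samples matched."""
    return {name: {kind: sum(label == kind for label, _ in hits(name))
                   for kind in ("spam", "ham")}
            for name in RULES}

if __name__ == "__main__":
    for name, counts in summary().items():
        print(f"{name:9s} spam={counts['spam']} ham={counts['ham']}")
```

On these samples the ham count is the same for all three patterns, so only the spam count changes as obfuscation coverage widens.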