Brandy spanky new drug spam trick

[jdow <jd...@earthlink.net>]

From: "Cialis $89, Soma $59, Viagra $69" <lp...@yahoo.co.uk>

Guess what? It passes right through all the tests because the drugs
are never mentioned in the body of the mail.

{^_^}

Re: Brandy spanky new drug spam trick

[Matt Kettler <mk...@evi-inc.com>]

jdow wrote:

>Odd, I typed that correctly in the user_prefs and transcribed it
>wrong here.
>header JD_FROM_DRUG_1   From =~ /(viagra|cialis| soma)\b/i
>
JD - performance suggestion. When doing a (a|b) type construct, add ?:
to disable backreferences. It saves some memory and speeds the regex
execution. The only drawback is you can't use a backreference (\1) later
in the regex, but if you're not using it, that's not a drawback at all.

header JD_FROM_DRUG_1   From =~ /(?:viagra|cialis| soma)\b/i

Re: Brandy spanky new drug spam trick

[jdow <jd...@earthlink.net>]

From: "jdow" <jd...@earthlink.net>

> From: "Robert Menschel" <Ro...@Menschel.net>
> 
> > Hello jdow,
> > 
> > Friday, May 6, 2005, 4:21:49 AM, you wrote:
> > 
> > j> From: "Cialis $89, Soma $59, Viagra $69" <lp...@yahoo.co.uk>
> > 
> > j> Guess what? It passes right through all the tests because the drugs
> > j> are never mentioned in the body of the mail.
> > 
> > The next version of the SARE header rules should help out...
> > 
> > Bob Menschel
> 
> This helps, too, Bob. {^_-} Do it to me once and I suggest a new rule.
> Do it to me twice and you get insulted. {^_-}
> 
> ===8<---
> header JD_FROM_DRUG_1   From =~ /[viagra|cialis| soma]\b/i

Odd, I typed that correctly in the user_prefs and transcribed it
wrong here.
header JD_FROM_DRUG_1   From =~ /(viagra|cialis| soma)\b/i

> describe JD_FROM_DRUG_1 Sneaky drug twerbles
> score JD_FROM_DRUG_1    10
> ===8<---
> 
> I'll be sure to install the new rules because I expect someone will
> start obfuscating it. Of course "$" and "dollars" and other currency
> notations probably do not appear in many ham from headers. So that's
> held in reserve.
> 
> {^_-}
{O.O}

Re: Brandy spanky new drug spam trick

[jdow <jd...@earthlink.net>]

From: "Robert Menschel" <Ro...@Menschel.net>

> Hello jdow,
> 
> Friday, May 6, 2005, 4:21:49 AM, you wrote:
> 
> j> From: "Cialis $89, Soma $59, Viagra $69" <lp...@yahoo.co.uk>
> 
> j> Guess what? It passes right through all the tests because the drugs
> j> are never mentioned in the body of the mail.
> 
> The next version of the SARE header rules should help out...
> 
> Bob Menschel

This helps, too, Bob. {^_-} Do it to me once and I suggest a new rule.
Do it to me twice and you get insulted. {^_-}

===8<---
header JD_FROM_DRUG_1   From =~ /[viagra|cialis| soma]\b/i
describe JD_FROM_DRUG_1 Sneaky drug twerbles
score JD_FROM_DRUG_1    10
===8<---

I'll be sure to install the new rules because I expect someone will
start obfuscating it. Of course "$" and "dollars" and other currency
notations probably do not appear in many ham from headers. So that's
held in reserve.

{^_-}

Re: Brandy spanky new drug spam trick

[Robert Menschel <Ro...@Menschel.net>]

Hello jdow,

Friday, May 6, 2005, 4:21:49 AM, you wrote:

j> From: "Cialis $89, Soma $59, Viagra $69" <lp...@yahoo.co.uk>

j> Guess what? It passes right through all the tests because the drugs
j> are never mentioned in the body of the mail.

The next version of the SARE header rules should help out...

Bob Menschel