Re: Sample eCard Rules...
Jared Hall wrote:
> Some quick eCard rules:
>
> header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
>

A good start, but that rule could be simplified quite a lot.

For starters, don't do (a|an). It's much faster to do an? instead.

Also, in this case the \!? at the end is pointless. Regexes match substrings, so you could just leave that whole part off with zero change in what will match.

In general, for regexes that are used to detect matches only (ie: SA rules), if you end in . + * or ? you're doing something wasteful and pointless and should re-examine the regex. Unless you add a $ at the end, you don't have to match the whole text, so don't waste time trying to match optional characters at the end.

Here's a variant I use:

header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD greeting card virus

Notes: mine won't catch the "You've received a greeting from a" variant yours picks up, but I've never seen that one myself. Every one I've seen of this type has "card" in it somewhere.

Mine's also a bit less specific, as it just uses a .{4,20} where yours bothers to list out all the possible texts the virus uses. I feel it's unlikely to match anything nonspam, but greatly reduces the resource usage of the rule.

Mine requires the exclamation point at the end, where yours makes it optional (and should just leave it off as above).
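As an added illustration that is not part of the thread, the script below runs the original JARED_ECARD regex, the simplified version suggested in the reply, and the reply author's L_S_SUBJPOSTCARD variant over a set of constructed Subject lines to show which changes are behaviour-preserving and which are not. It assumes Python's `re` as a stand-in for SpamAssassin's Perl engine and drops the case-only duplicate alternatives ("Class mate", "Colleague") from the /i rule.

```python
import re

# Jared's original rule, translated to Python `re` syntax (Perl's \' and \! escapes
# are unnecessary here; case-only duplicates removed since the rule uses /i).
ORIGINAL = re.compile(
    r"You've received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) "
    r"from a (admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|"
    r"partner|school friend|school mate|school-mate|worshipper|buddy|pal)!?",
    re.I)

# Same rule with the two simplifications from the reply: (a|an) -> an?, trailing !? dropped.
SIMPLIFIED = re.compile(
    r"You've received an? (greeting|postcard|ecard|greeting ecard|greeting card) "
    r"from a (admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|"
    r"partner|school friend|school mate|school-mate|worshipper|buddy|pal)",
    re.I)

# The reply author's looser L_S_SUBJPOSTCARD variant (no /i, requires the '!').
LOOSE = re.compile(r"\bYou've received an? (?:greeting)?(?:e|post)?card from a .{4,20}!")

# Constructed sample Subject lines (not taken from the thread): spam-like and legitimate.
SUBJECTS = [
    "You've received a postcard from a family member!",
    "You've received an ecard from a school mate",
    "You've received a greeting from a friend!",       # no "card": only the JARED rules hit
    "Re: You've received a postcard from a colleague!",
    "Meeting notes from a colleague",                  # legitimate, must not hit
    "You've received a package from a neighbour",      # legitimate, must not hit
]


def matches(pattern, subjects=SUBJECTS):
    """Return the subjects a rule would hit, as a frozenset (search, not full match)."""
    return frozenset(s for s in subjects if pattern.search(s))


def same_hits(a, b, subjects=SUBJECTS):
    """True when two rule variants hit exactly the same subjects."""
    return matches(a, subjects) == matches(b, subjects)


if __name__ == "__main__":
    for name, pat in (("ORIGINAL", ORIGINAL), ("SIMPLIFIED", SIMPLIFIED), ("LOOSE", LOOSE)):
        print(name, sorted(matches(pat)))
    print("original == simplified:", same_hits(ORIGINAL, SIMPLIFIED))  # True
    print("original == loose:", same_hits(ORIGINAL, LOOSE))            # False
```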
Sample eCard Rules...
Some quick eCard rules:

header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
score JARED_ECARD 2.5

header JARED_ECARD1 Subject =~ /^(School\-mate|Worshipper|Neighbour|Colleague|Admirer|School mate|Mate|Class\-mate|Neighbor|Friend|Partner|Family member|Class mate) sent you (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from ((postcardsfrom|Greeting\-Cards|e\-cards|1LoveCards|postcard|greetingCard|netfuncards|freewebcards|AmericanGreetings|GreetingCards|2000Greetings|FunnyPostcard|mypostcards|egreetings|dgreetings|VintagePostcards|123Greetings|riversongs|Hallmark|greet2k|egreetings|all\-yours|bluemountain|Postcards)\.(com|net|org))\!?/i
score JARED_ECARD1 2.0

header JARED_ECARD2 Subject =~ /^(Animated|Funny|Greeting|Holiday|Thank you|Musical|Love|Birthday|Movie\-quality)[\s](ecard|card|postcard)[\s]$/i
score JARED_ECARD2 2.0

$0.02,

Jared Hall
General Telecom, LLC.

On Tuesday 14 August 2007 11:33, John Rudd wrote:
> Doc Schneider wrote:
> > Loren Wilton wrote:
> >> PDFinfo plugin from SARE helps a lot with the pdf mess.
> >
> > I found that ClamAV catches most all those greeting card spamscam
> > viruses.
> >
> > But the PDFInfo from SARE works GREAT!
>
> ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL
> signatures in addition to the main ClamAV signatures. We went from
> rejecting a few thousand "viruses" a day with just the base ClamAV
> signatures, to rejecting high 10's of thousands of messages a day
> (mostly due to Sanesecurity). No complaints about false positives yet.