Re: Sample eCard Rules...

2007-08-14 Thread Matt Kettler
Jared Hall wrote:
> Some quick eCard rules:
>
> header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
>
A good start, but that rule could be simplified quite a lot.

For starters, don't do (a|an); it's much faster to do an? instead.

Also, in this case the \!? at the end is pointless. Regexes match
substrings, so you could just leave that whole part off with zero change
in what will match.

In general, for regexes that are used to detect matches only (i.e. SA
rules), if you end in . + * or ? you're doing something wasteful and
pointless and should re-examine the regex. Unless you add a $ at the
end, you don't have to match the whole text, so don't waste time trying
to match optional characters at the end.

Here's a variant I use:

header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting\s)?(?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD greeting card virus


Notes:

Mine won't catch the "You've received a greeting from a" variant yours picks
up, but I've never seen that one myself. Every one I've seen of this type has
"card" in it somewhere.

Mine's also a bit less specific, as it just uses a .{4,20} where yours bothers 
to list out all the possible texts the virus uses. I feel it's unlikely to 
match anything nonspam, but greatly reduces the resource usage of the rule.

Mine requires the exclamation point at the end, where yours makes it optional 
(and should just leave it off as above).


Sample eCard Rules...

2007-08-14 Thread Jared Hall
Some quick eCard rules:

header  JARED_ECARD  Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
score   JARED_ECARD 2.5

header  JARED_ECARD1 Subject =~ /^(School\-mate|Worshipper|Neighbour|Colleague|Admirer|School mate|Mate|Class\-mate|Neighbor|Friend|Partner|Family member|Class mate) sent you (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from ((postcardsfrom|Greeting\-Cards|e\-cards|1LoveCards|postcard|greetingCard|netfuncards|freewebcards|AmericanGreetings|GreetingCards|2000Greetings|FunnyPostcard|mypostcards|egreetings|dgreetings|VintagePostcards|123Greetings|riversongs|Hallmark|greet2k|egreetings|all\-yours|bluemountain|Postcards)\.(com|net|org))\!?/i
score   JARED_ECARD1 2.0

header  JARED_ECARD2 Subject =~ /^(Animated|Funny|Greeting|Holiday|Thank you|Musical|Love|Birthday|Movie\-quality)[\s](ecard|card|postcard)[\s]$/i
score   JARED_ECARD2 2.0


$0.02,

Jared Hall
General Telecom, LLC.


On Tuesday 14 August 2007 11:33, John Rudd wrote:
> Doc Schneider wrote:
> > Loren Wilton wrote:
> >> PDFinfo plugin from SARE helps a lot with the pdf mess.
> >
> > I found that ClamAV catches most all those greeting card spamscam
> > viruses.
> >
> > But the PDFInfo from SARE works GREAT!
>
> ClamAV does even better if you use the Sanesecurity, MSRBL, and MBL
> signatures in addition to the main ClamAV signatures.  We went from
> rejecting a few thousand "viruses" a day with just the base ClamAV
> signatures, to rejecting high tens of thousands of messages a day
> (mostly due to Sanesecurity).  No complaints about false positives yet.
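The two posts above argue about what the Subject rules match and whether the simplifications change anything. Below is an added example, written for this page and not code from either post or from SpamAssassin itself: a small Python harness that takes rule lines in the `header NAME Subject =~ /pattern/flags` shape used in the thread, compiles them with Python's `re` module as a stand-in for Perl (adequate for these patterns), and runs them over a handful of constructed Subject lines. JARED_ECARD is the rule as posted; ECARD_SIMPLIFIED is my rewrite applying Matt's three points (an? for (a|an), non-capturing groups, trailing \!? dropped); L_S_SUBJPOSTCARD is Matt's variant with the optional prefix written as `(?:greeting\s)?` so that "greeting card" and "greeting ecard" match as well. The rule name ECARD_SIMPLIFIED and every subject line are my own inventions for the test.

```python
"""Offline check of SpamAssassin-style Subject rules (added example)."""
import re

# Rule lines as they would appear in a SpamAssassin .cf file.
# JARED_ECARD:       rule as posted in the thread.
# ECARD_SIMPLIFIED:  hypothetical rewrite following Matt's advice (an?,
#                    non-capturing groups, no trailing \!?).
# L_S_SUBJPOSTCARD:  Matt's variant, with "(?:greeting\s)?" so a space
#                    between "greeting" and "card"/"ecard" is accepted.
RULE_TEXT = r"""
header JARED_ECARD Subject =~ /You\'ve received (a|an) (greeting|postcard|ecard|greeting ecard|greeting card) from a (admirer|class\-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school\-mate|worshipper|Class mate|Colleague|buddy|pal)\!?/i
header ECARD_SIMPLIFIED Subject =~ /You've received an? (?:greeting|postcard|ecard|greeting ecard|greeting card) from a (?:admirer|class-mate|colleague|family member|friend|mate|neighbou?r|partner|school friend|school mate|school-mate|worshipper|buddy|pal)/i
header L_S_SUBJPOSTCARD Subject =~ /\bYou've received an? (?:greeting\s)?(?:e|post)?card from a .{4,20}!/
"""

# Constructed Subject lines modelled on the 2007 eCard worm mails; these are
# made up for the harness, not captured spam.
SUBJECTS = [
    "You've received a postcard from a family member!",
    "You've received an ecard from a friend!",
    "You've received a greeting card from a neighbour!",
    "You've received a greeting ecard from a class-mate",   # no trailing "!"
    "Re: You've received a postcard from a worshipper!",    # rules are unanchored
    "You've received a parcel from a courier!",             # near miss, must not hit
    "Invoice for August",                                   # ordinary ham
]

# Only the simple 'header NAME Subject =~ /pattern/flags' form is parsed.
RULE_LINE = re.compile(r"^header\s+(\S+)\s+Subject\s*=~\s*/(.*)/([a-z]*)\s*$")


def load_rules(text):
    """Compile each rule line into a regex, keyed by rule name."""
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if not m:
            continue
        name, pattern, flags = m.groups()
        rules[name] = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    return rules


def hits(rule, subjects):
    """Subjects the rule fires on, in corpus order (search, not full match)."""
    return [s for s in subjects if rule.search(s)]


def evaluate(rule_text=RULE_TEXT, subjects=SUBJECTS):
    """Map each rule name to the list of subjects it hits."""
    return {name: hits(rx, subjects) for name, rx in load_rules(rule_text).items()}


def equivalent(rule_text, name_a, name_b, subjects=SUBJECTS):
    """True when two rules fire on exactly the same subjects of the corpus."""
    results = evaluate(rule_text, subjects)
    return results[name_a] == results[name_b]


if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name}: {len(matched)} hit(s)")
        for s in matched:
            print("   ", s)
    print("JARED_ECARD == ECARD_SIMPLIFIED:",
          equivalent(RULE_TEXT, "JARED_ECARD", "ECARD_SIMPLIFIED"))
```

Running it shows JARED_ECARD and ECARD_SIMPLIFIED hitting the same five subjects, which is the point about `(a|an)` and the trailing `\!?`: neither change alters what matches. L_S_SUBJPOSTCARD hits four, because it requires the closing "!" and so skips the subject without one. The corpus is deliberately tiny; the same harness can be pointed at a real Subject dump before a rule is scored in production.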