So, in my terms (simple), this rule only catches msg if the two drug names are in that order and in all capitals, but not necessarily one immediately following the other?
John -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, February 07, 2006 6:44 PM To: David Sullivan Subject: Re: [sniffer] Bad Rule - 828931 On Tuesday, February 7, 2006, 6:15:13 PM, David wrote: DS> Sorry, wrong thread on the last post. DS> Add'l question. Pete, what is the content of the rule? The rule info is: Rule - 828931 Name C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A Created 2006-02-07 Source C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A Hidden false Blocked false Origin User Submission Type Manual Created By [EMAIL PROTECTED] Owner [EMAIL PROTECTED] Strength 3.84258274153269 False Reports 0 >From Users 0 Rule belongs to following groups [252] Problematic The rule was an attempt to build an abstract matching two ed pill names (you can see them in there) while compensating for heavy obfuscation. The mistake was in using %+ through the rule. The rule would match the intended spam (and there was a lot of it, so 22,055 most likely includes mostly spam. Unfortunately it would also match messages containing the listed capital letters in that order throughout the message. Essentially, if the text is long enough then it will probably match. A greater chance of FP match if the text of the message is in all caps. Also if there is a badly coded base64 segment and file attachment (badly coded base64 might not be decoded... raw base64 will contain many of these letters in mixed case and therefore increase the probability of matching them all). Hope this helps, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
