On Mon, 24 Nov 2003 22:23:11 -0600 (CST), Chris Thielen
<[EMAIL PROTECTED]> posted to spamassassin-talk:
> ian douglas said:
>>> Anyone have any good obfuscation rules for p4r1s h1|+0n spam? I'm
>>> getting a ton of these every day...
>> http://sandgnat.com/cmos/cmos.jsp gave me a good result, but will not
>> match a plus sign to substitue for a 't' character.
> Good suggestion, Ian. That replacement will be in the next version of the
> script. It is also added as a replacement character in the
> paris_hilton.cf that I generated for you (see previous post).
If I enter a single-character string in the "easy mode" text box, the
rules will somehow manage to drop the character from the obfuscated
rules. I.e. for the input "d" I get the regex /(?!\bd\b)\b/i (and not
the nonsensical /(?!\bd\b)\bd\b/i or an error message in the case when
the default "obfu only" option is selected).
Why are character classes not used consistently? For the input "lad"
and with -g but no -o it gives me the regex
/(?:\b[l1I]|[\|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))
(?:[a4]|[EMAIL PROTECTED]|\/\\|
\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|
\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|
\xD0\x90|\xD0\xB0)
(?:d\b|[\xD0]|\xC4[\x8E-\x91])/i
(obviously as a single long string) rather than the more idiomatic
/(?:\b[l1I|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))
(?:[EMAIL PROTECTED]|\/\\|
\xC4[\x80-\x85]|\xC7[\x8D-\x8E\xBA-\xBB]|
\xCE[\x86\x91\x94\x9B\xAC\xB1]|
\xD0[\x90\xB0])
(?:d\b|[\xD0]|\xC4[\x8E-\x91])/i
or actually even with the last line being
(?:[d\xD0]|\xC4[\x8E-\x91])\b/i
instead. I don't have any timings to back it up, but probably it will
be slightly faster as well as more human-readable if you normalize the
expressions to use classes wherever you can.
Thanks for a useful tool, BTW! I wish I had thought of setting that up.
/* era */
--
The email address era the contact information Just for kicks, imagine
at iki dot fi is heavily link on my home page at what it's like to get
spam filtered. If you <http://www.iki.fi/era/> 500 pieces of spam for
want to reach me, see instead. each wanted message.
-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
