When I worked on this, I basically took the anti_drug ruleset and added a check to ensure that the rules only fire on obfuscated versions of the name. This can be done using negative lookahead in the rule:

    header SAMPLE_RULE Subject =~ /(?!viagra)v[1i][a4]gr[4a]/i

As an example (and only an example; I wrote it off the top of my head with no linting/brainwork).

Again, I'm happy to provide further input if you need it.

R

> -----Original Message-----
> From: Jim Maul [mailto:[EMAIL PROTECTED]
> Sent: 06 April 2005 15:39
> To: SA Users List
> Subject: Extra Sare Rules for meds?
>
> I realize this isn't exactly a SA question but I figured
> there's enough people on this list using sare rules to give
> some feedback. I work in a hospital where we obviously
> receive a lot of legit emails with drug names in them.
> However, we also receive a lot of spam with drug names in
> them as well. I know there are sare rules to catch these
> sort of things but the question I guess is can these rules
> distinguish between the two? The difference it seems is that
> in the legit emails they don't try to hide the drug names and
> in the spam they do. Before I install some of these rules, I
> wanted to hear if anyone has had any experience with this
> type of situation.
>
> Thanks
> Jim
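
An added example, not part of the original message or of the SARE rulesets: a Python harness that builds the negative-lookahead pattern described above for a list of names (going beyond the single rule in the reply) and checks which constructed subject lines it fires on. The look-alike table, function names and sample subjects are assumptions made for illustration.

```python
import re

# Constructed look-alike table (an assumption, not from the post).
LOOKALIKES = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0"}

def obfuscation_rule(name):
    """Pattern matching look-alike spellings of `name`, never the plain one."""
    body = "".join(
        "[" + re.escape(LOOKALIKES[c]) + "]" if c in LOOKALIKES else re.escape(c)
        for c in name.lower()
    )
    # (?!name) rejects a match that starts on the undisguised spelling.
    return re.compile("(?!" + re.escape(name.lower()) + ")" + body, re.IGNORECASE)

def rules_hit(subject, names):
    """Return the names whose obfuscation rule fires on this subject."""
    return [n for n in names if obfuscation_rule(n).search(subject)]

# Constructed sample subjects, not real mail.
NAMES = ["viagra", "valium"]
SAMPLES = [
    "Pharmacy formulary update: Viagra and Valium dosing",  # legit, plain names
    "Cheap V1agra no prescription",                         # obfuscated
    "Re: viagra order - best v!4gra prices",                # plain and obfuscated
    "VAL1UM delivered overnight",                           # obfuscated, upper case
]

def report():
    """Map each sample subject to the list of rules that fired on it."""
    return {s: rules_hit(s, NAMES) for s in SAMPLES}

if __name__ == "__main__":
    for subject, hits in report().items():
        print(f"{hits or 'clean'}\t{subject}")
```

The third sample shows that a subject containing the plain name still fires when an obfuscated spelling appears elsewhere in it, because the lookahead is only evaluated at the position where the match starts.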