Jim Maul wrote:
Chris Santerre wrote:
-----Original Message----- From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 06, 2005 10:39 AM To: SA Users List Subject: Extra Sare Rules for meds?
I realize this isnt exactly a SA question but i figured theres enough people on this list using sare rules to give some feedback. I work in a hospital where we obviously receive a lot of legit emails with drug names in them. However, we also receive a lot of spam with drug names in them as well. I know there are sare rules to catch these sort of things but the question i guess is can these rules distinguish between the two? The difference it seems is that in the legit emails they dont try to hide the drug names and in the spam they do. Before i install some of these rules, i wanted to hear if anyone has had any experience with this type of situation.
Hi Jim,
Do you get hams with the kinds of drug names often found in spam? Or are we
talking about other kinds of drugs?
You could always change the scores in the SARE ruleset to something very low
for testing purposes.
Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com
Well, honestly im not even sure about that. I guess what i need to do is start capturing some of the emails (both ham and spam) we receive with drug names and do some trial runs with some of the antidrug and obfu rules to see what the results are. Does anyone know if the obfu rules would catch stuff like:
<TABLE cellSpacing=3D0 cellPadding=3D0 border=3D0> <TBODY> <TR vAlign=3Dbottom> <TD rowSpan=3D2><FONT face=3DArial size=3D4>VA</FONT></TD> <TD><FONT face=3DArial size=3D4></FONT></TD> <TD rowSpan=3D2><FONT face=3DArial size=3D4>U</FONT></TD> <TD><FONT face=3DArial size=3D4></FONT></TD> <TD rowSpan=3D2><FONT face=3DArial size=3D4>AG</FONT></TD> <TD><FONT face=3DArial size=3D4></FONT></TD> <TD rowSpan=3D2><FONT face=3DArial size=3D4> C</FONT></TD> <TD><FONT face=3DArial size=3D4></FONT></TD> <TD rowSpan=3D2><FONT face=3DArial size=3D4>IS</FONT></TD> <TD><FONT face=3DArial size=3D4></FONT></TD> <TR> <TD><FONT face=3DArial size=3D4>Ll</FONT></TD> <TD><FONT face=3DArial size=3D4>M Vl</FONT></TD> <TD><FONT face=3DArial size=3D4>RA</FONT></TD> <TD><FONT face=3DArial size=3D4>lAL</FONT></TD> <TD><FONT face=3DArial = size=3D4> and many other</FONT></TD>
</TR></TBODY></TABLE></DIV>
Thanks for the help as usual matt and chris.
-Jim
<TD rowSpan=3D2><FONT face=3DArial size=3D4>VA</FONT></TD>
BODY TABLEOBFU m{<td([^>]+|"[^"]+)>(<([^>]+|"[^"]+)>)*[a-z]{1,2}(<([^>]+|"[^"]+)>)*</td([^>]+|"[^"]+)>}i
might work for this. I haven't masschecked it, but I'll run a test tomorrow to see how this works out.
It essentially looks for one or two letters in a table tag with optional tags between the <td> and </td>
Jesse Houwing SARE Ninja
