On Wed, 2005-04-13 at 13:22, Andreas Davour wrote:
> The following message has many characteristics in common with much spam
> I've been getting lately. It's about investments, often shares, stock
> options or oil. One odd thing about those messages is that they all,
> like the one quoted below, have the letter 'l' substituted for the pipe
> character i.e. '|'.
>
> Is there any rule for this? Would one be hard to design?

There are several tools available to generate obfuscated-word rules for
you. Here's the one I made:

    http://www.impsec.org/email-tools/obfusc.pl

It reads a wordlist file containing data like:

    million 1.0

and generates SA rulesets like:

    # million @ 1.0
    describe OBFU_WRD_071 obfuscated "million"
    body OBFU_WRD_071 /\b(?!million)(?:m|([\/\|]\\\/[\|\\])|&\#(?:77|109);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[o0\xA9\xAE\xBC\xBD\xD2-\xD6\xD8\xF0\xF2-\xF6\xF8]|&o[a-z]+;|([(][)]))(?:[n\xD1\xF1]|(\|\\\|)|&\#(?:78|110);)/i
    score OBFU_WRD_071 1.0

I've posted it here before, but thought it was worth a refresh given the
obfu questions that are popping up lately.

It doesn't catch obfuscations that include too many letters (e.g.
milllion) but could easily be altered to do so by adding a + after each
of the (?:gibberish) submatches. That would probably increase false
positives a bit.

--
John Hardin
Development and Technology group (Seattle)
CRS Retail Systems, Inc.
3400 188th Street SW, Suite 185
Lynnwood, WA 98037
voice: (425) 672-1304 fax: (425) 672-0192
email: [EMAIL PROTECTED] web: http://www.crsretail.com
-----------------------------------------------------------------------
When freedom gives way to tyranny, it is not because tyranny comes
dressed as a wolf. Rather, it comes dressed as a shepherd, pointing
out other wolves. Go *read* the Patriot Act.
-----------------------------------------------------------------------
35 days until Revenge of the Sith
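
An added example, not part of the original message and not the obfusc.pl code: a Python sketch of the generation approach the reply describes, building one group per letter behind a negative lookahead for the plain word, with the "+ after each submatch" variant as an option. The look-alike table, the rule name OBFU_EXAMPLE_MILLION and the sample lines are constructed for illustration.

```python
import re

# Constructed look-alike table (an assumption, far smaller than the classes
# in the rule quoted above); letters not listed must appear literally.
LOOKALIKES = {
    "i": r"[i!l1\|]",
    "l": r"[l1i!\|]",
    "o": r"[o0]",
}


def obfu_pattern(word, repeat=False):
    """Regex source for look-alike spellings of `word`, excluding `word` itself.

    repeat=True adds '+' after each per-letter group, the change the message
    suggests for catching extra letters such as "milllion".
    """
    groups = []
    for ch in word.lower():
        alternatives = LOOKALIKES.get(ch, re.escape(ch))
        groups.append(f"(?:{alternatives})" + ("+" if repeat else ""))
    # The negative lookahead keeps the correctly spelled word from matching.
    return rf"\b(?!{re.escape(word)})" + "".join(groups)


def sa_rule(name, word, score, repeat=False):
    """Render the pattern as describe/body/score lines (rule name is hypothetical)."""
    return "\n".join([
        f'describe {name} obfuscated "{word}"',
        f"body     {name} /{obfu_pattern(word, repeat)}/i",
        f"score    {name} {score}",
    ])


def is_obfuscated(text, word, repeat=False):
    """True if `text` contains a disguised spelling of `word` (case-insensitive)."""
    return re.search(obfu_pattern(word, repeat), text, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(sa_rule("OBFU_EXAMPLE_MILLION", "million", 1.0))
    # Constructed sample lines, not taken from real mail.
    for line in ["make a mi||ion today", "one million dollars", "a milllion reasons"]:
        print(f"{line!r}: strict={is_obfuscated(line, 'million')} "
              f"repeat={is_obfuscated(line, 'million', repeat=True)}")
```

Because the "i" and "l" classes overlap, the repeat variant accepts any run of those characters in the middle of the word, which is where the extra matches come from.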