On Wed, 2005-04-13 at 13:22, Andreas Davour wrote:
> The following message has many characteristics in common with much spam 
> I've been getting lately. It's about investments, often shares, stock 
> options or oil. One odd thing about those messages is that they all, 
> like the one quoted below, have the letter 'l' substituted for the pipe 
> character i.e. '|'.
> 
> Are there any rules for this? Would one be hard to design? 

There are several tools available to generate obfuscated-word rules for
you. Here's the one I made:

        http://www.impsec.org/email-tools/obfusc.pl

It reads a wordlist file containing data like:

        million         1.0

and generates SA rulesets like:

        # million @ 1.0
        describe  OBFU_WRD_071    obfuscated "million"
        body      OBFU_WRD_071    /\b(?!million)(?:m|([\/\|]\\\/[\|\\])|&\#(?:77|109);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[o0\xA9\xAE\xBC\xBD\xD2-\xD6\xD8\xF0\xF2-\xF6\xF8]|&o[a-z]+;|([(][)]))(?:[n\xD1\xF1]|(\|\\\|)|&\#(?:78|110);)/i
        score     OBFU_WRD_071    1.0

I've posted it here before, but thought it was worth a refresh given the
obfu questions that are popping up lately.

It doesn't catch obfuscations that include too many letters (e.g.
milllion) but could easily be altered to do so by adding a + after each
of the (?:gibberish) submatches. That would probably increase false
positives a bit.

--
John Hardin
Development and Technology group (Seattle)
CRS Retail Systems, Inc.
3400 188th Street SW, Suite 185
Lynnwood, WA 98037
voice: (425) 672-1304
  fax: (425) 672-0192
email: [EMAIL PROTECTED]
  web: http://www.crsretail.com
-----------------------------------------------------------------------
  When freedom gives way to tyranny, it is not because tyranny comes
  dressed as a wolf. Rather, it comes dressed as a shepherd,
  pointing out other wolves. Go *read* the Patriot Act.
-----------------------------------------------------------------------
 35 days until Revenge of the Sith
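As an added illustration of the approach John describes (not his obfusc.pl and not its wordlist), here is a small Python generator: it maps each letter of a word to a constructed, abbreviated lookalike class, prefixes the `\b(?!word)` guard so the plain spelling stays unmatched, emits the four-line SA rule layout from the post, and optionally appends the `+` after each submatch that he suggests for catching spellings like "milllion". The LOOKALIKES table is an assumed subset of the classes in the generated rule above.

```python
import re

# Constructed, abbreviated lookalike table: a subset of the substitutions
# seen in the generated OBFU_WRD_071 rule, not obfusc.pl's real table.
LOOKALIKES = {
    "m": r"(?:m|[\/\|]\\\/[\|\\]|&#(?:77|109);)",
    "i": r"(?:[i!l1\|\/]|&i[a-z]+;)",
    "l": r"(?:[l1i!\|]|\|_|&#(?:76|108);)",
    "o": r"(?:[o0]|&o[a-z]+;|[(][)])",
    "n": r"(?:[n]|\|\\\||&#(?:78|110);)",
}


def obfu_regex(word: str, allow_repeats: bool = False) -> str:
    """Build a body regex matching obfuscated spellings of `word`.

    The (?!word) lookahead after \\b keeps the plain spelling from firing,
    as in the generated rule.  allow_repeats adds '+' after each submatch,
    the extension the post describes for 'milllion' (more false positives).
    """
    quant = "+" if allow_repeats else ""
    parts = [LOOKALIKES.get(c, re.escape(c)) + quant for c in word]
    return r"\b(?!" + re.escape(word) + ")" + "".join(parts)


def obfu_rule(word: str, score: float, idx: int) -> str:
    """Emit one SA rule in the comment/describe/body/score layout above."""
    name = f"OBFU_WRD_{idx:03d}"
    return "\n".join([
        f"# {word} @ {score}",
        f"describe  {name}    obfuscated \"{word}\"",
        f"body      {name}    /{obfu_regex(word)}/i",
        f"score     {name}    {score}",
    ])


def matches(word: str, text: str, allow_repeats: bool = False) -> bool:
    """True if `text` contains an obfuscated (not plain) spelling of `word`."""
    pattern = obfu_regex(word, allow_repeats)
    return re.search(pattern, text, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(obfu_rule("million", 1.0, 71))
    for sample in ("mi||ion", "m1ll10n", "a million dollars", "milllion"):
        print(f"{sample!r}: {matches('million', sample)}")
```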
