Bart Verwilst wrote:
> Hellow!
>
> I'm receiving mail with "XANA, L0RAAZEPAM, \/ALUUM, \/llGRA, CAALlS,
> LEVlTRRA, MER1DllA, ALPRAZZ0LAM, TRAMAD0OL, AMBllEN repeated wife" as
> subject, and while it gives several scores, none of them has anything to
> do with the topic. Only because it's HTML mail, received from an ip, ...
> Shouldn't the subject line trigger some tags on its own too?
I know, I got the same spam and it skipped by my filter too, and I wrote most of
the drugs rules...
Yes it should match.. all of the body text rules are run against the subject
line as well, by default.
However, all of the above words are carefully crafted to avoid the DRUGS_*
rules.
Each one of them is obfuscated in a way beyond what the drugs rules currently
expect.
For example: \/llGRA
The DRUGS_ERECTILE rule can recognize the \/ for v, and the l for i, but it
doesn't recognize l as a substitute for a...
Here's two patches you can add to local.cf (or any other file) to at least fix
the erectile drugs... they'll automatically over-ride the default sub-rules from
20_drugs.cf. Be sure to remove line wraps.. each of those should only be one
line long.
body __DRUGS_ERECTILE1
/(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[a4ij1!|l\xCC-\xCF\xEC-\xEF][_\W]{0,[EMAIL
PROTECTED],3}[x
yz]?[gj][_\W]{0,3}rr?[_\W]{0,[EMAIL PROTECTED],3}x?[_\W]{0,3}(?:\b|\s)/i
body __DRUGS_ERECTILE3
/(?:\A|[\s\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])[_\W]{0,3}C[_\W]{0,3}[a4ij1!|l\xCC-\xCF\xEC-\xEF][_\W]{0,3}[ila40\xC0
[EMAIL
PROTECTED],3}l?[l!|1][_\W]{0,3}[ij1!|l\xCC-\xCF\xEC-\xEF][_\W]{0,3}s[_\W]{0,3}(?:\b|\s)/i
