McDonald, Dan wrote:
Have you tried my rule?  I've caught 401 of them since I updated it this
morning.  It's also got a little surprise for the next logical
variant...

body    __MED_OB        /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body    __MED_NOT_OB    /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta    AE_MED44        (__MED_OB && ! __MED_NOT_OB)
describe        AE_MED44        Shorter rule to catch spam obfuscation
score   AE_MED44        2.0


Dan,

Thanks for the rules.

I am using "AE_MED42" from a previous thread. Is this "AE_MED44" meant to replace this or work in addition to it?

Also just curious, why the low score? With the default required hits of 5.0 and this in my setup being the only rule to hit, it would not be tagged as spam. Am I missing something or have you lowered your required hits?

Ben
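
The AE_MED44 meta logic quoted above, exercised on constructed sample text. This is an added example, not part of the original thread or of SpamAssassin: it is a Ruby stand-in for rules that SpamAssassin evaluates as Perl regexes, and `SEP`, `total_score`, `tagged?`, `other_points` and the name `abcde123` are assumptions made for illustration.

```ruby
# Patterns copied from the post; SEP only names the separator group that
# appears twice in __MED_OB so the long regex fits on one readable line.
SEP = '(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})'
MED_OB     = /\bw{2,3}#{SEP}[[:alpha:]]{2,6}\d{2,6}#{SEP}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
MED_NOT_OB = /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i

AE_MED44_SCORE = 2.0 # score assigned in the post
REQUIRED       = 5.0 # default required hits mentioned in the reply

# meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
# __MED_OB also matches the plain dotted form (a dot is punctuation), so
# __MED_NOT_OB is what keeps ordinary host names from scoring.
def ae_med44?(body)
  MED_OB.match?(body) && !MED_NOT_OB.match?(body)
end

# Score for a body; other_points is a hypothetical total contributed by
# whatever other rules fired on the same message.
def total_score(body, other_points = 0.0)
  other_points + (ae_med44?(body) ? AE_MED44_SCORE : 0.0)
end

def tagged?(body, other_points = 0.0)
  total_score(body, other_points) >= REQUIRED
end

# Constructed sample bodies; abcde123 is a made-up name, not a real indicator.
SAMPLES = [
  'visit www abcde123 com today',       # spaces instead of dots
  'go to www dot abcde123 dot net now', # spelled-out "dot"
  'ww-abcde123 . c o m',                # short prefix, spaced-out TLD
  'see www.abcde123.com',               # plain form: excluded by __MED_NOT_OB
  'meeting moved to 3pm'                # unrelated text
].freeze

SAMPLES.each do |body|
  printf("%-38s hit=%-5s score=%.1f tagged=%s\n",
         body, ae_med44?(body), total_score(body), tagged?(body))
end
```

On its own the rule adds 2.0, so a message reaches the 5.0 threshold only when other rules contribute the remainder.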
