Yeah, you catch my point !
I think it's easier to find a non-alphanum character than trying to
decode/desobfucate/guess the subject hidden word !
Why do we have to waste resources in trying to guess "Sex Movie" out
of "Se^x M-o ^v ~l e -". If it contains non-char in between chars you
can directly trigger a rule !
2011/10/17 Mynabbler <mynab...@live.com>:
>
>
> John Hardin wrote:
>>
>>> On Sat, 2011-10-15 at 15:38 -0700, John Hardin wrote:
>>> Check out SUBJ_OBFU_PUNCT in my sandbox. Awaiting masscheck, but we'll
>>> have to be quick to see the actual results... :)
>>
> I wrote a couple a days ago about these subjects, did not get a response
> however. I came up with something rather straightforward:
>
> header __MN_PUNC00 Subject =~ /~/
> header __MN_PUNC02 Subject =~ /`/
> header __MN_PUNC03 Subject =~ /\#/
> header __MN_PUNC04 Subject =~ /\$/
> header __MN_PUNC05 Subject =~ /%/
> header __MN_PUNC06 Subject =~ /\^/
> header __MN_PUNC07 Subject =~ /&/
> header __MN_PUNC08 Subject =~ /\*/
> header __MN_PUNC09 Subject =~ /\(|\)/
> header __MN_PUNC10 Subject =~ /\?/
> header __MN_PUNC11 Subject =~ /\+/
> header __MN_PUNC12 Subject =~ /=/
> header __MN_PUNC13 Subject =~ /\{|\}/
> # header __MN_PUNC14 Subject =~ /\[|\]/
> header __MN_PUNC15 Subject =~ /\|/
> header __MN_PUNC16 Subject =~ /\"/
> header __MN_PUNC17 Subject =~ /\;/
> header __MN_PUNC18 Subject =~ /\:/
> header __MN_PUNC19 Subject =~ /\//
> header __MN_PUNC20 Subject =~ /_/
> meta MN_PUNCTUATION (__MN_PUNC01 + __MN_PUNC02 + __MN_PUNC03 +
> __MN_PUNC04 + __MN_PUNC05 + __MN_PUNC06 + __MN_PUNC07 + __MN_PUNC08 +
> __MN_PUNC09 + __MN_PUNC10 + __MN_PUNC11 + __MN_PUNC12 + __MN_PUNC13 +
> __MN_PUNC15 + __MN_PUNC16 + __MN_PUNC17 + __MN_PUNC18 + __MN_PUNC19 +
> __MN_PUNC20 >= 3)
> score MN_PUNCTUATION 0.1
>
> PUNC14 gave too much false positives with forums and such where [ForumName]
> is send in the subject. The actual score for this kind of punctuation is
> low, I use the rule in a meta with URL shortening, free websites, free
> blogs, stuff like that, and it is hovering above the kill switch. Also note
> that is does not choke on subjects like ===++++====, where a multiple would.
>
>
> --
> View this message in context:
> http://old.nabble.com/Why-doesn%27t-anything-at-all-get-these-botnet-spammers--tp32659169p32668643.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>
