On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
> I block a lot of spam searching for strings on the subject, but
> sometimes the subject in the header comes in EVAL, like this:
> Subject:
> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
Not "eval", but encoded -- in this case even necessary, rather than an
attempt at obfuscation, because it contains non ASCII letters.
Anyway, SA *does* decode the header value by default, unless you use
the :raw qualifier.
> So, rules like this doesn't work:
> header ADVERTISE_RULE8 Subject =~ /Publici dad/i
It doesn't work, because one of these chars is not an 'i'. The Subject
decodes to:
.Venta de CANASTAS NAVIDE_AS - publ_ci dad
This is actually directly extracted from SA debugging, and thus decoded
by SA. Note the underscores, which I used in place of the two non-ASCII
chars.
Your rule does not match, because the first 'i' is not. Using the /./
"any char" instead of it works.
> score ADVERTISE_RULE8 11
That's a rather high score. And your RE sure could use some /\b/ word
boundaries at the beginning and end of the match.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
