On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote: > I block a lot of spam searching for strings on the subject, but > sometimes the subject in the header comes in EVAL, like this: > Subject: > =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
Not "eval", but encoded -- in this case even necessary, rather than an attempt at obfuscation, because it contains non ASCII letters. Anyway, SA *does* decode the header value by default, unless you use the :raw qualifier. > So, rules like this doesn't work: > header ADVERTISE_RULE8 Subject =~ /Publici dad/i It doesn't work, because one of these chars is not an 'i'. The Subject decodes to: .Venta de CANASTAS NAVIDE_AS - publ_ci dad This is actually directly extracted from SA debugging, and thus decoded by SA. Note the underscores, which I used in place of the two non-ASCII chars. Your rule does not match, because the first 'i' is not. Using the /./ "any char" instead of it works. > score ADVERTISE_RULE8 11 That's a rather high score. And your RE sure could use some /\b/ word boundaries at the beginning and end of the match. -- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}