Thank you Karsten for your input. I have modified the rule to the following and it is working great:
header ADVERTISE_RULE8 Subject =~ /publ.?.c.?.dad/i
describe ADVERTISE_RULE8 Encripted word
score ADVERTISE_RULE8 11

If I see there are a lot of false positives I will modify it a bit, but for now it is what I was looking for.

Regards,

Sergio

2011/11/21 Karsten Bräckelmann <guent...@rudersport.de>

> On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
> > I block a lot of spam searching for strings on the subject, but
> > sometimes the subject in the header comes in EVAL, like this:
> > Subject:
> > =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
>
> Not "eval", but encoded -- in this case even necessary, rather than an
> attempt at obfuscation, because it contains non ASCII letters.
>
> Anyway, SA *does* decode the header value by default, unless you use
> the :raw qualifier.
>
>
> > So, rules like this doesn't work:
> > header ADVERTISE_RULE8 Subject =~ /Publici dad/i
>
> It doesn't work, because one of these chars is not an 'i'. The Subject
> decodes to:
> .Venta de CANASTAS NAVIDE_AS - publ_ci dad
>
> This is actually directly extracted from SA debugging, and thus decoded
> by SA. Note the underscores, which I used in place of the two non-ASCII
> chars.
>
> Your rule does not match, because the first 'i' is not. Using the /./
> "any char" instead of it works.
>
>
> > score ADVERTISE_RULE8 11
>
> That's a rather high score. And your RE sure could use some /\b/ word
> boundaries at the beginning and end of the match.
>
>
> --
> char *t="\10pse\0r\0dtu\0.@ghno
> \x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
> c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> }}}
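
Added example (not part of the original thread and not SpamAssassin code): it decodes the Subject quoted above and runs the three patterns discussed against it, including the /\b/-anchored form Karsten suggests. Assumptions: Python's re module stands in for the Perl regex engine, the function and constant names are hypothetical, and the "Republic Dads" subject is a constructed false-positive sample.

```python
import re
from email.header import decode_header

# Encoded Subject exactly as quoted in the thread (RFC 2047 encoded-word, base64).
RAW_SUBJECT = ("=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1"
               "YmyhY2kgZGFk?=")

# Constructed sample: a harmless subject the loose pattern also hits.
BENIGN_SUBJECT = "Republic Dads newsletter"

ORIGINAL = re.compile(r"Publici dad", re.I)          # first rule in the thread
LOOSE = re.compile(r"publ.?.c.?.dad", re.I)          # Sergio's revised rule
BOUNDED = re.compile(r"\bpubl.?.c.?.dad\b", re.I)    # with \b at both ends


def decode_subject(raw):
    """Decode RFC 2047 encoded-words into text, as a filter would before matching."""
    parts = []
    for data, charset in decode_header(raw):
        if isinstance(data, bytes):
            parts.append(data.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(data)
    return "".join(parts)


def matches(pattern, subject):
    """True if the pattern is found anywhere in the subject."""
    return pattern.search(subject) is not None


def report():
    """Return {pattern name: (hit on spam subject, hit on benign subject)}."""
    decoded = decode_subject(RAW_SUBJECT)
    rules = {"original": ORIGINAL, "loose": LOOSE, "bounded": BOUNDED}
    return {name: (matches(rx, decoded), matches(rx, BENIGN_SUBJECT))
            for name, rx in rules.items()}


if __name__ == "__main__":
    print(repr(decode_subject(RAW_SUBJECT)))
    for name, (spam_hit, benign_hit) in report().items():
        print(f"{name:8s} spam={spam_hit} benign={benign_hit}")
```

The second non-ASCII character sits where the first 'i' of the word would be, which is why the literal pattern misses; the unanchored revision also fires inside "Republic Dads", and the \b version does not.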