We can certainly look at doing something like that, currently I am using this line:
BODY END CONTAINS Content-Transfer-Encoding: base64

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 14, 2007 10:15 AM
To: [email protected]
Subject: Re: [Declude.JunkMail] PCRE FILTERING

I'm seeing hits in the attachments too.

Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM (valium)

It would be real nice to be able to search the body without the attachments like this.

BODYONLY 25 PCRE (?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)

Being able to search the body without the attachments would also be a time saver on those BODY filters.

----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, March 13, 2007 11:24 AM
Subject: [Declude.JunkMail] PCRE FILTERING

Wanted to give a sample of how the new Regular Expressions are identifying patterns, here is a log snip on a few patterns for Drugs:

ANYWHERE PCRE filter FILTER-DRUGS : C1al.is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : C1alis is [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cia1is s [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cial1s S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialiis [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : CIALIS [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Cialis S [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : H,G,H [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HGH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Human Growth Hormone [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : HxGxH [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED] [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Leviitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levitra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Levltra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v!Agr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V_I_A_G_R_A [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : v|aGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agr@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : V1agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Val1um [weight -> 1]
ANYWHERE PCRE filter FILTER-DRUGS : [EMAIL PROTECTED]@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Vi[agra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Via gra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagr@ a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagra a [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Viagraa [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGR@ [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : VlAGRA [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanax [weight -> 5]
ANYWHERE PCRE filter FILTER-DRUGS : Xanaxx [weight -> 5]

These are the expressions I am using - as I am still on a learning curve these expressions may be improved and become more accurate. While testing I score relatively low just in case of FP's. I use a tool called baregrep http://www.baremetalsoft.com/baregrep/ which speeds through huge DEBUG logs pulling out entries I am looking for.

Hope this helps get you started with PCRE, I think the Declude community can receive great value from sharing this type of info.

#CIALIS
ANYWHERE 3 PCRE (?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)

#HGH
ANYWHERE 5 PCRE (?i:\b(?:human growth hormone|(?-i:HGH)|H.G.H)\b)

#LEVITRA
ANYWHERE 5 PCRE (?i:\bl.{0,2}e.{0,2}v.{0,2}[\|li1í\!].{0,2}t.{0,2}r.{0,[EMAIL PROTECTED])

#VIAGRA
ANYWHERE 5 PCRE (?i:v.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}g.{0,2}r.{0,[EMAIL PROTECTED])

#XANAX
ANYWHERE 5 PCRE (?i:x.{0,[EMAIL PROTECTED],2}n.{0,[EMAIL PROTECTED],2}x)

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
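
The attachment false positive discussed in this thread, as an added example that is not part of the original messages and is not Declude code: the HGH expression is taken verbatim from the post and run with Python's `re` module standing in for PCRE, first over the raw message and then over the decoded text parts only. The addresses, file name, attachment bytes and function names are constructed for the illustration.

```python
import base64
import re
from email import message_from_string, policy
from email.message import EmailMessage

# HGH expression exactly as posted in the thread (the one the archive did not mask).
HGH = re.compile(r"(?i:\b(?:human growth hormone|(?-i:HGH)|H.G.H)\b)")

def build_sample(body_text, attachment_bytes):
    """Constructed test message: one text/plain body plus one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content(body_text)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_string()

def scan_anywhere(raw, pattern=HGH):
    """Match against the raw message, encoded attachments included."""
    m = pattern.search(raw)
    return m.group(0) if m else None

def scan_body_only(raw, pattern=HGH):
    """Match only against decoded text parts that are not attachments."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container and binary parts
        if part.get_content_disposition() == "attachment":
            continue  # skips text files sent as attachments
        m = pattern.search(part.get_content())
        if m:
            return m.group(0)
    return None

# Constructed attachment whose base64 form is "UEsDBBQA+HaGvH/A": arbitrary
# bytes that happen to spell an H.G.H hit once encoded.
BLOB = base64.b64decode("UEsDBBQA+HaGvH/A")
CLEAN = build_sample("Please find the report attached.\n", BLOB)
SPAM = build_sample("Cheap HxGxH shipped overnight.\n", BLOB)

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("spam", SPAM)):
        print(name, "ANYWHERE:", scan_anywhere(raw), "BODYONLY:", scan_body_only(raw))
```

The clean message scores a hit only when the encoded attachment is scanned, while the obfuscated body text is caught either way.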
