http://bugzilla.spamassassin.org/show_bug.cgi?id=4094
------- Additional Comments From [EMAIL PROTECTED] 2005-02-21 20:09 -------
(In reply to comment #9)
> Subject: Re: Add plugin to make fuzzy matching easier
> > working on this now
>
> FYI, I don't know anything about the plugin more than the couple of
> minutes I went poking at it just now, but I put in code and rules in 3.1
> trunk a few days ago (T_INT_*) which seem to do the same thing that the
> plugin docs indicate it does.
>
> ie:
>
> body T_INT_VICODIN eval:check_obfu_word('vicodin')
>
> makes the rule ignore "vicodin", but trigger on the RE:
>
> (?:v|\\/)\W*[i1|]\W*c\W*[o0]\W*d\W*[i1|]\W*n
Theo,
I just took a look at the check_obfu_word and what it is doing (generating
obfu-catching rules). Are you aware of the script I wrote a year or so back?
It does something very similar to the code I looked at.
It's designed to operate on an intermediate source rule file with non-obfu rules
such as:
body FOOBAR /\bfoobar\b/i
desc FOOBAR find annoying foobar spam
and generate a final rules file with obfu detection such as:
body LOCAL_OBFU_ONLY_FBR /(?!\bfoobar\b)(?:\bf|\B\xC5\xBF|\xC6\x92|\xD2[\x92-\x93])[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[b8\xDF]|\xCE\x92|\xCE\xB2|\xD0\x92|\xD0\xB2[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[EMAIL PROTECTED]|\/\\|\xC4[\x80-\x85]|\xC7[\x8D-\x8E]|\xC7[\xBA-\xBB]|\xCE\x86|\xCE\x91|\xCE\x94|\xCE\x9B|\xCE\xAC|\xCE\xB1|\xD0\x90|\xD0\xB0[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:r\b|[\xAE]|\xC5[\x94-\x99]|\xD1\x93\B)/i
desc LOCAL_OBFU_ONLY_FBR find annoying foobar spam
However, it could easily be ported to a plugin to generate rules on the fly,
methinks. I put together a pretty decent character replacement map you are free
to use (in the source). There are numerous options to control how aggressive
the rules generated are. It's done very well catching obfuscated words for me.
Here is the source to the script: http://sandgnat.com/cmos/obfu.pl
You can test it out via a cgi to see if you think it is worthwhile:
http://sandgnat.com/cmos/cmos.jsp
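
The idea discussed in this thread (expand a plain word into a loose per-letter pattern, and use a negative lookahead so the clean spelling does not trigger), as an added example that is not taken from obfu.pl or the SpamAssassin code base. The lookalike map, function names and sample lines are constructed for illustration; the rule line follows the `body NAME /regex/i` form shown above.

```python
import re

# Constructed lookalike map: an assumption for this example, far smaller
# than the replacement map the comment says ships in obfu.pl.
LOOKALIKES = {
    "a": r"[a@4]", "b": r"[b8]", "c": r"[c(]", "e": r"[e3]",
    "i": r"[i1!|]", "l": r"[l1|]", "o": r"(?:[o0]|\(\))",
    "v": r"(?:v|\\/)",
}

def obfu_pattern(word, max_gap=2):
    """Regex source that hits disguised spellings of `word` only."""
    word = word.lower()
    gap = r"\W{0,%d}" % max_gap   # filler characters allowed between letters
    body = gap.join(LOOKALIKES.get(ch, re.escape(ch)) for ch in word)
    # (?!word\b) plays the role of (?!\bfoobar\b) in the generated rule:
    # reject the position where the clean word starts, then try the loose form.
    # The outer lookarounds keep the hit from starting or ending mid-word.
    return r"(?<!\w)(?!%s\b)%s(?!\w)" % (re.escape(word), body)

def obfu_hits(word, lines):
    """Return the lines containing an obfuscated form of `word`."""
    rx = re.compile(obfu_pattern(word), re.IGNORECASE)
    return [ln for ln in lines if rx.search(ln)]

def rule_line(name, word):
    """Format the pattern as a body rule, escaping the / delimiter."""
    return "body %s /%s/i" % (name, obfu_pattern(word).replace("/", "\\/"))

# Constructed sample message lines.
SAMPLES = [
    "cheap vicodin here",       # clean spelling: must not hit
    "cheap v1c0d1n here",       # digit substitutions
    "get v.i.c.o.d.i.n now",    # separators between letters
    r"\/icodin online",         # two-character stand-in for 'v'
    "VICODIN",                  # clean spelling, upper case
    "vicodins",                 # longer word containing the clean spelling
]

if __name__ == "__main__":
    print(rule_line("T_OBFU_VICODIN", "vicodin"))
    for line in obfu_hits("vicodin", SAMPLES):
        print("hit:", line)
```
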