Just to clarify a bit on this, there is the conundrum regarding text or
HTML base64 encoded attachments and other types of attachments where you
want to search the text and HTML stuff in decoded format, but not the
image, application and other MIME types. It is however less common to
obfuscate
> > This was an old, old feature request/bug fix from back in the
> > Scott days, where it was desired not include encoded base64
>
> I requested this as a change long ago for two reasons:
>
> 1) To avoid false positives where search text matches the MIME or UUENCODE
> formatting
>
> 2) To provi
> This was an old, old feature request/bug fix from back in the
> Scott days, where it was desired not include encoded base64
I requested this as a change long ago for two reasons:
1) To avoid false positives where search text matches the MIME or UUENCODE
formatting
2) To provide an instant s
Dave,
This was an old, old feature request/bug fix from back in the Scott
days, where it was desired not include encoded base64 content on BODY
searches (decoded content was desired). The work around for this it to
add a separator to the end of the filter such as a period, comma, space,
tab,
I find the CIALIS on it's own does tend to match on some weird combos more
than the other drugs give this one a try:
BODY5 PCRE
(?im:c.{0,2}[\|li1í\!].{0,[EMAIL
PROTECTED],2}[\|li1í\!].{0,2}[\|li1í\!].{0,2}s+.{0,
30}?(\$\d{1,4}(\.|,)\d{1,4}))
Basically looking for Cialis with s
We can certainly look at doing something like that, currently I am using
this line:
BODYEND CONTAINSContent-Transfer-Encoding: base64
David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, March 14, 2007 10:1
also:
Capital Firms
cycle analysis
- Original Message -
From: "Nick Hayer" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, March 14, 2007 8:14 AM
Subject: Re: [Declude.JunkMail] PCRE FILTERING
fyi -
#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|
I'm seeing hits in the attachments too.
Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM (valium)
It would be real nice to be able to search the body without the attachments
like this.
BODYONLY 25 PCRE
(?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
B
Yes I noticed that is why I used 3 rather than 5 as for the others, I guess
one way to deal with this would be:
#FP ADJUSTMENTS
ANYWHERE-3 CONTAINSclassifieds
Or
ANYWHEREEND CONTAINSclassifieds
David Barker
Director of Product Management
Your Email secur
fyi -
#CIALIS
ANYWHERE3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}s)
This one will false positive onclassifieds
-Nick
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL
10 matches
Mail list logo
