Would somebody please mass-check the following rule set
and let me know if there's any collateral damage?
I whipped them up to deal with a new flavor of spam that I'm
seeing more of these days.

rawbody L_FAKE_HREF /\w\whref=http:/i
describe L_FAKE_HREF Faked href to hide spammer URLs
score L_FAKE_HREF 1.0

full L_SPLITFONT1 /<font color=\n\n"?\#[a-f]\w[a-f]\w[a-f]\w"?>/i
describe L_SPLITFONT1 HTML bright font color tag split by blank lines
score L_SPLITFONT1 1.0

meta L_HTML_OBFU ( L_SPLITFONT1 && L_FAKE_HREF && HTML_MESSAGE )
describe L_HTML_OBFU HTML spam with obfuscated bright colored font
score L_HTML_OBFU 5.0

The scores were semi-arbitrarily chosen so any suggestions on
improving those would also be welcome.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
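
A small collateral-damage check for the three rules above, added here as an example and not part of the original post. It approximates SpamAssassin's matching in Python, with the rawbody rule tried per line and the full rule against the whole text. The sample bodies are constructed, and html_message is an assumed stand-in for the stock HTML_MESSAGE test.

```python
import re

# Patterns copied from the rules in the post; the /i flag becomes re.IGNORECASE.
L_FAKE_HREF = re.compile(r'\w\whref=http:', re.I)
L_SPLITFONT1 = re.compile(r'<font color=\n\n"?\#[a-f]\w[a-f]\w[a-f]\w"?>', re.I)
SCORES = {"L_FAKE_HREF": 1.0, "L_SPLITFONT1": 1.0, "L_HTML_OBFU": 5.0}


def evaluate(body, html_message=True):
    """Return (rule names hit, summed score of those rules) for one body.

    Assumption: html_message stands in for HTML_MESSAGE, whose own score
    is not counted here.
    """
    hits = set()
    # rawbody approximation: try the pattern against each line separately.
    if any(L_FAKE_HREF.search(line) for line in body.split("\n")):
        hits.add("L_FAKE_HREF")
    # full approximation: the pattern sees the text with newlines intact.
    if L_SPLITFONT1.search(body):
        hits.add("L_SPLITFONT1")
    # meta rule: fires only when both sub-rules hit on an HTML message.
    if {"L_FAKE_HREF", "L_SPLITFONT1"} <= hits and html_message:
        hits.add("L_HTML_OBFU")
    return hits, sum(SCORES[name] for name in hits)


# Constructed sample bodies (not real mail).
SAMPLES = {
    # Both obfuscations present: all three rules fire.
    "spam_like": '<a xyhref=http://example.invalid/>x</a>\n'
                 '<font color=\n\n"#F0E0D0">hi</font>',
    # Ordinary unquoted link and a bright font tag on one line: no hits.
    "ham_plain_link": '<a href=http://example.org/>x</a>\n'
                      '<font color="#F0E0D0">hi</font>',
    # Redirect-style query parameter ending in "href": L_FAKE_HREF alone.
    "ham_query_param": '<a href="http://example.org/go?myhref=http://example.net/">x</a>',
    # Split font tag with a dark color: the [a-f] positions do not match.
    "ham_dark_split": '<font color=\n\n"#102030">hi</font>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits, score = evaluate(body)
        print(f"{name:16} {score:4.1f}  {sorted(hits)}")
```

The ham_query_param sample shows where L_FAKE_HREF can hit legitimate mail on its own; in this approximation the meta rule keeps that at 1.0 because it also requires L_SPLITFONT1.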