On Fri, 2009-07-10 at 17:11 +0200, Sim wrote:
> >>>
> >>>
> >>> /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> >>
> >> ^
> >> John,
> >>
> >> Thanks a lot for rule update! It works fine. I can say it's nearly
> >> perfect, because it is missing only one small back-slash :) Please look
> >> above.
> >
> > D'oh!
> >
> > That, plus some other fixes:
> >
> > /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> >
>
> Hello world ;-)
>
> I'm using it without good results for this format:
>
> bla bla www. site. net. bla bla
>
> Have you any idea?
> Regards

Yes, remove the outer parentheses.
Here are the rules I am using:

body AE_MEDS35 /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 3.00

body AE_MEDS38 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38 rule to catch next wave of obfuscated domains
score AE_MEDS38 1.0

body AE_MEDS39 /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39 rule to catch still more spam obfuscation
score AE_MEDS39 4.0

AE_MEDS38 finds domains with spaces in them, and AE_MEDS39 finds domains with dots and spaces. You might want to bump up the score on AE_MEDS38, but I haven't had a false negative that would have benefited from it in a while, so I haven't bothered.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
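
A small regression harness for the patterns in this thread, added here as an example and not code from any of the posters. It runs both quoted revisions of the `www ... com` pattern and AE_MEDS39 over sample body lines and reports which rules fire. The sample lines are constructed (only the "www. site. net." format is taken from the thread), the names JOHN_V1 and JOHN_V2 are hypothetical labels, and AE_MEDS39 is ported to Python's `re` by replacing the POSIX classes with ASCII equivalents, which is an assumption.

```python
import re

# ASCII stand-in for Perl's [[:punct:][:space:]] (Python's re has no POSIX classes).
P = r"[!-/:-@\[-`{-~\s]"
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b"

RULES = {
    # First quoted revision, still containing "s\W" in the second separator group.
    "JOHN_V1": r"\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)" + TLD,
    # Later revision quoted in the thread.
    "JOHN_V2": r"\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)" + TLD,
    # AE_MEDS39 with [[:alpha:]] -> [A-Za-z] and the punct/space class -> P.
    "AE_MEDS39": r"\bw{2,3}" + P + r"{2,3}[A-Za-z]{2,6}\d{2,6}" + P + r"{2,3}" + TLD,
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

# Constructed body lines, except the "www. site. net." format quoted from the thread.
SAMPLES = {
    "spaces": "buy at www site12 com now",
    "dot_space": "buy at www. site12. net now",
    "space_dot": "buy at www site12 .com now",
    # Every pattern above requires at least two digits after the name,
    # so a digit-free host name fires none of them.
    "no_digits": "bla bla www. site. net. bla bla",
    # An ordinary URL has no whitespace around the dots and must not fire.
    "legit_url": "see www.example.com for details",
}

def fired(text):
    """Return the sorted names of the rules whose pattern matches text."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(text))

def report():
    """Map each sample label to the rules that fire on it."""
    return {label: fired(text) for label, text in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:10} {hits or 'no rule fired'}")
```
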