On Tue, 2010-10-26 at 20:10 +0100, Martin Gregorie wrote:
> On Tue, 2010-10-26 at 10:37 -0700, John Hardin wrote:
> > The OP wasn't clear whether he wanted ten points _per URI hit_. If that's
> > the case, the regex alternatives and meta solutions aren't appropriate and
> > there's no way to avoid one score line per URI rule.
>
> ????? What about 'tflags multiple' as in:
>
> uri RULE /(example.(com|net)|example.org|...)/
> tflags RULE multiple
> score RULE 10
>
> The only (minor) drawback I've found is that the list of firing rules
> can be filled with RULE, RULE, RULE,.... by the type of spam that contains
> nothing but tens of lines pushing variations on a theme such as:

tflags multiple can be quite dangerous, though, if it directly results
in a hit. As per your example.

Besides possibly flooding the report, it also can seriously bias the
overall score easily. URI DNSBL hits, for example, do not count how
often a domain is in the spam, but hit once only.

The safest approach for tflags multiple rules is to trigger other rules
based on the number of hits. meta rules explicitly support this.

  meta FOO_4  __TFLAGS_MULTIPLE_SUB >= 4

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
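
The counting approach described in the reply above, written out as a SpamAssassin rule set. This is an added example, not part of the original message: the rule names, domains, thresholds and scores are constructed for illustration, and the `maxhits` cap is an addition the message does not mention.

```conf
# Added example; rule names, domains, thresholds and scores are constructed.

# Risky form: the scored rule itself carries "tflags multiple", so each
# matching URI adds another 10 points and another entry in the report.
# A message carrying 20 matching URIs gets 200 points from this rule alone.
#   uri     RULE  /\bexample\.(?:com|net|org)\b/i
#   tflags  RULE  multiple
#   score   RULE  10

# Safer form: do the counting in an unscored sub-rule. The "__" prefix
# keeps it out of the score and out of the list of rules that fired.
# maxhits stops evaluation once the highest threshold below is reachable.
uri       __LOCAL_URI_HITS  /\bexample\.(?:com|net|org)\b/i
tflags    __LOCAL_URI_HITS  multiple maxhits=8

# Meta rules compare the hit count to a threshold and fire once each,
# so the total contribution is bounded no matter how many URIs match.
meta      LOCAL_URI_1   __LOCAL_URI_HITS >= 1
describe  LOCAL_URI_1   Contains a locally listed URI
score     LOCAL_URI_1   2.0

meta      LOCAL_URI_4   __LOCAL_URI_HITS >= 4
describe  LOCAL_URI_4   Contains 4 or more locally listed URIs
score     LOCAL_URI_4   1.5

meta      LOCAL_URI_8   __LOCAL_URI_HITS >= 8
describe  LOCAL_URI_8   Contains 8 or more locally listed URIs
score     LOCAL_URI_8   1.0
```

With these constructed values the rule set contributes at most 4.5 points and at most three names in the report, however many matching URIs the message contains. Running `spamassassin --lint` after editing the local `.cf` file catches syntax errors before the rules go live.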