On 04/21/2011 03:55 PM, Kevin Miller wrote:
> Thanks (also to Martin who replied). I posted one of the spams here:
> http://pastebin.com/9aBAxR7m
>
> You can see the long series of break codes in it.

Yes I can. I can also see several other diagnostic bits in it, such as the domain: http://www.siteadvisor.com/sites/regionstargpsupdates.com

How about this rule instead:

blacklist_from *@regionstargpsupdates.com

It's much faster and, given the report of the domain being that of a spammer, much much safer.

> Sorry for the confusion on the 10.10.10.10 - that isn't part of the
> spam, it was just a handy file for testing since it had a repeating
> string in it.

It was a faulty test since '[10.]{3}' will match '10.10.10.10' but not in the way that you think; it matches the first three characters and will therefore also match the string '110.64.323.6'.

> I did get it to work from the CLI, and wrote the following rule:
>
> body CBJ_GiveMeABreak /\["<br>"]{5,}/
> describe CBJ_GiveMeABreak Messages with multiple consecutave break
> characters
> score CBJ_GiveMeABreak 0.01

That will not match your sample. Please re-read my message. The regex is wrong and the rule type (body) is wrong.

> I know it may trigger on some ham which is why I set the initial
> score to 0.01. Better ideas are most welcome though!
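
The character-class mistake discussed in this message, as an added example that is not part of the original thread: it runs the patterns from the message, plus grouped alternatives, over constructed samples. Python's `re` stands in for the Perl regexes SpamAssassin uses (these constructs behave the same in both); the sample strings, the `PATTERNS` names and the `group_br` correction are assumptions.

```python
import re

# Constructed samples (not taken from the pastebin message).
SPAM_HTML = "Buy now<br><br><br><br><br><br>unsubscribe"  # six consecutive breaks
HAM_HTML = "Hi Kevin,<br>see you Monday.<br>Bob"           # isolated breaks
DOTTED_QUAD = "10.10.10.10"
OTHER_ADDR = "110.64.323.6"                                # string from the reply

PATTERNS = {
    # Character class: any 3 characters drawn from {'1', '0', '.'}.
    "class_10": r"[10.]{3}",
    # Group: the literal sequence "10." repeated 3 times.
    "group_10": r"(?:10\.){3}",
    # Regex from the quoted rule: \[ is a literal '[', the quotes are
    # literal, and {5,} applies only to the final ']'.
    "quoted_rule": r'\["<br>"]{5,}',
    # Assumed correction: five or more consecutive <br> tags.
    "group_br": r"(?:<br\s*/?>\s*){5,}",
}


def matched_text(name, text):
    """Return the substring the named pattern matches in text, or None."""
    m = re.search(PATTERNS[name], text, re.IGNORECASE)
    return m.group(0) if m else None


def report():
    """Map each pattern to what it matches in every sample."""
    samples = {"spam": SPAM_HTML, "ham": HAM_HTML,
               "quad": DOTTED_QUAD, "other": OTHER_ADDR}
    return {p: {s: matched_text(p, t) for s, t in samples.items()}
            for p in PATTERNS}


if __name__ == "__main__":
    for pattern, hits in report().items():
        print(f"{pattern:12} {hits}")
```

On the rule type: SpamAssassin's documentation describes `body` rules as matching text with HTML tags removed, while `rawbody` rules see the decoded text with tags intact, so a pattern that looks for `<br>` needs the latter.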