On Wed, 2011-06-08 at 07:53 -0700, John Hardin wrote:
> How about this (untested):
> 
> header  __SUBJ_BROKEN_WORD  Subject =~ /\s(?!i[PT])[a-z]{1,3}[A-Z][a-z]{2}/
> tflags  __SUBJ_BROKEN_WORD  multiple
> meta    __SUBJ_BROKEN_WORDS __SUBJ_BROKEN_WORD > 2
> 
I tested this as well as my own variant:

describe MG_SPLIT322 Two or more words obfuscated with a "xxx xx xx" split
body     __MG_SPL322 /\b[a-z]{3} [a-z]{2} [a-z]{2}\b/i
tflags   __MG_SPL322 multiple
meta     MG_SPLIT322 __MG_SPL322 > 2
score    MG_SPLIT322 4

against a private collection of 491 spam messages which I use to test my
private rules. 

I got 8 FPs (1.6%) with either regex because both hit on fairly common
text such as "Log in to", "rolling out up to", "want you to be" and "and
so on", so it should either be used with a fairly small score or as part
of a meta rule. I'm currently keeping it in my rule set, but scored at
1.5.

Martin
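
Added example, not part of the message above and not SpamAssassin's own code: a Python approximation of the MG_SPLIT322 body rule, counting sub-rule hits the way `tflags multiple` exposes them and applying the `> 2` meta test, to show how ordinary prose containing phrases like those quoted above reaches the threshold. Assumptions: Python's `re` behaves like Perl's regex engine for this pattern, the whole body is scanned as one string, and the sample bodies are constructed.

```python
import re

# Regex from the MG_SPLIT322 rule; Python's re stands in for Perl here
# (assumption: the two engines agree on this simple pattern).
MG_SPL322 = re.compile(r"\b[a-z]{3} [a-z]{2} [a-z]{2}\b", re.IGNORECASE)


def hits(body):
    """All non-overlapping matches, the count 'tflags multiple' exposes."""
    return MG_SPL322.findall(body)


def evaluate(body, score):
    """Mimic 'meta MG_SPLIT322 __MG_SPL322 > 2'.

    Returns (hit count, points the rule adds to the message score).
    """
    n = len(hits(body))
    return n, (score if n > 2 else 0.0)


# Constructed sample bodies, not taken from any real corpus.
SAMPLES = {
    # Three 7-letter words split 3-2-2, the pattern the rule targets.
    "obfuscated": "Get rep li ca wat ch es che ap er today",
    # Plain English that happens to contain 3-2-2 word runs.
    "ordinary": "Log in to your account. We are rolling out up to five "
                "updates and so on, because we want you to be informed.",
    # A single 3-2-2 run stays under the meta threshold.
    "short": "Please log in to confirm.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for score in (4.0, 1.5):  # the two scores mentioned in the message
            n, pts = evaluate(body, score)
            print(f"{name:10s} score={score:<3} hits={n} adds={pts} {hits(body)}")
```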

