On Sun, 2011-11-27 at 10:40 -0500, Kevin A. McGrail wrote:
> On 11/27/2011 10:24 AM, Sergio wrote:
> >
> > I want to thank KAM for sharing his rules. I have learned a lot
> > looking at them, and thanks to that I have modified the rules that
> > I had to make them easier to work with. The arithmetic on the rules
> > with the operand "+" is working really nicely; I have joined a lot of
> > rules and made them active with ">=1", so if any of the rules in the
> > group applies then the rule is triggered.
> You are welcome. As you can see, my focus with content-based rules is
> to try and use meta rules almost exclusively to minimize FPs.
>
> > The porn rule that I have is working, but it still lets spam of this
> > type pass. The score line that I wrote in the email had a typo that
> > is not in my working rule, and my major concern is the garbled
> > words like:
> >
> > S:C H #O+O L "G l, R%L P *0 *R N*
> > T\E /EN"S} P)0_R \N
> > S:C H #O+O L "G l, R%L P *0 *R N*
> > G ,RA _N N}Y } P %0 ~R |N \
> > P,0_ R .N PI ~C}T+U-R(E%S.
> > TR %A *N #S S. E. X{UA`L P&0/R N_
> >
> > What would be the best way to catch any type of garbled word?
> Those could be hard because you can get some false positives pretty quickly.
>
> If this is JUST on the subject header, it might be ok to look at a rule
> like:
>
> P.{0,2}[0o].{0,2}R.{0,2}N.{0,2}
>
> That looks like it might hit on all the variants above but I wouldn't
> score it too high.
>
This should also work. It matches all your example headings and is
general enough to match almost any subject line that uses this type of
obfuscation:

    header RULENAME Subject =~ /([A-Z][^A-Z]{1,2}){3,}/

The number of adjacent match groups needs to be exactly 3: setting it
higher causes some of your examples to be missed. Setting it lower
starts to generate FPs on inoffensive subject lines.

Caution: I developed this regex using grep with the -P option to scan a
text file containing one of your subject examples per line plus the
following normal subject lines. It hit all the example subjects you
provided and did not hit either of:

    Unspaced title
    CAPITALLISED TITLE

but has not been tested as part of an SA rule.

Martin
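
A small Python harness, added here as an example and not part of the original messages, that re-runs the test described above on the subjects quoted in the thread while varying the minimum group count. The function names and every benign subject other than the two from the thread are constructed for illustration, and Python's `re` stands in for `grep -P`.

```python
import re

# Obfuscated subjects quoted in the thread (the repeated one listed once).
SPAM = [
    'S:C H #O+O L "G l, R%L P *0 *R N*',
    'T\\E /EN"S} P)0_R \\N',
    'G ,RA _N N}Y } P %0 ~R |N \\',
    'P,0_ R .N PI ~C}T+U-R(E%S.',
    'TR %A *N #S S. E. X{UA`L P&0/R N_',
]

# First two are the normal subjects from the thread; the rest are
# constructed here to probe for false positives.
BENIGN = [
    "Unspaced title",
    "CAPITALLISED TITLE",
    "Hi Bob",
    "To Do List",
    "Q1 Q2 Results",
    "Meeting notes for Monday",
]


def rule(min_groups):
    """The thread's pattern with the minimum repeat count as a parameter."""
    return re.compile(r"([A-Z][^A-Z]{1,2}){%d,}" % min_groups)


def hits(min_groups, subjects):
    """Subjects the pattern matches anywhere (unanchored, like grep)."""
    rx = rule(min_groups)
    return [s for s in subjects if rx.search(s)]


def sweep(counts=(2, 3, 4)):
    """For each minimum count: (missed spam, benign subjects hit)."""
    report = {}
    for n in counts:
        caught = hits(n, SPAM)
        report[n] = ([s for s in SPAM if s not in caught], hits(n, BENIGN))
    return report


if __name__ == "__main__":
    for n, (missed, false_pos) in sweep().items():
        print(f"min groups {n}: missed spam={missed} benign hits={false_pos}")
```

At a minimum of 3 every quoted spam subject is caught, but the constructed subjects "To Do List" and "Q1 Q2 Results" match too, so the pattern is better given a low score or combined in a meta rule than scored heavily on its own.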