On Sun, Nov 27, 2011 at 9:40 AM, Kevin A. McGrail <[email protected]> wrote:
> On 11/27/2011 10:24 AM, Sergio wrote:
>
>>
>> I want to thank KAM for sharing his rules. I have learned a lot
>> looking at them, and thanks to that I have modified the rules that I had to
>> make them easier to work with. The arithmetic in the rules with the operand
>> "+" is working really nicely; I have joined a lot of rules and made them
>> active with ">=1", so if any of the rules in the group applies then the rule
>> is triggered.
>>
> You are welcome. As you can see, my focus with content-based rules is to
> try and use meta rules almost exclusively to minimize FPs.
>
>
>> With the porn rule that I have, it is working but it still lets spam of
>> this type pass. The score line that I wrote in the email had a typo that is
>> not in my working rule, and my major concern is garbled words like:
>>
>> S:C H #O+O L "G l, R%L P *0 *R N*
>> T\E /EN"S} P)0_R \N
>> S:C H #O+O L "G l, R%L P *0 *R N*
>> G ,RA _N N}Y } P %0 ~R |N \
>> P,0_ R .N PI ~C}T+U-R(E%S.
>> TR %A *N #S S. E. X{UA`L P&0/R N_
>>
>> What would be the best way to catch any type of garbled word?
>>
> Those could be hard because you can get some false positives pretty quickly.
>
> If this is JUST on the subject header, it might be ok to look at a rule
> like:
>
> P.{0,2}[0o].{0,2}R.{0,2}N.{0,2}
>
> That looks like it might hit on all the variants above but I wouldn't
> score it too high.
>
> The odd part is that I'm not really seeing these spams slipping through so
> I have very little corpora to compare. I usually hammer the sexually
> explicit spams pretty hard.
>
> I wonder if you need to invest more time in setting up some RBL tests?
> Are you using any RBLs right now?
>
> Regards,
> KAM
>
Yes, I use the usual RBLs including NEWSPAMHAUS; I have 4 RBLs in my
firewall. Also, I have collected 400 IPs that are blocked in my firewall.
I will give your definition a try and check how it works, thanks.
Sergio
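
An added example, not part of the thread or of KAM's rule set: it runs the suggested subject pattern, read as `P.{0,2}[0o].{0,2}R.{0,2}N.{0,2}`, over the obfuscated subjects quoted above and over constructed benign subjects to show the false-positive behaviour. The case-insensitive variant, the `noisy` sub-rule and its threshold are assumptions for illustration; combining the two sub-rules goes slightly beyond the thread, in the spirit of the meta-rule approach it describes.

```python
import re

# Pattern suggested in the thread, intended for the Subject header only.
OBFUSCATED = r"P.{0,2}[0o].{0,2}R.{0,2}N.{0,2}"

# Obfuscated subjects quoted in the thread (backslashes escaped for Python).
SPAM = [
    'S:C H #O+O L "G l, R%L P *0 *R N*',
    'T\\E /EN"S} P)0_R \\N',
    'G ,RA _N N}Y } P %0 ~R |N \\',
    'P,0_ R .N PI ~C}T+U-R(E%S.',
    'TR %A *N #S S. E. X{UA`L P&0/R N_',
]

# Constructed benign subjects (not from the thread).
HAM = [
    "IMPORTANT: server maintenance window",
    "Your support number is 48213",
    "New opportunity in Portland",
    "Quarterly report attached",
]


def hits(subjects, flags=0):
    """Return the subjects the pattern matches anywhere in the string."""
    rx = re.compile(OBFUSCATED, flags)
    return [s for s in subjects if rx.search(s)]


def noisy(subject, threshold=4):
    """Hypothetical second sub-rule: subject carries many punctuation characters."""
    return len(re.findall(r"[^\w\s]", subject)) >= threshold


def meta_hits(subjects, flags=0):
    """Meta-style combination: fire only when both sub-rules hit."""
    return [s for s in hits(subjects, flags) if noisy(s)]


if __name__ == "__main__":
    for label, flags in (("as written", 0), ("case-insensitive", re.IGNORECASE)):
        print(f"{label}: spam {len(hits(SPAM, flags))}/{len(SPAM)}, "
              f"ham {len(hits(HAM, flags))}/{len(HAM)}, "
              f"ham after meta {len(meta_hits(HAM, flags))}/{len(HAM)}")
```

Matched case-insensitively, the pattern alone also hits ordinary words such as "IMPORTANT", "support number" and "opportunity", which is why a rule like this is scored low or used only as one term of a meta rule.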