Mailing List Archive: SpamAssassin: users

FB_SOFTTABS [in 72_active.cf] suggestion


ned at unixmail

Oct 10, 2008, 9:40 AM


Hi,

I'm seeing quite a few spam lately with the string "S0ftTabs" (hits 134
spam (5.8%) in a spam corpus of 2300 from the last week).

This isn't detected by the current FB_SOFTTABS rule due to obfuscation
of the "o" with "0", but otherwise would be.

The current rule looks like:

body FB_SOFTTABS /\bsoft\s?t?abs\b/i
describe FB_SOFTTABS Phrase: Softabs

Would it be possible to test it with also detecting the obfuscation as I
don't believe that should hit any more ham than the current rule and
should increase detection for current spam. Maybe something like:

body FB_SOFTTABS /\bs(o|0)ft\s?t?abs\b/i
describe FB_SOFTTABS Phrase: Softabs

I don't know if it would also be worth checking (a|@) at the same time
although I see no hits against "t[at]bs" at present.

Also, being relatively new to this list, is it best to air suggestions
such as this here first for discussion or should I just go ahead and file
a bug report?

Regards,

Ned


jhardin at impsec

Oct 10, 2008, 10:19 AM

Re: FB_SOFTTABS [in 72_active.cf] suggestion

On Fri, 10 Oct 2008, Ned Slider wrote:

> Would it be possible to test it with also detecting the obfuscation as I
> don't believe that should hit any more ham than the current rule and should
> increase detection for current spam. Maybe something like:
>
> body FB_SOFTTABS /\bs(o|0)ft\s?t?abs\b/i
> describe FB_SOFTTABS Phrase: Softabs
>
> I don't know if it would also be worth checking (a|@) at the same time
> although I see no hits against "t[at]bs" at present.

Is there some reason this doesn't use replacetags?

body FUZZY_SOFTTABS /\b<S><O><F><T><SP>?<T>?<A><B><S>\b/i
describe FUZZY_SOFTTABS Attempt to obfuscate words in spam
replace_rules FUZZY_SOFTTABS

It looks like there's a lot of FB_ rules that could benefit from
replacetags - is there some reason SA isn't relying more heavily on it?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin[at]impsec.org FALaholic #11174 pgpk -a jhardin[at]impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We have to realize that people who run the government can and do
change. Our society and laws must assume that bad people -
criminals even - will run the government, at least part of the
time. -- John Gilmore
-----------------------------------------------------------------------
25 days until the Presidential Election
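
Added example (not part of either post, and not SpamAssassin code): a Python harness that runs the current rule, the proposed rule and a simplified expansion of the replace-tag rule over constructed sample lines, then tallies spam and ham hits per rule. The character classes in TAGS, the expand() helper and the sample lines are assumptions made for illustration; SpamAssassin's shipped tag definitions are not reproduced here.

```python
import re

# Rules quoted from the first post (current and proposed FB_SOFTTABS).
CURRENT = re.compile(r"\bsoft\s?t?abs\b", re.I)
PROPOSED = re.compile(r"\bs(o|0)ft\s?t?abs\b", re.I)

# Constructed stand-ins for replace tags (assumption: SpamAssassin's shipped
# tag definitions differ and are not reproduced here).
TAGS = {
    "S": "[s5]", "O": "[o0]", "F": "f", "T": "[t7+]",
    "A": "[a@4]", "B": "[b8]", "SP": r"[\s._-]",
}

def expand(pattern):
    """Swap each <TAG> for its character class (simplified tag expansion)."""
    return re.sub(r"<([A-Z]+)>", lambda m: TAGS[m.group(1)], pattern)

# Rule body from the second post, expanded with the stand-in tags.
FUZZY = re.compile(expand(r"\b<S><O><F><T><SP>?<T>?<A><B><S>\b"), re.I)

RULES = (("current", CURRENT), ("proposed", PROPOSED), ("fuzzy", FUZZY))

# Constructed sample lines: (label, text).
SAMPLES = [
    ("spam", "Buy SoftTabs online today"),
    ("spam", "Cheap S0ftTabs here"),
    ("spam", "s0ft t@bs shipped fast"),
    ("ham", "Microsoft tabs in the editor"),
    ("ham", "Use soft tabs, not hard tabs, in your editor"),
]

def hits(text):
    """Return the names of the rules that fire on one line of body text."""
    return [name for name, rx in RULES if rx.search(text)]

def tally(samples=SAMPLES):
    """Count spam and ham hits per rule, as a mass-check run would report."""
    counts = {name: {"spam": 0, "ham": 0} for name, _ in RULES}
    for label, text in samples:
        for name in hits(text):
            counts[name][label] += 1
    return counts

if __name__ == "__main__":
    for label, text in SAMPLES:
        print(f"{label:4} {text!r:50} {hits(text)}")
    print(tally())
```

On these constructed lines the ham count is the same for all three rules, while the spam count rises from the current rule to the proposed one to the tag-based one.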
