Mailing List Archive

Help with rule

I'm trying to flag a type of spam that seems to be slipping through with
a very low score.

The common factor is that all of the messages have something like:

Just type www [.] pillking [.] org
Just type <FONT color=#ff0000>www</FONT> [.]
<STRONG><FONT color=#ff0000>pillking</FONT></STRONG> [.] <FONT
color=#ff0000>org</FONT></FONT>

Just type www [dot] pilldoc [dot] org

I suspect a rule that looks for "www*pill*org" would work. How do I turn
that into a regex?


--

Steve
Re: Help with rule
On Tue, 10 Apr 2007, Steven Stern wrote:

> Just type www [.] pillking [.] org
> Just type <FONT color=#ff0000>www</FONT> [.]
> <STRONG><FONT color=#ff0000>pillking</FONT></STRONG> [.] <FONT
> color=#ff0000>org</FONT></FONT>
>
> Just type www [dot] pilldoc [dot] org
>
> I suspect a rule that looks for "www*pill*org" would work. How do I turn
> that into a regex?

Perhaps something like:

body OBFUSC_PILL_URI /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the business of government to make men virtuous or
religious, or to preserve the fool from the consequences of his own
folly. -- Henry George
-----------------------------------------------------------------------
3 days until Thomas Jefferson's 264th Birthday
Re: Help with rule
Steven Stern wrote:
> I suspect a rule that looks for "www*pill*org" would work. How do I turn
> that into a regex?

Basic: /www.*pill.*org/
Slightly optimized: /www.{1,30}pill.{1,30}org/

. matches any character.
* means anywhere 0 or more of the preceding item, so
.* matches 0 or more of any character.
{X,Y} means anywhere from X to Y of the preceding item.

You don't want to use .* in a SA rule, though, because if it matches
"www" it'll keep looking for a long time until it finds "pill" or runs
out of text to look at. .{1,30} will match 1 to 30 of any character in
a row, so if it finds "www" it will only look through 30 characters for
"pill".

You can also make it more specific, matching things only at word
boundaries, etc.

There's a good tutorial and reference at www.regular-expressions.info --
one of the few legit .info names I've seen.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: Help with rule
On Tue, 10 Apr 2007, John D. Hardin wrote:

> On Tue, 10 Apr 2007, Steven Stern wrote:
>
> > Just type www [.] pillking [.] org
> > Just type <FONT color=#ff0000>www</FONT> [.]
> > <STRONG><FONT color=#ff0000>pillking</FONT></STRONG> [.] <FONT
> > color=#ff0000>org</FONT></FONT>
> >
> > Just type www [dot] pilldoc [dot] org
> >
> > I suspect a rule that looks for "www*pill*org" would work. How do I turn
> > that into a regex?
>
> Perhaps something like:
>
> body OBFUSC_PILL_URI /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

Actually, body matches strip out HTML markup so you could tighten it
up a bit:

body OBFUSC_PILL_URI /\bwww\b.{3,10}\bpill.{3,15}\borg\b/i

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Think Microsoft cares about your needs at all?
"A company wanted to hold off on upgrading Microsoft Office for a
year in order to do other projects. So Microsoft gave a 'free' copy
of the new Office to the CEO -- a copy that of course generated
errors for anyone else in the firm reading his documents. The CEO
got tired of getting the 'please re-send in XX format' so he
ordered other projects put on hold and the Office upgrade to be top
priority." -- Cringely, 4/8/2004
-----------------------------------------------------------------------
3 days until Thomas Jefferson's 264th Birthday
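To see how the regexes in this thread behave, here is an added example (not code from the thread or from SpamAssassin) that runs John's tightened OBFUSC_PILL_URI rule and Kelson's looser /www.{1,30}pill.{1,30}org/ against the three obfuscated lines Steve quoted and two constructed non-spam lines. It assumes body rendering can be approximated by stripping HTML tags and collapsing whitespace; Python's re engine handles this regex syntax the same way Perl does.

```python
import re

# Approximation (an assumption for this example) of what SpamAssassin
# does before a "body" rule runs: remove HTML tags, collapse whitespace.
TAG_RE = re.compile(r"<[^>]+>")

def render_body(raw: str) -> str:
    text = TAG_RE.sub("", raw)
    return re.sub(r"\s+", " ", text).strip()

# John Hardin's tightened rule and Kelson Vibber's "slightly optimized"
# one, both as quoted in the thread.
OBFUSC_PILL_URI = re.compile(r"\bwww\b.{3,10}\bpill.{3,15}\borg\b", re.IGNORECASE)
LOOSE_PILL_URI = re.compile(r"www.{1,30}pill.{1,30}org", re.IGNORECASE)

# Constructed samples: the three obfuscated forms from the thread plus
# two non-spam lines that mention "www", "pill" and "org" legitimately.
SAMPLES = {
    "plain": "Just type www [.] pillking [.] org",
    "html": ("Just type <FONT color=#ff0000>www</FONT> [.]\n"
             "<STRONG><FONT color=#ff0000>pillking</FONT></STRONG> [.] <FONT\n"
             "color=#ff0000>org</FONT></FONT>"),
    "dot_word": "Just type www [dot] pilldoc [dot] org",
    "ham_far": "See www.example.org for the pill study results",
    "ham_host": "Our site is www.pillarbox.org",
}

def matches(rule: re.Pattern, raw: str) -> bool:
    return rule.search(render_body(raw)) is not None

def classify(rule: re.Pattern) -> dict:
    """Return {sample name: hit?} for one rule over all samples."""
    return {name: matches(rule, raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    # The {3,10} lower bound means a plain "." between www and pill does
    # not satisfy the tightened rule, so "www.pillarbox.org" is left
    # alone; the looser rule without word boundaries hits it.
    for label, rule in (("OBFUSC_PILL_URI", OBFUSC_PILL_URI),
                        ("loose", LOOSE_PILL_URI)):
        print(label, classify(rule))
```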
Re: Help with rule
On Tue, Jun 06, 2023 at 12:12:10AM -0400, Bill Cole wrote:
>
> Escape the @ with a \
> SA uses Perl, so you need to escape %, @, and $ in regular expressions.

Perl regular expressions does not mean it's parsed as Perl code, no need to
quote such things on any remotely modern SA version.
Re: Help with rule
On 2023-06-06 at 01:32:14 UTC-0400 (Tue, 6 Jun 2023 08:32:14 +0300)
Henrik K via users <hege@hege.li>
is rumored to have said:

> On Tue, Jun 06, 2023 at 12:12:10AM -0400, Bill Cole wrote:
>>
>> Escape the @ with a \
>> SA uses Perl, so you need to escape %, @, and $ in regular
>> expressions.
>
> Perl regular expressions does not mean it's parsed as Perl code,

Correct, but for some time in the past, rule regexes were treated as
double-quoted strings. The artifacts of that history remain in the
default rules channel.

> no need to
> quote such things on any remotely modern SA version.

I stand corrected. Clearly I did not notice this improvement when it
happened.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire