How to search the whole body - SpamAssassin

This is a discussion on How to search the whole body - SpamAssassin ; Hi all, relaxing from my hassle with the new machine.... I'd like to set up a rule catching multiple dollar-signs in a message, I don't see any other way to catch those heavily "encrypted" pill-emails like this: C A aN ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: How to search the whole body

  1. How to search the whole body


    Hi all,

    relaxing from my hassle with the new machine....

    I'd like to set up a rule catching multiple dollar-signs in a message, I
    don't see any other way to catch those heavily "encrypted" pill-emails like
    this:

    C A aN A DvAN P c cH A RM A oCY

    VzA zG _RA - $1.48
    C 9a A L u S - $2.24
    S0 O M A - $0.65

    My idea was to ring the bell, when the dollar-sign appears more than four
    times in a single email. As a bayes_00 rule marks it with a -2.5 score I am
    clueless what else to do about them. /\${3,}/ oviously won't work


    TIA

    P.
    --
    View this message in context: http://www.nabble.com/How-to-search-...p19392593.html
    Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


  2. Re: How to search the whole body

    Hi Patrick,

    > relaxing from my hassle with the new machine....
    >
    > I'd like to set up a rule catching multiple dollar-signs in a message, I
    > don't see any other way to catch those heavily "encrypted" pill-emails like
    > this:
    >
    > C A aN A DvAN P c cH A RM A oCY
    >
    > VzA zG _RA - $1.48
    > C 9a A L u S - $2.24
    > S0 O M A - $0.65
    >
    > My idea was to ring the bell, when the dollar-sign appears more than four
    > times in a single email. As a bayes_00 rule marks it with a -2.5 score I am
    > clueless what else to do about them. /\${3,}/ oviously won't work


    I am not a real expert in SA rules but what about

    body RULE_NAME /(?:\$.{0,100}){3,}/

    Untested! The number of 0 respectively max. 100 characters between the
    dollar-signs is a little bit arbitray. Also it may be meaningful to
    restrict the type of the arbitrary characters. For "more than four"
    matches within the body (as required in your text) replace 3 by 5.

    Greetings

    Jens

    --
    T-Systems Solutions for Research GmbH
    Solutions & Innovations Commercial ICT, Internet- & Intranet-Appl.
    Dr. Jens Schleusener
    Bunsenstr. 10, D-37073 Göttingen
    +49 551 709-2493 (Tel.)
    +49 551 709-2169 (Fax)
    E-Mail: Jens.Schleusener@t-systems.com
    Internet: http://www.t-systems.com

+ Reply to Thread