body AE_MEDS35 /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 6.00
I'm using:
body OBFU_URI_WWDD_2
/\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|os?rs?g)\b/i
score OBFU_URI_WWDD_2 3.2
describe OBFU_URI_WWDD_2 Body contains www . shop75 . net
Which is the preferred? I'm noticing it isn't now catching "www. ca35. net". I'm not knowledgeable enough about perl to fix this. Suggestions please?
Thanks,
Alex
