Page 60 - Mercury Manual.book

Content Control
Mercury's Content Control Filtering Language




                  Example:   If Test "HTMLComments 20" weight 51

               Garbage  This test simply counts the number of characters in the message that are not
               standard ASCII characters: if the percentage of non-ASCII characters is higher than the
               value you specify, the test will trigger. This test is an almost infallible way of detecting
               Russian and Asian spam, but you will need to be careful if you receive legitimate mail from
               these regions (we recommend whitelisting senders who might need to send you messages like
               this). The parameter to this test is a percentage value of the whole message that must be
               non-ASCII before a trigger occurs.

                  Example:   If Test "Garbage 25" weight 51

               Other arbitrary tests may be added in future versions of Mercury/32.

               Negating and linking tests (NOT, AND and OR operators)  You can negate a test by using
               IFNOT instead of IF: similarly, you can link multiple tests together by using AND, ANDNOT,
               OR or ORNOT instead of IF in each test following the first.

               Substring matching vs Regular expressions  Any test that uses the CONTAINS keyword to
               perform a substring search does a simple string search instead of a regular expression
               match: this is a little faster and a little easier to understand than the regular-expression
               based versions of the rules. Note that CONTAINS tests are completely literal - no regular
               expression matching of any kind occurs. CONTAINS tests are always case-insensitive - so,
               the strings "foo" and "FOO" are identical as far as a CONTAINS test is concerned.

               Detecting obfuscated text   A common trick in spam is to embed unusual characters in words
               that commonly trigger anti-spam routines - like "vi@gra", or "pen1s"; indeed, this technique
               is now becoming so pervasive that Mercury includes a special keyword just to handle it.
               When defining HAS, HASALL or CONTAINS rules, you can add the keyword OBFUSCATED
               (you can abbreviate this to OB if you wish) before the WEIGHT keyword in the rule - like this:

                  IF SUBJECT CONTAINS "viagra" OBFUSCATED WEIGHT 51

               This rule will detect any of the following words in the subject line of a message: "viagra",
               "v-i-a-g-r-a", "vi@gra", "V 1 -@- G R A" or even "_v$1&@(G*r*A".

               If you want to test for a phrase when using the OBFUSCATED keyword, you must enter the
               phrase in the rule without spaces: so, if you wanted to check for any obfuscated version of
               the phrase "increase the length of", you would have to enter it like this:

                  IF CONTENT CONTAINS "increasethelengthof" OB WEIGHT 51

               Note that you cannot use the OBFUSCATED keyword on a MATCHES test - if you do, Mercury
               will simply ignore the keyword and match using the expression you provide.

               CAUTION  You should exercise a certain amount of caution when using obfuscated tests,
               because there is a slightly increased risk of false positive matching (i.e., having two
               adjacent words which, while harmless on their own, add together to form a trigger word).
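
The matching behaviour described in this section, sketched in Python as an added example (it is not Mercury's code and does not come from the manual). The look-alike table and the limit of three filler characters between letters are assumptions, and the "casino" sentence is constructed to show the adjacent-word false positive the caution describes.

```python
import re

# Assumed look-alike table; Mercury's real substitution rules are not given in the manual.
LOOKALIKES = {"a": "a@4", "e": "e3", "i": "i1!|", "o": "o0", "s": "s5$"}
# Assumed cap on filler characters between two letters (keeps regex backtracking cheap).
MAX_NOISE = 3


def obfuscated_pattern(phrase):
    """Compile a regex matching `phrase` with look-alikes and filler between letters."""
    classes = []
    for ch in phrase.lower():
        if ch.isspace():
            continue  # the manual: phrases are entered in the rule without spaces
        classes.append("[" + re.escape(LOOKALIKES.get(ch, ch)) + "]")
    if not classes:
        raise ValueError("empty phrase would match every message")
    noise = "[^a-z0-9]{0,%d}" % MAX_NOISE  # anything that is not a letter or digit
    return re.compile(noise.join(classes))


def contains_literal(text, phrase):
    """Plain CONTAINS: case-insensitive literal substring search."""
    return phrase.lower() in text.lower()


def contains_obfuscated(text, phrase):
    """CONTAINS ... OBFUSCATED, approximated with the assumptions above."""
    return obfuscated_pattern(phrase).search(text.lower()) is not None


# Variants listed in the manual for the "viagra" rule.
MANUAL_VARIANTS = ["viagra", "v-i-a-g-r-a", "vi@gra", "V 1 -@- G R A", "_v$1&@(G*r*A"]
# Constructed sentence: "basiC AS I NOted" spells a trigger word across harmless words.
FALSE_POSITIVE = "This is as basic as I noted earlier."

if __name__ == "__main__":
    for subject in MANUAL_VARIANTS:
        print(repr(subject), contains_literal(subject, "viagra"),
              contains_obfuscated(subject, "viagra"))
    print(contains_obfuscated("Increase the length of your stay", "increasethelengthof"))
    print(contains_literal(FALSE_POSITIVE, "casino"),
          contains_obfuscated(FALSE_POSITIVE, "casino"))
```
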

               Tags  Any rule can have a Tag, or a name used to describe it: the tag is used by Mercury when
               you have told it to construct a diagnostic header for messages, and is useful when the test that
               the rule is performing is either very verbose or very obscure, or when the actual text of the
               rule may contain offensive material.