bigio commented Oct 24, 2025

No description provided.

fkoyer commented Oct 24, 2025

Can you provide an example email? Is this format used in legitimate emails?

@jhardin-impsec

Are there any valid ten-digit phone number formats or cultures where an underscore is allowed or expected as a separator? I would think that using an underscore as a separator is likely an attempt to obfuscate a phone number against naïve pattern matching because a dash is much more likely.

I've seen periods as separators fairly frequently, might also want to work in exclusion of \d{3}\.\d{3}\.\d{4}

As long as we're modifying this rule, I'd suggest that the + and * should be replaced with bounded repetition counts like {1,30} and {,30} to avoid runaway backtracking failures or overly-aggressive false detection of things that don't even look like a phone number.

bigio commented Oct 25, 2025

> Can you provide an example email? Is this format used in legitimate emails?

The phone number is of the format 111-111_1111, found on a legitimate email message, probably a typo.

@jhardin-impsec

Was the use of this meta in scored rules that hit sufficient to push the message score spammy?

bigio commented Oct 26, 2025

> Was the use of this meta in scored rules that hit sufficient to push the message score spammy?

The rule was not enough to push the message score high enough, but it warns me since I am working on more similar rules.

fkoyer commented Oct 26, 2025

__MXG_PHONE_OBFU is a subtest rule so it doesn't contribute to the score at all unless it's used in a meta rule. I would not suggest using it to block messages by itself. There will be false positives due to typos but also if you are using the ExtractText plugin to extract text from images there will be false positives because the OCR software sometimes incorrectly recognizes a zero as the letter O or a one as the letter I.

Regardless, I can't accept your change because it fires on many legitimate numbers including:

  • (123) 123 1234
  • 123.123.1234

use bounded repetition counts
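
An added example, not part of this pull request or of the SpamAssassin rule set, showing the two suggestions from the thread together: bounded repetition counts and exclusion of the legitimate layouts named above. The pattern, the `find_obfuscated` name, and the treatment of dash-only numbers as legitimate are assumptions.

```python
import re

# Hypothetical pattern for illustration; this is NOT the __MXG_PHONE_OBFU regex.
# Ten digits grouped 3-3-4, each gap filled by 1 to 3 separator characters.
# The bounded {1,3} (instead of +) caps how far the engine can backtrack and
# stops long punctuation runs from being read as a phone number.
SEP = r"[\s._()-]{1,3}"
CANDIDATE = re.compile(
    r"(?<!\d)\(?\d{3}" + SEP + r"\d{3}" + SEP + r"\d{4}(?!\d)"
)

# Layouts excluded from detection.
LEGIT_LAYOUTS = [
    re.compile(r"\(\d{3}\) \d{3} \d{4}"),  # (123) 123 1234, from the thread
    re.compile(r"\d{3}\.\d{3}\.\d{4}"),    # 123.123.1234, from the thread
    re.compile(r"\d{3}-\d{3}-\d{4}"),      # assumption: plain dashes are normal
]


def find_obfuscated(text):
    """Return phone-like strings whose separators fit no legitimate layout."""
    hits = []
    for match in CANDIDATE.finditer(text):
        number = match.group(0)
        if not any(p.fullmatch(number) for p in LEGIT_LAYOUTS):
            hits.append(number)
    return hits


# Constructed sample lines built around the numbers quoted in the thread.
SAMPLES = [
    "Reach us at 111-111_1111.",
    "Call (123) 123 1234 today",
    "Fax: 123.123.1234",
    "123" + "_" * 40 + "123_1234",  # long separator run, not a phone number
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line[:30]), "->", find_obfuscated(line))
```

The mixed-separator number 111-111_1111 is still reported, which is the typo-driven false positive described in the thread, so a check like this belongs in a meta rule rather than being scored on its own.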