BODY 15 PCRE (http://.{3,60}(\.com\.).{3,60}?(\.[a-z]{2,4}/))
This is a regular expression. This is a little more complicated than a straight filter but essentially I am looking for any URL that has a .com in the middle and then ends with a different domain extension. It will match on this: http://session-2825275860.nationalcity.com.juuje.io/ If you had to do a standard filter I would do something like: BODY 5 CONTAINS http://session- BODY 10 CONTAINS .io/ Some examples of matches (not sure of the levels on FP's yet) 05/15/2007 15:06:57.587 23622263 Triggered BODY PCRE filter FILTER-PHISH : http://session-401758.nationalcity.com.bigj.at/ 05/15/2007 15:16:09.618 23622319 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-64236.regions.com.usersetup.cn/ 05/15/2007 16:15:39.587 23622721 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-0330189132.regions.com.usersetup.tw/ 05/15/2007 16:20:45.383 23622746 Triggered BODY PCRE filter FILTER-PHISH : http://session-10067.nationalcity.com.portfast.cn/ 05/15/2007 16:37:59.774 23622859 Triggered BODY PCRE filter FILTER-PHISH : http://interactsession-644893.regions.com.usersetup.io/ 05/15/2007 16:56:21.071 23622995 Triggered BODY PCRE filter FILTER-PHISH : http://session-8434556.nationalcity.com.05server.cn/ David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
