> -----Original Message-----
> From: Bill Larson
> Sent: Friday, December 19, 2003 9:31 AM
>
> Comments and suggestions on this rule are appreciated.
>
> full LOCAL_IEREDIR /[EMAIL PROTECTED](\/|htm|html|php|shtml)?/
> score LOCAL_IEREDIR 150
> describe LOCAL_IEREDIR Possible phishing/URL Masking attempt detected.
Too general, I think. I tried the following:
perl -ne 'print if
s/^.*([EMAIL PROTECTED](\/|htm|html|php|shtml)?).*$/$1/' $MAIL
where $MAIL is my (99.9% ham) inbox with 635 messages. This came up with
seven hits (which of course doesn't count base64 encoded attachments and
such). Things like:
http://go.reachmail.biz/email_forward.asp?spool_id=24173&from_email=gary%40i
ntrepid%2Ecom">[Click here to forward this message to a
friend]</a></font><br><br><table bgcolor="#FFFFFF" cellpadding="2"
width="100%"><tr><td><font face="Arial,Helvetica" size="2"
color="#666666">You are subscribed to this list as <b>gary@
Note that the pattern as I rewrote it will print only the part of each line
that
matched, and that this pattern matches on much more than just the URL
embedded in
the line.
-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
