Dear Shane,

Have you had a look at the uri_detail plugin? You should find interesting info there:

perldoc Mail::SpamAssassin::Plugin::URIDetail

I guess you should be able to do what you want with this plugin. But I rarely use it, so I can't help you further.

In order to catch those mismatches that you mention, I rather use the phish sigs from ClamAV, which is very convenient to use.

https://www.clamav.net/documents/phishsigs

Lastly, as Bill Cole mentioned, you will have a lot of false positives. You should curate a list of commonly abused URIs and only try to catch those. There are too many ESPs rewriting links (for tracking purposes)... There are even banks using those ESPs...

Best,
Laurent

On 15.07.20 00:02, Shane Williams wrote:
>
> I'm looking to detect a mismatch between the domain in the href
> property of a URI and a domain in the anchor text itself. It seems
> like this is the right place for a negative lookbehind, and I don't
> mind writing my own rule, but I can't help thinking that this has been
> solved already. Searching the list for lookbehind comes up with a
> couple of instances of people getting errors (about a variable length
> lookbehind), but I'm not finding anything like what I'm looking for.
>
> Does anyone have a sample rule for this, or other suggestions on how
> to detect this in SA (maybe a plugin)?
>
> --
> Public key #7BBC68D9 at            | Shane Williams
> http://pgp.mit.edu/                | System Admin - UT CompSci
> =----------------------------------+-------------------------------
> All syllogisms contain three lines | sha...@shanew.net
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
>
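
An added example, not part of the original messages and not SpamAssassin or ClamAV code: the href versus anchor-text comparison discussed in this thread, written in Python and limited to a curated watchlist so that ordinary ESP tracking links do not trigger it. The watchlist, the domain names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed watchlist: displayed domains worth checking, each mapped to the
# link targets its genuine mail may use (its own domain plus an ESP tracker).
WATCHLIST = {"bank.example": {"bank.example", "click.esp.example"}}
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

# Constructed sample body: ESP-tracked link, mismatched link, two benign links.
SAMPLE = (
    '<a href="https://click.esp.example/t/abc">www.bank.example</a>'
    '<a href="http://login.unrelated.example/">https://www.bank.example/login</a>'
    '<a href="https://news.example/">news.example</a>'
    '<a href="https://other.example/">Click here</a>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def href_host(href):
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed href, e.g. unbalanced IPv6 brackets
        return ""

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def find_mismatches(html):
    """Return (displayed domain, real host) for watched domains only."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        host = href_host(href)
        for shown in DOMAIN_IN_TEXT.findall(text.lower()):
            for brand, allowed in WATCHLIST.items():
                if under(shown, brand) and not any(under(host, a) for a in allowed):
                    hits.append((shown, host))
    return hits
```
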