Jeff Chan wrote:
Is there an SA rule to detect URIs that have ridiculously large numbers of subdomain levels? If not, perhaps it could be useful (perhaps even more useful than wildcard DNS). Note that it may not be feasible to resolve domains found in message body URIs to even detect wildcards.
It's easy enough to write one - I've been using a rule here for months that triggers on 6 or more levels (5 levels gave too many FPs). It hit up to 2.5% of my spam six months ago, though that rate has dropped to about 1.2% in recent months.
John.

--
Over 2500 webcams from ski resorts around the world - www.snoweye.com
Translate your technical documents and web pages - www.tradoc.fr
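The check described in the reply above, sketched as an added example (this is not John's rule, which the post does not show). It assumes a "level" means one dot-separated label of the URI host; the function names and the sample body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: a "level" is one dot-separated label of the URI host name,
# so a1.b2.c3.d4.example.com has 6 levels. The post does not define the term.
MIN_LEVELS = 6  # threshold from the post; 5 levels gave too many FPs there

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_levels(uri):
    """Return the number of labels in the URI host, or 0 if it is not a DNS name."""
    try:
        host = urlsplit(uri).hostname  # drops userinfo and port
    except ValueError:                 # malformed authority such as "http://[bad"
        return 0
    if not host or ":" in host or IPV4_RE.fullmatch(host):
        return 0                       # empty host, IPv6 literal or dotted quad
    # Ignore empty labels so a trailing dot ("example.com.") adds nothing.
    return len([label for label in host.split(".") if label])


def deep_uris(body, min_levels=MIN_LEVELS):
    """Return (uri, levels) for each body URI whose host has >= min_levels labels."""
    hits = []
    for uri in URI_RE.findall(body):
        levels = host_levels(uri)
        if levels >= min_levels:
            hits.append((uri, levels))
    return hits


# Constructed sample message body (reserved example domains only).
SAMPLE_BODY = """\
Visit http://www.example.com/offer today.
Mirror: http://cdn.static.example.co.uk/img.png
Click http://a1.b2.c3.d4.e5.example.com/unsub?id=1
Login at http://user@x.y.z.q.r.s.example.net:8080/ now.
Raw host http://192.0.2.10/a.b.c.d.e.f.g/index.html
"""

if __name__ == "__main__":
    for uri, levels in deep_uris(SAMPLE_BODY):
        print(levels, uri)
```

Only the host is counted, so dots in the path and the dotted-quad address are ignored; the constructed `co.uk` mirror has 5 labels and is flagged only when the threshold is lowered to 5.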