I wrote these rules last week that stop em fast, even before the URIBL's kick in.
# This will fire if 2 or more are found rawbody __DRUGS268A /^V$/i rawbody __DRUGS268B /^I$/i rawbody __DRUGS268C /^C$/i rawbody __DRUGS268D /^E$/i rawbody __DRUGS268E /^33$/i rawbody __DRUGS268F /^\=20$/i meta DRUGS268 (( __DRUGS268A + __DRUGS268B + __DRUGS268C + __DRUGS268D + __DRUGS268E + __DRUGS268F) > 1) score DRUGS268 105.5 describe DRUGS268 Disguised Drug Message rawbody URL52 /\.....\.org\/(?:..|...)\//i score URL52 6.5 describe URL52 Short Drug URL rawbody URL52a /\......\.org\/(?:..|...)\//i score URL52a 6.5 describe URL52a Short Drug URL rawbody URL52b /\.......\.org\/(?:..|...)\//i score URL52b 6.5 describe URL52b Short Drug URL rawbody URL52c /\........\.org\/(?:..|...)\//i score URL52c 6.5 describe URL52c Short Drug URL
