On Mon, 2008-11-10 at 10:11 -0800, dave128 wrote: > the e-mail servers are always different, as are the addresses at the bottom. > the only real "pattern" I can see is that the SPAM always includes > references like this: > > http://fsbonh.com/MxAGpeMvMAvGivpYpYpYexvAiMHOGp > > so each message includes a few references to similar URLs, with slightly > different keys after the domain. the form is like this: > > http://{domain}/{31-character encoded key, mixed upper and lower case > alpha characters} > > has anyone seen this type of spam? is there some way of defining a rule to > add a weight for this?
uri MIXEDCASE_URI_31 /\/\w{31}\b/
score MIXEDCASE_URI_31 2
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
signature.asc
Description: This is a digitally signed message part
