MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
>
<snip - URI that verizon won't let me send>
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?
>
This rule should detect 10 consecutive occurrences.
uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10}
I do think that 4-in-a-row might be pretty common (ie: IP addresses),
but 10 in a row seems unlikely.
Warning: I wrote this quickly without too much thought. It may have
bugs, but I'm short on time at the moment.
