> So my rule:
> # hotmail drug spam
> uri MY_HOTMAIL_SPAM
> m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
> describe MY_HOTMAIL_SPAM Druggy hotmail.com links
> score MY_HOTMAIL_SPAM 5.0
>
> And running emails through it using -D, it does not hit it as far as
> I can tell - scores 3.5 due to other tests.
> Yes, it IS reading it cause if I mess with the rule and make it have
> bad syntax, SA --lint complains loudly. Right now, no complaints -
> and no results.
> Any ideas? Suggestions?
//{1,30} matches a slash, followed by 1-30 more slashes.
\.{1,30} matches 1-30 periods.
I think you forgot a \S or something before each of those. Also,
[0-9]{4} would do what you want for numeric component. And I think you
want the i *after* the bracket, no?
Mike.
