John Hardin wrote:
On Wed, 3 Nov 2010, Kris Deugau wrote:
DNSBLs are pretty much useless, since the message *was* legitimately
relayed in from Hotmail.
A couple of times I've seen enough examples with similar enough URLs
to create a uri rule something like:
uri MISC_INFO m|https?://rita..sa..ly\.info/?$|
but the latest batch vary too much.
You're trying to be too selective. How often do you receive a
_legitimate_ email from hotmail referring to a .info website?
Try a meta combining "from hotmail" (or from _any_ freemail domain) with
a uri containing m|://[^/]+\.info/|i
This is correct. The rule would need to address the fact that they do
change the url and we are seeing a lot of this. I created a metarule for
these cases.
