Not relevant to the subject. We're talking about where somebody is maliciously making you think you're clicking on "www.youtube.com" when in fact you're clicking on "www.ILikeSpam.com".
Somebody linking to one domain with an image hosted on another domain has plenty of possibility to be legit. You could do it. You're welcome to try. Maybe it'll even hit a usefully larger percentage of spam than ham. But it's not what we've been talking about. On 10/14, Christian Grunfeld wrote: > you should be able to check against img src content, right? > > > 2011/10/14 Christian Grunfeld <[email protected]>: > > and what about when there is no anchor text in the link ? eg. paypal > > image button > > > > > > 2011/10/14 <[email protected]>: > >> Existing rule: > >> > >> rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# > >> ]{8,29}[^>"'\# > >> :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i > >> > >> > >> How about this, to only check for a changed domain part instead? > >> > >> rawbody SPOOFED_URL_DOMAIN > >> /<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:\/\/?[^\/>"'\# > >> ]{8,29})[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i > >> > >> It matches this: > >> > >> <a href="http://www.chaosreigns.com/";>http://www.example.com</a> > >> > >> But does not match this (example from actual non-spam): > >> > >> <a > >> href="http://www.jr.com/tracking?ord_q_num=105725494&ord_q_zip=03076";>http://www.jr.com/tracking</a> > >> > >> > >> A very simplified form of this new one: > >> > >> rawbody SPOOFED_URL_DOMAIN /<a > >> href="(https?:\/\/[^\/">]+)[^>]*>(?!\1)http/i > >> > >> That "(?!\1)" bit is nice and fancy. It means "not what was in the first > >> set of parentheses). In the perlre man page: "A zero-width negative > >> look-ahead assertion." > >> > >> -- > >> "Every normal man must be tempted at times to spit upon his hands, > >> hoist the black flag, and begin slitting throats." > >> - Henry Louis Mencken (1880-1956) > >> http://www.ChaosReigns.com > >> > > > -- "Every normal man must be tempted at times to spit upon his hands, hoist the black flag, and begin slitting throats." - Henry Louis Mencken (1880-1956) http://www.ChaosReigns.com
