On 14.10.11 18:07, dar...@chaosreigns.com wrote:
Existing rule:

rawbody  __SPOOFED_URL  m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i


How about this, to only check for a changed domain part instead?

rawbody SPOOFED_URL_DOMAIN /<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:\/\/?[^\/>"'\# ]{8,29})[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i

It matches this:

 <a href="http://www.chaosreigns.com/">http://www.example.com</a>

But does not match this (example from actual non-spam):

 <a href="http://www.jr.com/tracking?ord_q_num=105725494&ord_q_zip=03076">http://www.jr.com/tracking</a>


A very simplified form of this new one:

rawbody SPOOFED_URL_DOMAIN /<a href="(https?:\/\/[^\/">]+)[^>]*>(?!\1)http/i

That "(?!\1)" bit is nice and fancy.  It means "not what was in the first
set of parentheses."  In the perlre man page: "A zero-width negative
look-ahead assertion."

Very nice; however, due to these and other circumstances mentioned, I think that a plugin would be better, since it could define where to skip the host name (and up to which level) and, e.g., it could define whitelists: who can spoof whom, e.g. which mail company may "spoof" which bank.

However, until then, this should still be worth trying.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
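The two rawbody rules quoted above, transcribed into Python as an added example (not code from the thread or from SpamAssassin itself) so the difference between them can be checked against the spoofed anchor and the jr.com tracking link from the message; the qp_nested and qp_spoof anchors are constructed here to show the quoted-printable "href=3D" and nested-tag parts of the pattern, and captured_href is a helper name assumed for this example.

```python
import re

# Both rules from the thread, transcribed from Perl m/.../i into Python re
# syntax. The pattern bodies are unchanged; Python's re also accepts a
# backreference inside a negative lookahead, so (?!\1) carries over as-is.

# Existing rule: captures the scheme plus 9-30 characters of the URL, path included.
SPOOFED_URL = re.compile(
    r'<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"\'\# ]{8,29}[^>"\'\# :\/?&=])'
    r'[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}'
    r'(?!\1)https?[^\w<]{1,3}[^<]{5}',
    re.IGNORECASE,
)

# Proposed rule: the capture stops at the first "/" after the host, so only
# the scheme and host part is compared against the visible link text.
SPOOFED_URL_DOMAIN = re.compile(
    r'<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:\/\/?[^\/>"\'\# ]{8,29})'
    r'[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}'
    r'(?!\1)https?[^\w<]{1,3}[^<]{5}',
    re.IGNORECASE,
)

# Constructed sample anchors; the first two are the ones quoted in the thread.
SAMPLES = {
    # visible text names a different site than the href: the spoof case
    "spoof": '<a href="http://www.chaosreigns.com/">http://www.example.com</a>',
    # same host, but the href carries a path and a query string (real non-spam)
    "tracking": '<a href="http://www.jr.com/tracking?ord_q_num=105725494'
                '&ord_q_zip=03076">http://www.jr.com/tracking</a>',
    # constructed: quoted-printable href=3D plus a nested tag, same host
    "qp_nested": '<a href=3D"http://www.example.org/"><b>http://www.example.org/</b></a>',
    # constructed: the spoof again, quoted-printable and wrapped in a nested tag
    "qp_spoof": '<a href=3D"http://www.chaosreigns.com/"><b>http://www.example.com/</b></a>',
}


def captured_href(rule, rawbody):
    """Run one rule over a rawbody fragment.

    Returns the href prefix the rule captured (group 1) when the rule fires,
    or None when it does not match.
    """
    m = rule.search(rawbody)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:10} original={captured_href(SPOOFED_URL, html)!r:40} "
              f"domain={captured_href(SPOOFED_URL_DOMAIN, html)!r}")
```

On the tracking link the existing rule captures 30 characters of the href ("http://www.jr.com/tracking?ord_q_nu"), which the visible text cannot equal, so it fires; the proposed rule captures only "http://www.jr.com" and stays quiet.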
