Hello,

I've discovered something... all of our samples of the Yahoo spam contain
a text/plain part that contains something like this:

http://www.majormedicaladvice.com/gfrqcov/ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33 PMKaryn Armstrong

That is, the target URL is immediately followed by the date, a space,
the time, "AM" or "PM" and then the fake sender's name (with no space
between AM/PM and the name).

I'm guessing an SA rule like this:

body YAHOO_SINGLELINE /http:\/\/\S{1,90}\d{1,2}\/\d{1,2}\/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M/

might work.  Untested, though...

Regards,

David.

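Added example, not part of the original post: a Python port of the regex from the proposed rule, run over the sample line from the message plus a few constructed lines that show where it hits and where it misses. The `normalize` helper and the `example.com` lines are assumptions made for illustration; `normalize` approximates the line-break removal SpamAssassin applies before `body` rules run.

```python
import re

# Regex from the proposed YAHOO_SINGLELINE rule, in Python syntax
# (SpamAssassin compiles the original as a Perl regex).
YAHOO_SINGLELINE = re.compile(
    r"http://\S{1,90}\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M"
)


def normalize(text):
    """Collapse whitespace runs, line breaks included, to single spaces.

    Assumption: stands in for the rendering SpamAssassin does before
    matching 'body' rules.
    """
    return re.sub(r"\s+", " ", text).strip()


def hits(text):
    """Return True if the rule's regex matches the normalized text."""
    return YAHOO_SINGLELINE.search(normalize(text)) is not None


SAMPLES = {
    # Sample from the post, including the mail client's line wrap.
    "post_sample": "http://www.majormedicaladvice.com/gfrqcov/"
                   "ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33 \nPMKaryn Armstrong",
    # Everything below is constructed for this example.
    # Date separated from the URL by a space: not the spam layout.
    "spaced_date": "See http://example.com/news 2/25/2013 2:58:33 PM",
    # Benign-looking dated path followed by a time: false positive.
    "dated_path": "http://example.com/archive/2/25/2013 2:58:33 PM",
    # Same layout over https: the literal 'http://' does not match.
    "https_variant": "https://example.com/x2/25/2013 2:58:33 PM",
    # More than 90 non-space characters before the date: missed.
    "long_url": "http://example.com/" + "a" * 100 + "2/25/2013 2:58:33 PM",
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    return {name: hits(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, fired in classify().items():
        print(f"{name:15} {'HIT' if fired else 'miss'}")
```

The `dated_path`, `https_variant` and `long_url` cases are the ones to check against real ham and spam before scoring the rule.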