Hello, I've discovered something... all of our samples of the Yahoo spam contain a text/plain part that contains something like this:
http://www.majormedicaladvice.com/gfrqcov/ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33 PMKaryn Armstrong That is, the target URL is immediately followed by the date, a space, the time, "AM" or "PM" and then the fake sender's name with (no space between AM/PM and the name.) I'm guessing an SA rule like this: body YAHOO_SINGLELINE /http:\/\/\S{1,90}\d{1,2}\/\d{1,2}\/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M/ might work. Untested, though... Regards, David.
