On Sun, 3 Mar 2013, Alex wrote:
Hi,My latest attempt is this: header __RP_D_00040_1 From:addr =~ /yahoo/i header __RP_D_00040_2 To =~ /(:?@.*?){5}/ body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/ meta RP_D_00040 __RP_D_00040_1 &&__RP_D_00040_2 &&__RP_D_00040_3 describe RP_D_00040 Yahoo single-line URL spamI'm seeing variations on this that aren't being caught, and I hoped someone could help. I've pasted my example here: http://pastebin.com/ijb0PSep There are more than five recipients, and despite changing it higher, it still doesn't work. The URL in my example is: http-://www.mahmut64.com/nkewyzvy/3yvbqe0s7nab8dyg7udx5k.ki?fq98xcccm (remove the initial dash) I can't figure out how the above URL differs from some of the others that have been caught, such as: http-://www.misbusquedas.com/armn/sac2c9s6ar1azb1hij1r8a.zyy?x1sy9d9zj06u
The number in the domain name? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- Failure to plan ahead on someone else's part does not constitute an emergency on my part. -- David W. Barts in a.s.r ----------------------------------------------------------------------- 7 days until Daylight Saving Time begins in U.S. - Spring Forward
