Hi,

>>> header   __RP_D_00040_1 From:addr =~ /yahoo/i
>>> header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
>>> body     __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
>>> meta     RP_D_00040 __RP_D_00040_1 &&__RP_D_00040_2 &&__RP_D_00040_3
>>> describe RP_D_00040 Yahoo single-line URL spam
>>
>>
>> I'm seeing variations on this that aren't being caught, and I hoped
>> someone could help. I've pasted my example here:
>>
>> http://pastebin.com/ijb0PSep
>>
>> There are more than five recipients, and despite changing it higher,
>> it still doesn't work. The URL in my example is:
>>
>> http-://www.mahmut64.com/nkewyzvy/3yvbqe0s7nab8dyg7udx5k.ki?fq98xcccm
>>
>> (remove the initial dash)
>>
>> I can't figure out how the above URL differs from some of the others
>> that have been caught, such as:
>> http-://www.misbusquedas.com/armn/sac2c9s6ar1azb1hij1r8a.zyy?x1sy9d9zj06u
>
> The number in the domain name?

I misinterpreted how the rule actually works. Viewing in Alpine
doesn't show the name and date, à la "2/27/2013 6:58:01", afterwards.
Now I understand the \d and colons.

My new example just has a bunch of crap afterwards, like:

http-://www.magickspellcraft.com/ddazfep/9tzbvn.jgbm36vlon?vl1j7qpfx0lb5rsnbntm
jwugzcv zwsymhxir.
vsd/

ysvmwtcvp jodij.
vsd/

Alex
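
A simplified model of the quoted rule, added here as an illustration and not part of the original message. The three patterns are copied from the thread; the `evaluate` helper, the sample headers and the example.com URLs are constructed, and flattening the body to one line is an assumption about how the text reaches the rule.

```python
import re

# Patterns copied verbatim from the RP_D_00040 sub-rules quoted in the thread.
FROM_RE = re.compile(r"yahoo", re.I)                           # __RP_D_00040_1
TO_RE = re.compile(r"(:?@.*?){5}")                             # __RP_D_00040_2
BODY_RE = re.compile(r"http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}")   # __RP_D_00040_3

# Constructed sample data (not taken from the pastebin in the thread).
SAMPLE_FROM = "someone@yahoo.example"
SAMPLE_TO = ", ".join(f"user{i}@example.org" for i in range(6))
# Variant the rule was written for: URL followed by a name and a timestamp.
BODY_WITH_TIME = "http://www.example.com/armn/sac2c9.zyy?x1sy9\nSome Name 2/27/2013 6:58:01"
# Newer variant described in the message: URL followed by filler words only.
BODY_WITH_FILLER = "http://www.example.com/ddazfep/9tzbvn.jgbm?vl1j7\njwugzcv zwsymhxir.\nvsd/"


def evaluate(from_addr, to_header, body):
    """Return each sub-rule result and the meta result for one message."""
    # Assumption: the body is matched as a single whitespace-normalized line.
    flat = " ".join(body.split())
    hits = {
        "__RP_D_00040_1": bool(FROM_RE.search(from_addr)),
        "__RP_D_00040_2": bool(TO_RE.search(to_header)),
        "__RP_D_00040_3": bool(BODY_RE.search(flat)),
    }
    # The meta rule requires all three sub-rules to hit.
    hits["RP_D_00040"] = all(hits.values())
    return hits


if __name__ == "__main__":
    for label, body in (("timestamp", BODY_WITH_TIME), ("filler", BODY_WITH_FILLER)):
        print(label, evaluate(SAMPLE_FROM, SAMPLE_TO, body))
```

Printing the per-sub-rule results shows which condition fails for a missed message, which is quicker than raising the recipient count and retesting.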
