On Sat, 8 Jun 2013 04:13:13 -0700 William Thackrey wrote: > We've been getting a ton of spam recently that consists only of a > single sexually explicit link description to an innocuous URI. > Here's one of the least offensive examples. Most are very crude. > > <div><a > href="http://prayerdancing.ru/15e595b9214bde2904c39f044cc4ec5a/arQE.html";>Anime > cartoon slut gets censored hardcore</a></div> > > I've written a rule which fires on this content - at least the regex > works in my regex testing tool. > > body > SEX_IN_URI > /href.{0,100}(various|sexually|explicit|target|words|here|censored|etc)/i > describe SEX_IN_URI Sexually explicit wording in href > > It doesn't seem to be working in Spamassassin (3.3.2, Perl 5.10.1, > Scientific Linux 6.2). Can anyone tell me if I have the syntax > wrong? Or does a body test not look into HTML?
The latter. I think what you need is a uri_detail test http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html Traditionally this would have been done with rawbody test, but it's better to avoid those if possible.
