Thanks! It looks like the uri_detail plug-in is being loaded by default.
I'll rewrite the test and try it.


On Jun 8, 2013, at 7:10 AM, RW <[email protected]> wrote:

> On Sat, 8 Jun 2013 04:13:13 -0700
> William Thackrey wrote:
> 
>> We've been getting a ton of spam recently that consists only of a
>> single sexually explicit link description to an innocuous URI.
>> Here's one of the least offensive examples.  Most are very crude.
>> 
>>    <div><a href="http://prayerdancing.ru/15e595b9214bde2904c39f044cc4ec5a/arQE.html">Anime cartoon slut gets censored hardcore</a></div>
>> 
>> I've written a rule which fires on this content - at least the regex
>> works in my regex testing tool.
>> 
>>    body SEX_IN_URI /href.{0,100}(various|sexually|explicit|target|words|here|censored|etc)/i
>> describe SEX_IN_URI Sexually explicit wording in href
>> 
>> It doesn't seem to be working in Spamassassin (3.3.2, Perl 5.10.1,
>> Scientific Linux 6.2).  Can anyone tell me if I have the syntax
>> wrong?  Or does a body test not look into HTML?
> 
> The latter. I think what you need is a uri_detail test 
> 
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html
> 
> Traditionally this would have been done with rawbody test, but it's
> better to avoid those if possible.
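
A uri_detail version of the rule discussed in this thread, as an added example that is not part of the original messages: it matches on the link's anchor text through the URIDetail plugin's `text` key instead of looking for `href` in the body. The word list is the placeholder list from the original post, and the score is a constructed value.

```conf
# Added example: local.cf fragment, not from the original thread.
# The word list is the placeholder list from the original post; the score is a
# constructed value to tune locally.
ifplugin Mail::SpamAssassin::Plugin::URIDetail

# "type" limits the match to URIs taken from <a> tags; "text" is the anchor
# text between <a> and </a>. A body rule only sees the rendered text, so a
# pattern that starts with "href" never matches there.
# All conditions on the line must match on the same URI.
uri_detail SEX_IN_URI  type =~ /^a$/  text =~ /\b(?:various|sexually|explicit|target|words|here|censored|etc)\b/i
describe   SEX_IN_URI  Sexually explicit wording in link anchor text
score      SEX_IN_URI  2.0

endif
```

Running `spamassassin --lint` after adding the fragment checks that the rule parses.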
