On Mon, 9 Jun 2014, Amir Caspi wrote:

> On Jun 9, 2014, at 4:25 PM, John Hardin <jhar...@impsec.org> wrote:
> > On Mon, 9 Jun 2014, Philip Prindeville wrote:
> > > http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> >
> > If it's in an HTML anchor tag the URL itself isn't in the "body" text, only the
> > display label will be.
> >
> > Try a "uri" rule.
>
> This URL is already in my "AC_SPAMMY_URI" template group, though I don't know
> if this particular one has been released or not (I never sent an update since the first
> batch a few months ago), and even if so the current version would not have caught it due
> to being a bit too restrictive.
>
> Try this:
>
> uri __AC_LONGSTRS_URI /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/
>
> Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the
> released ones score differently).
>
> --- Amir

Just beware of FPs; I've seen some ugly URLs from things like airline
reservation confirmations. (Spammers are getting better at stealing
features from legit messages to protect their garbage.)

Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
at all (as it's an "indirect" rule and thus scoreless); you'll either
have to rename it or use it in a meta rule.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
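
Added example, not part of the original thread or any poster's code: a small Python harness that runs the regex from the proposed uri rule against the URL quoted above and against a few constructed look-alike URLs, to gauge false positives before scoring the rule. It assumes Python's `re` as a stand-in for SpamAssassin's Perl regex engine; the `air.example` URLs and the helper names are made up for illustration.

```python
import re

# Rule body from the thread. SpamAssassin compiles it with Perl's regex engine;
# this pattern uses only syntax that Python's `re` interprets the same way.
AC_LONGSTRS_URI = re.compile(r"/[0-9]{8}(?:/[a-z0-9_~]{50,}){3}\b")

# The URL quoted in the thread, split at its path separators for readability
# (the host name is masked with #### on the page).
THREAD_URL = (
    "http://mab####sut.com/20220362/"
    "vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/"
    "unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/"
    "lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/"
    "e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol"
)


def token(seed, length):
    """Build a constructed path token of exactly `length` characters."""
    return (seed * length)[:length]


# Constructed sample URLs (hypothetical, not taken from real mail).
BASE = "https://air.example/confirm/20140609/"
CONSTRUCTED = {
    # A date followed by a single long tracking token: fewer than 3 segments.
    "one_long_token": BASE + token("ab3_", 64),
    # Three long tokens containing upper case: outside the [a-z0-9_~] class.
    "mixed_case_tokens": BASE + "/".join(token("Ab3_", 64) for _ in range(3)),
    # Three long lower-case tokens after a date: the shape that would be an FP.
    "three_long_tokens": BASE + "/".join(token("ab3_", 64) for _ in range(3)),
}


def rule_hits(url):
    """True if the uri rule's pattern matches anywhere in the URL."""
    return AC_LONGSTRS_URI.search(url) is not None


def evaluate(samples):
    """Map each sample name to whether the rule fires on its URL."""
    return {name: rule_hits(url) for name, url in samples.items()}


if __name__ == "__main__":
    print("thread URL:", rule_hits(THREAD_URL))
    for name, hit in evaluate(CONSTRUCTED).items():
        print(f"{name}: {hit}")
```

Replacing the constructed samples with URLs pulled from a ham corpus gives a quick false-positive check before the pattern goes into a scored or meta rule.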