Hello,
We received a new type of spam, twice, and we are not willing to give them a
third chance.
The body includes a long html paragraph (<p>...</p>) of headlines from the news.
The following works at the command line:
perl -p0e 's/(<p>(?:(?!<\/p>).){999,}<\/p>)/-->$1<--/msig' example.eml
perl -n0e '/(<p>(?:(?!<\/p>).){999,}<\/p>)/msig and print "--->$1<---"'
example.eml
The following SA rule, however, does not work at all:
rawbody __B_PLL /<p>(?:(?!<\/p>).){999,}<\/p>/msi
tflags __B_PLL multiple maxhits=1
meta B_PLL __B_PLL
describe B_PLL Body: Paragraph Length Limit
score B_PLL 1.0
I would be most grateful if you could spot the but in the above rule.
