Well, I'm not that good with a regexp, so I could well have it screwed up to
do that.
However, the intent is to catch
http://www.ghjlfadsafd=hjkafdsjlffda.com/blah/blah
but not catch
http://www.blah.blah.com/foo?=hithere
So hopefully that second scan will stop at the first slash.
Possibly I could have anchored it to the left side instead of using www. as
an anchor, and maybe caught some more spam. But I can't find anything that
tells me what a left anchor means in a uri clause, or if it will even work.
Originally this was a rawbody scan anchored to "http://";.
However, at this point I wouldn't bother with that rule. For a couple of
weeks it was catching over half my spam, since everything from Taiwan had
that signature. On the day I posted that rule all of the urls from those
sites changed, and it has not since then caught a single spam.
Loren
>If I'm reading that URL_EQUALS rule correctly, it seems that any URL
>with an attribute in the query string will be caught. If that's the
>case, I know I create lots of e-mails with links to asp pages with stuff
>in the query string, so wouldn't that rule be bad.
> LW> uri URL_EQUALS /www\.[0-9a-z\.\_]+\=[0-9a-z\.\_]+/i
> LW> describe URL_EQUALS URL has equal sign in hostname
> LW> score URL_EQUALS 4.4
>
> LW> Thanks,
>
> LW> Loren
>
>
>
