On Fri, 27 Feb 2004 16:41:00 -0500, Alton Danks wrote: > Hello, > > I'm seeing some SPAM that has odd href tags like the following: > > align="center"><a hrefShanghaishref=http://cowerers.com href= > > "http://www.nungim.com/?ai=7030 "> > <img border="0" src= > > "http://www.olivegrovetree.com/0/11/11-2.jpg"; </a></p> > > I'm not sure what the spammer gains by the odd href tag, but I > would like to > create a rule to catch it when it is used. > > I've tried: > > rawbody CTS_HREF /\bhref[a-z]\b/i > > rawbody CTS_HREF /\Whref[a-z]\W/i > > and the same with body instead of rawbody - > > with no results.
Hi, I think the final \b and \W will cause it not to match since there is more than one character after the href. > Ideally the rule would look for href followed by anything other > than = or > space. > > Al You could try: rawbody CTS_HREF /\Whref[^ =]/i I don't know if it may cause FP's, but it should do as you ask. Kind regards, Mat
![http://www.olivegrovetree.com/0/11/11-2.jpg"](http://www.olivegrovetree.com/0/11/11-2.jpg"){kind=link}