> rawbody LR_IMAGE_TAGGED_ASP =~ /\<img width\=1 height\=1 > src\=.*\.asp.*/i
There are a couple of things to consider here. The first is that rawbody only gives the rule a single physical line of the message, so if the target you are looking for spans lines the rule will never hit. If your target is most always on a single line you will be ok with rawbody. Sometimes you can get around this using 'full' instead of rawbody; but full messages won't be base64 and suchlike decoded.

You don't need the backslash before the = sign, but it won't hurt.

The area after src= is potentially of concern, both for efficiency and possible false positives. Looking for .* is almost always a bad idea, since this can take forever in certain cases based on the incoming message format. You would be better off limiting the size of the search: src=.{15,36}, for instance. Even better would be to limit what you are searching for. This is probably a cid or url, so will have a limited character set. Perhaps something like src=(?:cid:|http:\/\/)[\w\.\-]{10,40} to get past the first part.

The check for the asp suffix itself is a little dangerous as you have it coded. It will hit on ".asp" followed by anything: .asppy, for instance. Since what you want is at the end of the url or file name, you really don't want another word-character showing up after the asp. Also, you really don't care what else might show up after that (other than not being a word character) so .* at the end of the re buys you nothing except another time sink. A better choice might be \.asp\b or \.asp\W. These will ensure that you have asp with a non-word character after it. Of course, you would also like to be sure there isn't a dot after it; i.e., it really is the end of the name. So \.asp[^\.\w] might be a good choice.

Putting it all together, you might end up with something like

/\<img width\=1\sheight\=1>\ssrc\=[\'\"]?[\w\.]{5,40}\.asp[^\w\.]/i

The \s will allow any number of spaces (or tabs) between the elements, and there is also a conditional check to allow some sort of quoting around the file name.

Loren
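
An added example, not part of the reply above: it runs the src/suffix part of the quoted rule and of the tightened pattern over a constructed message body, one physical line at a time as the reply describes for rawbody. Python's re module stands in for Perl regex here (these constructs behave the same in both), and the sample lines and the names LOOSE, TIGHT and scan are assumptions made for the illustration.

```python
import re

# Suffix check as written in the quoted rule: unbounded .* around ".asp".
LOOSE = re.compile(r"src\=.*\.asp.*", re.I)
# src/suffix portion of the tightened pattern from the reply:
# optional quote, bounded name, ".asp" followed by a non-word, non-dot char.
TIGHT = re.compile(r"""src\=[\'\"]?[\w\.]{5,40}\.asp[^\w\.]""", re.I)

# Constructed sample body (not taken from any real message).
SAMPLE_BODY = (
    '<img width=1 height=1 src="pixel01.asp">\n'      # the intended target
    '<img width=1 height=1 src="notes.asppy">\n'      # ".asp" followed by word chars
    '<img width=1 height=1 src="report.asp.txt">\n'   # ".asp" is not the end of the name
    '<img width=1 height=1 src="pix\n'                # tag wrapped across two
    'el01.asp">\n'                                    # physical lines
    '<IMG WIDTH=1 HEIGHT=1 SRC=beacon.ASP>\n'         # unquoted, upper case
)


def scan(body):
    """Match each physical line separately and report (line, loose, tight)."""
    results = []
    for line in body.splitlines():
        loose_hit = bool(LOOSE.search(line))
        tight_hit = bool(TIGHT.search(line))
        results.append((line, loose_hit, tight_hit))
    return results


if __name__ == "__main__":
    print(f"{'loose':<6}{'tight':<6}line")
    for line, loose_hit, tight_hit in scan(SAMPLE_BODY):
        print(f"{str(loose_hit):<6}{str(tight_hit):<6}{line}")
```

The two halves of the wrapped tag match neither pattern, which is the single-line limitation in practice; the .asppy and .asp.txt lines are hit only by the loose form.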