(Please keep list mail on the list.)
On 11/04/2018 16:15, Kris Deugau wrote: >> Please post the rules you think
should match on this example.
saqariden wrote:
this is my rule:
uri __FR_SHORT_SPAM_URI_1
/(\/[a-zA-Z\d]{1,3}\.php\?[a-zA-Z\d]{3,9})|(\/[a-zA-Z\d]{3,10}\/[a-zA-Z\d]{3,9}\.php\?[a-zA-Z\d]{3,9})/
body __FR_SHORT_SPAM_URI_2
/(\/[a-zA-Z\d]{1,3}\.php\?[a-zA-Z\d]{3,9})|(\/[a-zA-Z\d]{3,10}\/[a-zA-Z\d]{3,9}\.php\?[a-zA-Z\d]{3,9})/
Both of these hit on your example spam for me:
$ spamassassin -D 2>&1 <test1.eml |grep FR_SHORT
Apr 18 12:10:25.137 [24553] dbg: rules: ran body rule
__FR_SHORT_SPAM_URI_2 ======> got hit: "/1xe3c8b3w/gknpdq2gw.php?ZXZlbGluZ"
Apr 18 12:10:25.194 [24553] dbg: rules: ran uri rule
__FR_SHORT_SPAM_URI_1 ======> got hit: "/1xe3c8b3w/gknpdq2gw.php?ZXZlbGluZ"
You'll need to share more detail of how you're testing these for someone
to be able to suggest what's going wrong.
-kgd