On Wed, 17 Apr 2019 14:00:26 +0100 RW wrote: > On Wed, 17 Apr 2019 08:44:32 -0400 > buy wrote: > > > Hi, > > > > I've been encountering spammers putting whitespace in the > > domain area of a url. My rule is not catching them. > > ... > > Spamassassin rule looks like this (NO MATCH): > > -------------------------------------------- > > uri NC_SPAM292 /https?\:\/\/(?:\w*\.)*\s*miwilurt\.\s*com\// > > score NC_SPAM292 50 > > presumably it either hasn't been parsed as a uri or the spaces have > been removed.
I see it uses \s* so it's not going to be the latter > Try a body or rawbody rule.
