On Wed, 17 Apr 2019, RW wrote:
On Wed, 17 Apr 2019 08:44:32 -0400
buy wrote:
Hi,
I've been encountering spammers putting whitespace in the
domain area of a url. My rule is not catching them.
...
Spamassassin rule looks like this (NO MATCH):
--------------------------------------------
uri NC_SPAM292 /https?\:\/\/(?:\w*\.)*\s*miwilurt\.\s*com\//
score NC_SPAM292 50
presumably it either hasn't been parsed as a uri or the spaces have
been removed. Try a body or rawbody rule.
This should help troubleshooting it in debug mode with rule hits logging
enabled:
uri __ALL_URI /.+/
tflags __ALL_URI multiple
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government should bear in mind the fact that the American
Revolution was touched off by the then-current government
attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
2 days until the 244th anniversary of The Shot Heard 'Round The World
