On Wed, 2019-04-17 at 08:44 -0400, buy wrote: > The spam email contains urls that look like this: > ------------------------------------------------- > <a href="https://www. miwilurt. > com/mKC7AeJAmPT5duDOp6rh_aOmQfdpzd_Ewgbm87h8By6313NSjVfHM10dT8MhiBk0X > UB4g9vTUZrRs2U1fJUYCA~~/">click > here</a> > > Spamassassin rule looks like this (NO MATCH): > -------------------------------------------- > uri NC_SPAM292 /https?\:\/\/(?:\w*\.)*\s*miwilurt\.\s*com\// > score NC_SPAM292 50 > Untested, but...
Highlighting my MUA (Evolution) in your message shows the reason your rule fails: the only 'URI' there is https://www. - and its malformed because it ends with a '.'. So, try NC_SPM292 again, but as a body rule, rather than a uri rule and use the same regex. However, it does look too specific to do anything except play wackamole, but mat be useful if you can generalise it to accept any string that starts with http: or https: followed by a string that contains at least two instances of a dot followed by a space. Martin
