> Is there an SA rule to detect URIs that have ridiculously large
> numbers of subdomain levels? If not, perhaps it could be useful
> (perhaps even more useful than wildcard DNS). Note that it may
> not be feasible to resolve domains found in message body URIs
> to even detect wildcards.
There might be one, although I can't think of it at the moment. I'm pretty
sure I experimented with that at some point in time, and I don't recall that
it had sterling results.
In actual fact, most of the uri's I've been seeing recently are quite short,
and usually lacking a type tag. Things like airmx.com.
Over the last couple of months the best trivial test was not for an
improbable number of levels, but for improbable name lengths. However, that
is changing.
Loren
