I just got an email that hit the following:

 *  2.0 SPOOF_COM2OTH URI: URI contains ".com" in middle
 *  2.3 SPOOF_COM2COM URI: URI contains ".com" in middle and end
 *  2.5 SARE_SPOOF_COM2OTH URI: a.com.b.c
 *  2.5 SARE_SPOOF_COM2COM URI: a.com.b.com

Did the SARE_SPOOF rules get included in the base ruleset while I wasn't
looking?

The rule definitions are almost the same.

uri SARE_SPOOF_COM2OTH  m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
uri SPOOF_COM2OTH       m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2}}i

uri SPOOF_COM2COM       m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
uri SARE_SPOOF_COM2COM  m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i

--
Bowie
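
An added example, not part of the original message or of either ruleset: it runs the four rule bodies exactly as posted above over constructed URIs and reports which rules fire on identical inputs and how the scores stack. It assumes Python's `re` (with ASCII `\w`) is a close enough stand-in for the Perl regex engine on these patterns, and the names `hits`, `score` and `overlap` are hypothetical.

```python
import re

# Rule bodies copied as posted in the message; scores taken from its hit report.
RULES = {
    "SARE_SPOOF_COM2OTH": (2.5, r"^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com"),
    "SPOOF_COM2OTH":      (2.0, r"^https?://(?:\w+\.)+?com\.(?:\w+\.){2}"),
    "SPOOF_COM2COM":      (2.3, r"^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com"),
    "SARE_SPOOF_COM2COM": (2.5, r"^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}"),
}
# The m{...}i modifier maps to IGNORECASE; ASCII keeps \w byte-oriented (assumption).
COMPILED = {n: re.compile(p, re.I | re.A) for n, (_, p) in RULES.items()}

# Constructed sample URIs, built from the a.com.b.c shapes in the rule descriptions.
SAMPLES = [
    "http://a.com.b.c.com/",
    "http://a.com.b.c.net/",
    "http://a.com.b.com/",
    "http://a.com.b.c/",
    "http://www.example.com/",
]

def hits(uri):
    """Names of the rules whose pattern matches this URI."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(uri))

def score(uri):
    """Total score contributed by these four rules for one URI."""
    return round(sum(RULES[n][0] for n in hits(uri)), 1)

def overlap(samples):
    """Pairs of rules that fire on exactly the same sample URIs.

    Equality over samples is evidence, not proof, of redundancy; here the
    COM2COM pair is textually identical, and {2} vs {2,} cannot differ
    because neither pattern is anchored at the end.
    """
    fired = {n: frozenset(u for u in samples if COMPILED[n].search(u))
             for n in RULES}
    names = sorted(RULES)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if fired[a] and fired[a] == fired[b]]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{score(uri):4.1f}  {uri}  {hits(uri)}")
    print("redundant pairs:", overlap(SAMPLES))
```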
