Kasper Sacharias Eenberg wrote:
> There's been a rule circulating this mailing list for a couple of weeks.
> This is the latest edition to catch those med-things (afaik).
>
> ----------
> body AE_MEDS35 /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> describe AE_MEDS35 obfuscated domain in message
> score AE_MEDS35 5.0
> ----------
>
> It works well for me.
>
Thanks Kasper,

Also the Sanesecurity sigs for Clam catch it (thanks to Steve).