Hey Folks,

We are using SA 3.2.5, MailScanner (Latest) and ClamAV on a Fedora 10 server.

This question is in regards to the latest round of our favorite Hotmail SPAM... Trying to write a rule in local.cf to trap them as 99.9999999% of them have these characteristics in the URLs in the emails (and some are getting through):

1. English URL
2. Double words separated with a '-'
3. Rarely a 'www' at the front - usually 4 or more random letters
4. Always (for now) 4 numbers at the end

Example: http://llhti.tour-traveled.com/4651/

And as a PS, they are all new domains registered by/in China. Likely due to China's change in their registrar laws regarding .cn domains - so now we get .com domains instead. Gotta love it. Anyways, I digress!

Example email body:

Do you identify me on that picture? http://llhti.tour-traveled.com/4651/
Tracy.

## End example (there is also usually an HTML portion too, but I am concentrating on the plain text part)

So my rule:

# hotmail drug spam
uri MY_HOTMAIL_SPAM m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
describe MY_HOTMAIL_SPAM Druggy hotmail.com links
score MY_HOTMAIL_SPAM 5.0

And running emails through it using -D, it does not hit it as far as I can tell - scores 3.5 due to other tests. Yes, it IS reading it cause if I mess with the rule and make it have bad syntax, SA --lint complains loudly. Right now, no complaints - and no results.

Any ideas? Suggestions?

Thanks!
JPP

--
View this message in context: http://old.nabble.com/A-little-help-with-a-local.cf-rule...-please%21-tp26970283p26970283.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
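
Added example (not part of the original post and not SpamAssassin code): a Python check of the posted regex body against the sample URL, next to a tightened pattern. The tightened pattern, the function names and every sample URL other than the one from the post are assumptions made for illustration; these regex constructs behave the same in Python's `re` as in Perl.

```python
import re

# Regex body exactly as posted between "m{" and "}". Two things to notice:
#  - "/{1,30}" and "\.{1,30}" quantify the slash and the dot themselves,
#    so no hostname characters are ever allowed.
#  - the trailing "/i" sits inside the delimiters, so it is two literal
#    characters, not a case-insensitive flag (in Perl that goes after "}").
POSTED = re.compile(r"https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i")

# Assumption: one reading of the four characteristics listed in the post.
TIGHTENED = re.compile(
    r"^https?://[a-z]{4,30}"      # 4 or more letters in place of "www"
    r"\.[a-z]{1,30}-[a-z]{1,30}"  # two words joined by '-'
    r"\.(?:com|ru|cn)"            # TLDs taken from the posted rule
    r"/[0-9]{4}(?:/|$)",          # exactly four digits as the first path segment
    re.IGNORECASE,
)

def posted_hits(url):
    """True if the regex body from the posted rule matches the URL."""
    return POSTED.search(url) is not None

def tightened_hits(url):
    """True if the tightened (assumed) pattern matches the URL."""
    return TIGHTENED.search(url) is not None

# The first URL is the example from the post; the rest are constructed.
SAMPLES = [
    "http://llhti.tour-traveled.com/4651/",
    "http://...com/4651/i",                 # the only shape POSTED accepts
    "http://www.example.com/2009/",         # no hyphenated pair, 3-letter label
    "http://news.tour-traveled.com/46512/", # five digits
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:40} posted={posted_hits(url)} tightened={tightened_hits(url)}")
```

The tightened pattern deliberately skips the rare 'www' case from item 3, since 'www' has only three letters.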