On Sat, 24 Jul 2010, Jason Haar wrote:
It made me think: it contains links to the site it wants you to go to
(which are all the same) - but includes a fake unsubscribe option that
refers to the same URL. I've seen this behavior in a tonne of spam...
How much work would it be to create a rule that detects "unsubscribe"
links, and scores it up if it has the same URL as seen elsewhere in the
body? Real messages wouldn't do that...?
Short of a plugin it would be very difficult. Regular rules don't have any
way to refer to the matches of other rules, you'd have to write a rawbody
rule that matched all of the message from the embedded target URL to the
matching embedded "unsubscribe" URL. That would likely kill performance.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control enables genocide while doing little to reduce crime.
-----------------------------------------------------------------------
146 days until TRON Legacy
