oops... Just for the record, I omitted the delimiter when I retyped the cleaned up rule for the email. The actual rule is:
uri_detail SEX_IN_URI text =~ /(various|sexually|explicit|target|words|here|etc|etc)/i describe SEX_IN_URI Sexually explicit wording in URI On Jun 8, 2013, at 9:54 AM, William Thackrey <[email protected]> wrote: > Thanks! It looks like the uri_detail plug-in is being loaded by default. > I'll rewrite the test and try it. > > > On Jun 8, 2013, at 7:10 AM, RW <[email protected]> wrote: > >> On Sat, 8 Jun 2013 04:13:13 -0700 >> William Thackrey wrote: >> >>> We've been getting a ton of spam recently that consists only of a >>> single sexually explicit link description to an innocuous URI. >>> Here's one of the least offensive examples. Most are very crude. >>> >>> <div><a >>> href="http://prayerdancing.ru/15e595b9214bde2904c39f044cc4ec5a/arQE.html";>Anime >>> cartoon slut gets censored hardcore</a></div> >>> >>> I've written a rule which fires on this content - at least the regex >>> works in my regex testing tool. >>> >>> body >>> SEX_IN_URI >>> /href.{0,100}(various|sexually|explicit|target|words|here|censored|etc)/i >>> describe SEX_IN_URI Sexually explicit wording in href >>> >>> It doesn't seem to be working in Spamassassin (3.3.2, Perl 5.10.1, >>> Scientific Linux 6.2). Can anyone tell me if I have the syntax >>> wrong? Or does a body test not look into HTML? >> >> The latter. I think what you need is a uri_detail test >> >> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html >> >> Traditionally this would have been done with rawbody test, but it's >> better to avoid those if possible. >
