On Wed, Oct 29, 2014 at 10:27 AM, francis picabia <fpica...@gmail.com> wrote:
> I've tested the rule:
>
> uri URI_MYDOMAIN_PHISH
> m;^https?://(?:[^./]+\.)*example\.com[^/?];i
>
>
> is catching this sample newsletter link:
>
> Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule
> URI_MYDOMAIN_PHISH ======> got hit: "http://example.com&"
>
> Complete email body content in test of newsletter link:
>
> <a target="_blank"
> href="http://www.environmental-expert.com/redirectnewsletter_login.asp?UR=
> L=http://www.environmental-expert.com&loginemail=u...@example.com&loginc=
> ode=123456&utm_source=Articles_Waste_Recycling_01112014&utm_medium=em=
> ail&utm_campaign=newsletters&utm_content=logoclick"><img
> src="http://www.environmental-expert.com/newsletter/images/logo_dark_smal=
> l.gif"
> width="200" height="83" border="0"></a>
>
>
> I wonder how the RE can be tweaked to not match this case?
> I still don't understand the ?: part.
>

I don't know if it is the best solution, but adding & to the non-matching
clause has helped for the false positive and still catches the phishing example:

uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?&];i
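
Added example, not part of the original message: both versions of the rule's pattern run over a handful of URIs, using Python's `re` as a stand-in for SpamAssassin's Perl regex engine, to show which strings each one fires on and what the `(?:` group does. Only the first sample URI comes from the debug line in the thread; the others, including the `.invalid` lookalike hosts, are constructed for illustration.

```python
import re

# Patterns copied from the thread (SpamAssassin's m;...;i becomes re.IGNORECASE).
ORIGINAL = re.compile(r"^https?://(?:[^./]+\.)*example\.com[^/?]", re.I)
TWEAKED = re.compile(r"^https?://(?:[^./]+\.)*example\.com[^/?&]", re.I)

# Constructed sample URIs; only the first appears in the thread (debug output).
SAMPLES = [
    "http://example.com&",                      # string reported in the debug hit
    "http://example.com/",                      # real host, path follows
    "https://www.example.com?x=1",              # real host, query follows
    "http://example.com",                       # real host, nothing follows
    "http://example.com.login.invalid/",        # lookalike host (constructed)
    "http://www.example.com-secure.invalid/x",  # lookalike host (constructed)
    "http://example.com:8080/",                 # real host with explicit port
]


def hits(pattern, uris=SAMPLES):
    """Return the URIs the pattern matches, in input order."""
    return [u for u in uris if pattern.search(u)]


def subdomain_group_captures(uri):
    """Return the numbered groups of a match, or None if there is no match.

    (?:...) only groups "label." so that * can repeat it; it does not
    capture, so a successful match exposes an empty tuple of groups.
    """
    m = TWEAKED.search(uri)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("tweaked", TWEAKED)):
        print(name)
        for u in hits(pat):
            print("  hit:", u)
    print("groups:", subdomain_group_captures(SAMPLES[5]))
```

Both patterns also match the host followed by `:8080`, because `:` is not in the excluded character class, so a link to the real domain with an explicit port would trigger the rule as well.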