SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
On 10/14, dar...@chaosreigns.com wrote:
> rawbody __SPOOFED_URL
> m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\#
> :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
> I agree it seems like we should be able to improve it.

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
Existing rule:
rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
How about this, to only check for a changed domain part instead?
rawbody SPOOFED_URL_DOMAIN

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread Christian Grunfeld
And what about when there is no anchor text in the link? E.g. PayPal image button
2011/10/14 :
> Existing rule:
>
> rawbody  __SPOOFED_URL  m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\#
> ]{8,29}[^>"'\#
> :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
None of these rules will hit that. That's what the second "http" is for. "Hit the host name part of the href value of an anchor tag, then do *not* match the same host name in the value part of the anchor, then hit 'href'". I should've called it SPOOFED_URL_HOST, because this one is matching the f

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread Christian Grunfeld
You should be able to check against img src content, right?
2011/10/14 Christian Grunfeld :
> and what about when there is no anchor text in the link ? eg. paypal
> image button
>
>
> 2011/10/14  :
>> Existing rule:
>>
>> rawbody  __SPOOFED_URL  m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\#
>> ]{8,

Re: SPOOFED_URL Re: antiphishing

2011-10-14 Thread darxus
Not relevant to the subject. We're talking about where somebody is maliciously making you think you're clicking on "www.youtube.com" when in fact you're clicking on "www.ILikeSpam.com". Somebody linking to one domain with an image hosted on another domain has plenty of possibility to be legit. Y

Re: SPOOFED_URL Re: antiphishing

2011-10-18 Thread Matus UHLAR - fantomas
On 14.10.11 18:07, dar...@chaosreigns.com wrote:
Existing rule:
rawbody __SPOOFED_URL m/]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
How about this, to only check for a change

Re: SPOOFED_URL Re: antiphishing

2011-10-18 Thread darxus
On 10/18, Matus UHLAR - fantomas wrote:
> Very nice, however due to these and other circumstances mentioned I
> think that a plugin would be better, since it could define where to
Thanks. It didn't work out, the results were worse than the older rule: http://ruleqa.spamassassin.org/?daterev=2011