On Mon 11-Jul-05 8:45am -0500, alien wrote: > I'm trying to detect emails that have hidden http links to dangerous > files (scr, exe, etc) in HTML documents . Here are two examples: > > <ahref="http://host144dnx.plugin.com/foto007.scr">http://www.fee.com/docs/fotos/Loren.jpg</a></font></font></p> > > href=3D"http://www.swedx.com/catalog/includes/languages/espanol/images/ca= > rdwelcome1903703446A8994.scr" > > After reading TB! helpfiles I thought of a filter, something like > this: > > <message source> matches all as Regex <http://.*\.scr> > action <Set color group to> "Virus Warning"
Matching All should work with a list of one but why chance it :-) Just use Match. Also both examples have a `"` after the naughty extension, not a `>`. Try this as your regex - the (?s) will cause lines to be spanned: the (?: ... ) is a non-capturing subpattern - everything else looks good: (?s)http://.*\.(?:scr|exe|etc)" If that fails you, could you send one of those messages as an attachment? -- Best regards, Bill Beta 3.51 Pro BayesIt! 0.8.1 X-Ray 1.4.0.0 XMP 0.9.6 XP Pro SP2 POP3 ________________________________________________________ http://www.silverstones.com/thebat/TBUDLInfo.html