On Sat, 31 Mar 2018, Sebastian Arcus wrote:
I have a really simple rule looking for custom text string contained in spam
urls in the body of the email, like so:
body SHORT_BITCOIN_DATING /specific_string_here/i
score SHORT_BITCOIN_DATING 3.0
describe SHORT_BITCOIN_DATING Body URL signature of spam
I just realised that it is only working if the URL exists in both the text
and html versions. If the text version doesn't have the url, it isn't
working. Do "body" rules only work on the html part of the message? I've
tried searching through the documentation, but I can't see that being the
case. Maybe there is something else having an effect here?
"body" includes the *rendered* part of HTML. If the URL only appears
within <a href="..."> in the HTML part then "body" will not see it.
If you are looking for URLs, you should probably be using a "uri" rule.
There are heuristics to pull those out of the body text, as well out of
HTML tags.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Liberals love sex ed because it teaches kids to be safe around their
sex organs. Conservatives love gun education because it teaches kids
to be safe around guns. However, both believe that the other's
education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
Tomorrow: April Fools' day