On Sep 17, 2019, at 12:15 PM, John Hardin <jhar...@impsec.org> wrote: > > On Tue, 17 Sep 2019, hg user wrote: > >> It is a "dumb" rule but the quicker I could create. >> >> https://pastebin.com/bxRSds7a > > Suggestions: > > (1) use a URI rule rather than a BODY rule > > (2) escape the periods; you want to match a period, not any-character.
Based on https://feodotracker.abuse.ch/mitigate/ <https://feodotracker.abuse.ch/mitigate/>, it looks like both Spamhaus DBL and SURBL are fed by URLhaus. Spamhaus returns 127.0.1.105 for URLs fed from URLhaus. Doesn't SA already handle this, then, for URLs it processes, since it uses the DBL? I know Riccardo sent an email about a new plugin for SA, but I don't know if it's yet implemented in release... but maybe that's not required since the DBL doesn't require DQS. --- Amir