Jeff Chan wrote:
> Does anyone have a geocities rule that catches most of the spams
> and has few FPs?


This is a collection of various geocities rules that I've been using. You might
want to run them by a corpus to see what their FPs are like for you, but this is
a good starting point. These are based on rules posted by others on the list,
with a few limited hacks and customizations of my own added.


uri      L_L_GEOEXP /(?:uk|de)\.geocities\.com\/\w{2,20}\/\?\w{1,20}[=&]\w{2}/
describe  L_L_GEOEXP Possible Geocities exploitation
score     L_L_GEOEXP 1.0

#stacks with geoexp, but is more specific and less FP prone.
uri      L_L_GEOEXP2 /(?:uk|de)\.geocities\.com\/[a-z]{2,20}\d{1,5}\/\?\w{1,20}[=&]\w{2}/
describe  L_L_GEOEXP2 Possible Geocities exploitation
score     L_L_GEOEXP2 1.5


#different pattern, somewhat FP prone due to broader hit range.
uri      L_L_GEOEXP3 /(?:uk|de)\.geocities\.com\/[a-z]{5,7}[0-9]{2,3}\//
describe  L_L_GEOEXP3 Possible Geocities exploitation
score     L_L_GEOEXP3 1.0

uri      UOLCC_UKGEO /(?:uk|de)\.geocities\.com\/[A-Z]?[a-z]{2,20}_[A-Z]?[a-z]{2,20}(?:_[A-Z]?[a-z]{2,20})?\d{0,4}\/\?[\w=\.]{3}/
describe  UOLCC_UKGEO UK Geocities exploitation
score     UOLCC_UKGEO 2.0

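An added example, not part of the original post: a small Python harness that runs the four uri patterns above over a list of URIs and reports which rules hit and the stacked score, as a quick way to look at overlap and FPs before a full corpus run. The sample URIs are constructed for illustration, and Python's re module with re.ASCII is assumed to behave like the Perl regexes for these patterns.

```python
import re

# Patterns and scores copied from the rules in the post; only the /.../
# delimiters are dropped. re.ASCII keeps \w and \d to ASCII (assumption:
# this mirrors how the rules behave on plain-ASCII URIs).
RULES = {
    "L_L_GEOEXP": (
        r"(?:uk|de)\.geocities\.com\/\w{2,20}\/\?\w{1,20}[=&]\w{2}", 1.0),
    "L_L_GEOEXP2": (
        r"(?:uk|de)\.geocities\.com\/[a-z]{2,20}\d{1,5}\/\?\w{1,20}[=&]\w{2}", 1.5),
    "L_L_GEOEXP3": (
        r"(?:uk|de)\.geocities\.com\/[a-z]{5,7}[0-9]{2,3}\/", 1.0),
    "UOLCC_UKGEO": (
        r"(?:uk|de)\.geocities\.com\/[A-Z]?[a-z]{2,20}_[A-Z]?[a-z]{2,20}"
        r"(?:_[A-Z]?[a-z]{2,20})?\d{0,4}\/\?[\w=\.]{3}", 2.0),
}
COMPILED = {n: (re.compile(p, re.ASCII), s) for n, (p, s) in RULES.items()}


def evaluate(uri):
    """Return (rule names that hit, in rule order; summed score) for one URI."""
    hits = [name for name, (rx, _) in COMPILED.items() if rx.search(uri)]
    return hits, sum(COMPILED[name][1] for name in hits)


# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://uk.geocities.com/abcdef12/?id=xyz",     # letters+digits, query string
    "http://de.geocities.com/john_smith/?a=bc",     # underscore-style name
    "http://uk.geocities.com/garden99/index.html",  # ordinary page, no query
    "http://www.geocities.com/abcdef12/?id=xyz",    # host is neither uk. nor de.
]

if __name__ == "__main__":
    for uri in SAMPLES:
        hits, score = evaluate(uri)
        print(f"{score:4.1f}  {','.join(hits) or '-':40}  {uri}")
```

The third sample shows the broader hit range of L_L_GEOEXP3: it fires on the directory name alone, with no query string present.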