Hello, I'm running SpamAssassin on my Exim MTA and would like to add a rule of which I don't think it's built-in yet: Phishing mails commonly have an HTML link in them with a target like "http://12.34.56.78/..." but a label like "http[s]://somedomain/...". This case where the link label is a domain but the target is a numeric IP, and even worse the case, where the label has https: and the target only http:, I would like to score a high number of points. Is this already built-in? I couldn't see it on such a mail I received today.
How can I add this rule myself? The "rawbody" option only matches line by line, which doesn't help me because the link is split over multiple lines. What I need is something to match the entire message as one, with HTML kept intact but encoding (Quoted Printable...) resolved. I have seen the HTTPS_IP_MISMATCH rule that leads me to a Perl function. I don't understand Perl very well, and this specific function is way too complex for me. Also I don't know where to add my own Perl functions. The documentation doesn't tell me. -- Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]> http://beta.unclassified.de – My web laboratory.