On Fri, 3 Aug 2007 at 08:03 -0500, [EMAIL PROTECTED] confabulated:
Rocco Scappatura wrote:
It is possible to block the spam sent by GreetingCards.com which invites
the receiver to access an URL and browse the ecard?
All of the ones I have received have a url with a numeric ip, followed
by usually a 32 character string in the url (MD5 hash?).
Here is my rule that traps them. I have not seen any get through after
this:
body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
describe LOCAL_POSTCARD_URL Body contains postcard scam url
score LOCAL_POSTCARD_URL 3.0
There is already a test SA does for a dotted-decimal IP in a URL:
NORMAL_HTTP_TO_IP
I have its score set to 2.5. It appears the default score is .001.
-------
_|_
(_| |