On Fri, 3 Aug 2007, Michael Schout wrote: > Here is my rule that traps them. I have not seen any get through > after this: > > body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}' > describe LOCAL_POSTCARD_URL Body contains postcard scam url > score LOCAL_POSTCARD_URL 3.0
That's a useful general rule. Here's a revision as a URI rule rather than a BODY rule: describe DQ_URI_ONLY_ARGS Dotted-Quad URI with only CGI arguments uri DQ_URI_ONLY_ARGS m'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}' I've added this into http://www.impsec.org/~jhardin/antispam/postcards.cf too. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- ...every time I sit down in front of a Windows machine I feel as if the computer is just a place for the manufacturers to put their advertising. -- fwadling on Y! SCOX ---------------------------------------------------------------------- Tomorrow: The 272nd anniversary of John Peter Zenger's acquittal