Untested, but try
uri EXECUTABLE_WEBSITE /\.(?:exe|scr|pif)$/i
Loren
----- Original Message -----
From: "Dave Koontz" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Saturday, February 23, 2008 6:52 AM
Subject: Please help with rule
I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV. I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension. However, my rule is
not working. Can someone help advise what is wrong? I want it to
pick up any http or https with those extensions.
body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL Dangerous URL
score Dangerous_URL 7.5
Thanks in advance!
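
Added example (not part of the original thread): a Python check of the two patterns from the messages above against constructed URLs. It shows that the posted body pattern applies {1,200} only to the final "p", and that the $-anchored uri pattern does not match a URL carrying a query string. URI_RULE_QUERY is a hypothetical variant not taken from the thread, and Python's re module stands in for SpamAssassin's Perl regex engine.

```python
import re

# Body pattern as posted in the question. The {1,200} quantifier binds only
# to the preceding "p", so this means "htt", 1-200 "p"s, then ".exe" etc.
BODY_RULE = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I)

# Pattern from the suggested uri rule. SpamAssassin runs uri rules against
# each URL it extracts, so only the end of the URL has to be matched.
URI_RULE = re.compile(r"\.(?:exe|scr|pif)$", re.I)

# Hypothetical variant (an assumption, not from the thread): also accept a
# query string or fragment after the extension.
URI_RULE_QUERY = re.compile(r"\.(?:exe|scr|pif)(?:[?#].*)?$", re.I)

# Constructed sample URLs; example.test is a reserved, non-routable name.
SAMPLES = [
    "http://example.test/ecard.exe",
    "https://example.test/files/SETUP.SCR",
    "http://example.test/postcard.pif?id=1",
    "http://example.test/exe/index.html",
    "http.exe",
]


def evaluate(url):
    """Return (body_hit, uri_hit, uri_query_hit) for one URL string."""
    return (
        bool(BODY_RULE.search(url)),
        bool(URI_RULE.search(url)),
        bool(URI_RULE_QUERY.search(url)),
    )


def report():
    """Evaluate every constructed sample and return {url: result tuple}."""
    return {url: evaluate(url) for url in SAMPLES}


if __name__ == "__main__":
    print(f"{'body':5} {'uri':5} {'uri+q':5}  url")
    for url, (body, uri, uri_q) in report().items():
        print(f"{body!s:5} {uri!s:5} {uri_q!s:5}  {url}")
```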