Ned Slider wrote:
uri LOCAL_URI_PHISH_UK3 m{https?://.{1,40}/.{1,60}\.(ac|co|gov)\.uk} describe LOCAL_URI_PHISH_UK3 contains obfuscated UK phish link of form example.com/bank.co.uk
Ah, this rule hits on unsubscribe links etc, which wasn't what was intended. For example:
example.com/unsubscribe.php?email=u...@example.co.uk