On 3/1/2011 12:39 PM, tr_ust wrote: > Thanks...I could really use the help! > > basically - I'm getting the list of phishing links of aper > (https://aper.svn.sourceforge.net/svnroot/aper/) and creating a rule for it. > > Here's a snippet of my rule - > > uri LOCAL_URI_EXAMPLE /-la2u.9hz.com\// > score LOCAL_URI_EXAMPLE 20 > uri LOCAL_URI_EXAMPLE /0-vgj.9hz.com\// > score LOCAL_URI_EXAMPLE 20 > uri LOCAL_URI_EXAMPLE /007vt.9hz.com\// > score LOCAL_URI_EXAMPLE 20 > uri LOCAL_URI_EXAMPLE /02khw.9hz.com\// > score LOCAL_URI_EXAMPLE 10 > uri LOCAL_URI_EXAMPLE /03l6c.9hz.com\// > score LOCAL_URI_EXAMPLE 50 > uri LOCAL_URI_EXAMPLE /03ysl.9hz.com\// > score LOCAL_URI_EXAMPLE 20 > uri LOCAL_URI_EXAMPLE /040jk.9hz.com\// > score LOCAL_URI_EXAMPLE 20 > uri LOCAL_URI_EXAMPLE /0oczg.9hz.com\// > score LOCAL_URI_EXAMPLE 20 > > > I'm using the per user option right now for spamassassin, so I test it by > sending the user an email with one of these links...and it's still going > through.
You are aware that these rules are specifying that there MUST be a slash after .com in order to match, right? Other than that, I don't see any obvious problem. Send an example email through your system and put the resulting email (with headers) into a pastebin so I can look at it. -- Bowie