Re: SPOOFED_URL Re: antiphishing

darxus Fri, 14 Oct 2011 15:08:13 -0700

Existing rule:

rawbody  __SPOOFED_URL  m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# 
]{8,29}[^>"'\# 
:\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i



How about this, to only check for a changed domain part instead?

rawbody SPOOFED_URL_DOMAIN 
/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:\/\/?[^\/>"'\# 
]{8,29})[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i

It matches this:

  <a href="http://www.chaosreigns.com/";>http://www.example.com</a>

But does not match this (example from actual non-spam):

  <a 
href="http://www.jr.com/tracking?ord_q_num=105725494&ord_q_zip=03076";>http://www.jr.com/tracking</a>


A very simplified form of this new one:

rawbody SPOOFED_URL_DOMAIN /<a href="(https?:\/\/[^\/">]+)[^>]*>(?!\1)http/i

That "(?!\1)" bit is nice and fancy.  It means "not what was in the first
set of parentheses).  In the perlre man page: "A zero-width negative
look-ahead assertion."

-- 
"Every normal man must be tempted at times to spit upon his hands,
hoist the black flag, and begin slitting throats."
 - Henry Louis Mencken (1880-1956)
http://www.ChaosReigns.com

Re: SPOOFED_URL Re: antiphishing

Reply via email to