On Jun 9, 2014, at 4:25 PM, John Hardin <jhar...@impsec.org> wrote:
> On Mon, 9 Jun 2014, Philip Prindeville wrote:
>
>>>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> If it's in an HTML anchor tag the URL itself isn't in the "body" text, only
> the display label will be.
>
> Try a "uri" rule.
This URL is already in my "AC_SPAMMY_URI" template group, though I don't know
if this particular one has been released or not (I never sent an update since
the first batch a few months ago), and even if so the current version would not
have caught it due to being a bit too restrictive.
Try this:
uri __AC_LONGSTRS_URI /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/
Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the
released ones score differently).
--- Amir
