On Jun 9, 2014, at 4:25 PM, John Hardin <jhar...@impsec.org> wrote: > On Mon, 9 Jun 2014, Philip Prindeville wrote: > >>>>>> We’re getting a lot of spam that contains URL’s which look like (remove >>>>>> the ####): >>>>>> >>>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol >> >> BTW, I found that the last N characters of the above URL’s were always the >> same, and tried to do a “body” rule based on those last N characters, but I >> couldn’t get the rule to match. >> >> Still not sure why. The entire <a ...> sequence is only 382 characters long. >> >> Any ideas? > > If it's in an HTML anchor tag the URL itself isn't in the "body" text, only > the display label will be. > > Try a "uri" rule.
Thanks, that did it. -Philip