I've tested the rule: uri URI_MYDOMAIN_PHISH m;^https?://(?:[^./]+\.)*example\.com[^/?];i
is catching this sample newletter link: Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule URI_MYDOMAIN_PHISH ======> got hit: "http://example.com&" Complete email body content in test of newsletter link: <a target="_blank" href="http://www.environmental-expert.com/redirectnewsletter_login.asp?UR= L=http://www.environmental-expert.com&loginemail=u...@example.com&loginc= ode=123456&utm_source=Articles_Waste_Recycling_01112014&utm_medium=em= ail&utm_campaign=newsletters&utm_content=logoclick"><img src="http://www.environmental-expert.com/newsletter/images/logo_dark_smal= l.gif" width="200" height="83" border="0"></a> I wonder how the RE can be tweaked to not match this case? I still don't understand the ?: part.