On Thu, 04 Dec 2014 23:40:39 +0100 Axb <axb.li...@gmail.com> wrote: > uri __URI_COSTCO /costco\.com/i > uri __URI_PHPASKC /\.php\?c\=/ > meta AXB_URI_COSTCO_JJ (__URI_COSTCO && __URI_PHPASKC) > score AXB_URI_COSTCO_JJ 10.0
I've seen variants purportedly from Kroger, Target and Best Buy. We're having good luck with the following: uri __RP_D_00081_1 /\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}/ header __RP_D_00081_2 Subject =~ /\b(?:order|buying)\b/i meta RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2 describe RP_D_00081 Link to malware score RP_D_00081 30 Regards, David.