spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From francis picabia <fpica...@gmail.com>
Subject Re: spamassassin rule to combat phishing
Date Wed, 29 Oct 2014 13:50:25 GMT
On Wed, Oct 29, 2014 at 10:27 AM, francis picabia <fpicabia@gmail.com>
wrote:

> I've tested the rule:
>
> uri     URI_MYDOMAIN_PHISH
> m;^https?://(?:[^./]+\.)*example\.com[^/?];i
>
>
> is catching this sample newletter link:
>
> Oct 29 09:38:50.368 [24608] dbg: rules: ran uri rule
> URI_MYDOMAIN_PHISH ======> got hit: "http://example.com&"
>
> Complete email body content in test of newsletter link:
>
> <a target="_blank"
> href="http://www.environmental-expert.com/redirectnewsletter_login.asp?UR=
> L=http://www.environmental-expert.com&loginemail=user@example.com&loginc=
> ode=123456&utm_source=Articles_Waste_Recycling_01112014&utm_medium=em=
> ail&utm_campaign=newsletters&utm_content=logoclick"><img
> src="http://www.environmental-expert.com/newsletter/images/logo_dark_smal=
> l.gif"
> width="200" height="83" border="0"></a>
>
>
> I wonder how the RE can be tweaked to not match this case?
> I still don't understand the ?: part.
>

I don't know if it is the best solution, but adding & to the non-matching
clause has helped for the false positve and still catches the phishing
example:

uri     URI_MYDOMAIN_PHISH   m;^https?://(?:[^./]+\.)*example\.com[^/?&];i

Mime
View raw message