Hi,
Could anybody please run this rule against his SPAM/HAM corpus?
I just whipped up this
rawbody LOCAL_URL_SYNTAX_1 /www\.[a-z]+\.[a-z]+\.com\/[a-z0-9]{1,4}\/\?AFF_ID=[a-z0-9]+\&[a-z]+[a-z]+/
describe LOCAL_URL_SYNTAX_1 Spammer-like URL syntax - TEST RULE 04-02-07
score LOCAL_URL_SYNTAX_1 1.0
to catch all those mails that contain URLs like
<A
HREF="http://www.xbaq.whatuthinkwillhappen.com/c/?AFF_ID=c1224&qgdwcmaewo=uwdi">Clwck
Here for Gensric Cinlis</a><br>
<A
HREF="http://www.iprorvpe.whatuthinkwillhappen.com/v/?AFF_ID=v1224&vtdo=aajtyv">Clqck
Here for Genbric Vibgra</a><br>
<A
HREF="http://www.phaabofzs.suppatimeitnow.com/m/?AFF_ID=m1&bigkssmn=hnewt">
<A
HREF="http://www.jkmwbrwh.takeituptothetop.com/v2/?AFF_ID=d1230&ctxs=zorlmhqb">FIkND
IT HERfE</A><BR>
<A
HREF="http://www.xizrsjfrlz.takeituptothetop.com/x/?AFF_ID=o1230&vollwgu=bwocx">FINsD
IT HxERE</A><BR>
<A
HREF="http://www.vbraaud.takeituptothetop.com/l/?AFF_ID=a1230&wgeazwzomc=jeuz">FsIND
IT HEuRE</A><BR>
<A
HREF="http://www.ebeefbnw.unbelievablepricez.com/c/?AFF_ID=c1224&xijshovcp=rkyvjha">Clfck
Here for Gentric Cialis</a><br>
<A
HREF="http://www.ewxsyeree.unbelievablepricez.com/v/?AFF_ID=v1224&oqydznwv=krixtkg">Click
Here for Gengric Viegra</a><br>
<A
HREF="http://www.lexg.takeituptothetop.com/cv/?AFF_ID=cv0119&yyvvps=nvsvvx">Enter
Here</a><br>
<A
HREF="http://www.hbsw.foreveryourhost.com/c2/?AFF_ID=c20206&fifzban=ebwxhfm">Entdr
Here</a><br>
also things like
<A
HREF="http://www.xgsumpub.stlg.com=www.xomhe.ozgzcqbrh.entertheoneandlive.com/c/?AFF_ID=a3&uhkz=krdhfrspg">Eyntzer
Hegre</a><br>
<A
HREF="http://www.pyuaw.colx.com=www.vzlxxjyuk.ypfeavly.entertheoneandlive.com/v/?AFF_ID=a3&hqaecbxhhr=hjfjj">Etntzer
Heare</a><br>
are in my SPAM folder lots and lots of times.
Thanks!
(the above created via grepping for "AFF_ID" in my spam folder.
"AFF_ID" hits on about half my spam!!)
Maybe this is better: (hits only 1192 times though)
"(www\.[a-z]\.com=)?[a-z]+\.[a-z]+\.com\/[a-z0-9]{1,2}\/\?AFF_ID=[a-z0-9]+\&[a-z0-9]+=[a-z0-9]+"
--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Free Europe-wide ride-sharing service
http://www.spamfreemail.de - 100% clean mailboxes - guaranteed!
http://www.rb-hosting.de - PHP from 9€ - SSH from 19€ - cheap traffic
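
Added example, not part of the original message: a small Python harness that runs both posted patterns over hrefs quoted in the post and over a few constructed ham-style links, the way a corpus check would. It assumes the broken character class reads [a-z0-9] and that the first rule's host labels carry a "+"; the HAM entries and function names are made up for illustration.

```python
import re

# Readings of the two posted patterns (assumptions: the character class is
# closed as [a-z0-9]; RULE_1's host labels get "+" so they match real labels).
RULE_1 = re.compile(
    r"www\.[a-z]+\.[a-z]+\.com/[a-z0-9]{1,4}/\?AFF_ID=[a-z0-9]+&[a-z]+[a-z]+"
)
RULE_2 = re.compile(
    r"(www\.[a-z]\.com=)?[a-z]+\.[a-z]+\.com/[a-z0-9]{1,2}/"
    r"\?AFF_ID=[a-z0-9]+&[a-z0-9]+=[a-z0-9]+"
)

# Spam hrefs copied from the post.
SPAM = [
    "http://www.xbaq.whatuthinkwillhappen.com/c/?AFF_ID=c1224&qgdwcmaewo=uwdi",
    "http://www.jkmwbrwh.takeituptothetop.com/v2/?AFF_ID=d1230&ctxs=zorlmhqb",
    "http://www.lexg.takeituptothetop.com/cv/?AFF_ID=cv0119&yyvvps=nvsvvx",
    "http://www.hbsw.foreveryourhost.com/c2/?AFF_ID=c20206&fifzban=ebwxhfm",
    "http://www.xgsumpub.stlg.com=www.xomhe.ozgzcqbrh.entertheoneandlive.com"
    "/c/?AFF_ID=a3&uhkz=krdhfrspg",
    "http://www.pyuaw.colx.com=www.vzlxxjyuk.ypfeavly.entertheoneandlive.com"
    "/v/?AFF_ID=a3&hqaecbxhhr=hjfjj",
]

# Constructed ham-style links (not from the post).
HAM = [
    "http://www.example.com/shop/?AFF_ID=partner7&ref=newsletter",
    # Legitimate-looking affiliate link on a subdomain: same syntax as the spam.
    "http://www.shop.example.com/a/?AFF_ID=x1&src=mail",
    "https://docs.example.org/guide/?page=2&lang=en",
]


def hits(rule, corpus):
    """Entries the rule fires on (unanchored search, like a rawbody rule)."""
    return [line for line in corpus if rule.search(line)]


def report(name, rule):
    """One summary line per rule: hits in spam and in ham."""
    s, h = hits(rule, SPAM), hits(rule, HAM)
    return f"{name}: spam {len(s)}/{len(SPAM)}, ham {len(h)}/{len(HAM)}"


if __name__ == "__main__":
    print(report("LOCAL_URL_SYNTAX_1", RULE_1))
    print(report("second pattern", RULE_2))
```

The first pattern misses the two "com=www..." hrefs because it wants exactly two labels between "www." and ".com"; the second catches them, and both fire on the constructed subdomain affiliate link.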