Oopsie - typo:

"body" should have been "uri" in the second one.


describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
uri SILLYDOTSDOMAINURI /^https?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8


jp
Quoting Jack Pepper:

>
>
> Maybe try these:
>
> describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI /^https?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI 1.8
>
> describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI /^https?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8
>
> jp
>
>
> Quoting Bookworm:
>
>> I'm starting to see some new phishing/scam attempts.
>>
>> What I was thinking was that it might be worthwhile to add a rule
>> to not so much check links, but count periods. Here's the example
>> that just came in my email -
>>
>> (removing http:// ) -
>> connect.colonialbank.webbizcompany.c6b5r64whf623lx 426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw .com/logon.htm
>>
>> Notice that there are ten periods. That makes it be an eleventh
>> level domain name?
>>
>> In general, you see fewer than four periods in a domain name - but
>> I've seen this sort of behavior in spams before. Thoughts?
>>
>> (I'm just a general administrator. I use other people's rules, I
>> haven't had time to learn to make my own)
>>
>> BW

>
>
>
> --
> Framework? I don't need no steenking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com




--
Framework? I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
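
A small harness for trying rules like the ones in this thread against sample URIs before giving them a live score. It is an added example, not part of the original messages: the two uri patterns are transcribed to Python's re with the scheme written as https? (an assumption), and host_periods, evaluate, max_periods and the sample URIs are names and values constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The thread's two uri patterns, transcribed for Python's re module.
# Assumption: the scheme is written https? so https links are covered too.
LONG_DOMAIN = re.compile(r"^https?://([a-z0-9_\-A-Z]+\.){8,}")
DOTS_DOMAIN = re.compile(r"^https?://([a-z0-9_\-A-Z]+\.)+\.")


def host_periods(uri):
    """Count periods in the host only, so dots in the path are ignored."""
    host = urlsplit(uri).hostname or ""
    # A trailing root dot ("example.com.") does not add a level.
    return host.rstrip(".").count(".")


def evaluate(uri, max_periods=4):
    """Report which checks fire for one URI.

    max_periods is a hypothetical threshold, taken from the observation
    in the thread that ordinary domain names have fewer than four periods.
    """
    periods = host_periods(uri)
    return {
        "long_domain": bool(LONG_DOMAIN.search(uri)),
        "dots_domain": bool(DOTS_DOMAIN.search(uri)),
        "periods": periods,
        "over_threshold": periods > max_periods,
    }


# Constructed sample URIs (example.com is reserved for documentation).
SAMPLES = [
    # Ten periods in the host, modelled on the shape described in the thread.
    "http://connect.bank.webbiz.a1b2.secureserv.update81105"
    ".certificate.update.x9.example.com/logon.htm",
    # Ordinary host; the many dots are all in the path.
    "http://www.example.com/docs/a.b.c.d.e.f.g.h.i.html",
    # Two adjacent dots inside the host.
    "http://login.example..com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample), sample)
```
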