Bookworm wrote:
> I'm starting to see some new phishing/scam attempts.
>
> What I was thinking was that it might be worthwhile to add a rule to
> not so much check links, but count periods.
> Here's the example that just came in my email -
>
> (removing http:// ) -
> connect.colonialbank.webbizcompany.c6b5r64whf623lx 426xq.secureserv.onlineupdatemirror81105.colonial. certificate.update.65tw.com/logon.htm
>
>


It doesn't resolve from here at this time, so I wonder what's the goal...


Untested yet:

# host part of at least 65 characters
uri URI_LONGISH m|https?://[\w\.-]{65}|
score URI_LONGISH 3.0

# run of 7 digits or "x" characters in the host part
uri URI_GRDNSX m|https?://[^/]*[x\d]{7}|
score URI_GRDNSX 1.5

# run of 16 word characters in the host part
uri URI_LONGLABEL m|https?://[^/]*\w{16}|
score URI_LONGLABEL 0.5

# 5, 6 or 7 dot-terminated labels at the start of the host part
uri URI_DEEP5 m|https?://[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.|
score URI_DEEP5 0.1

uri URI_DEEP6 m|https?://[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.|
score URI_DEEP6 1.0

uri URI_DEEP7 m|https?://[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.[\w-]+\.|
score URI_DEEP7 2.0

> Notice that there are ten periods. That makes it be an eleventh level
> domain name?
>
> In general, you see fewer than four periods in a domain name - but
> I've seen this sort of behavior in spams before.
> Thoughts?
>
> (I'm just a general administrator. I use other people's rules, I
> haven't had time to learn to make my own)
>
> BW
>
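
An added example, not part of the original thread: a Python harness that runs the rule patterns over constructed URIs to show which rules fire and how the scores stack. It assumes each `[\w-]` in the URI_DEEP rules is followed by `+` (so labels longer than one character match) and that URI_LONGLABEL uses `https?`; the sample URIs and the `evaluate` helper are made up for illustration.

```python
import re

# (name, score, pattern) - the thread's rules ported to Python's re module.
RULES = [
    ("URI_LONGISH",   3.0, r"https?://[\w.-]{65}"),
    ("URI_GRDNSX",    1.5, r"https?://[^/]*[x\d]{7}"),
    ("URI_LONGLABEL", 0.5, r"https?://[^/]*\w{16}"),
    ("URI_DEEP5",     0.1, r"https?://(?:[\w-]+\.){5}"),
    ("URI_DEEP6",     1.0, r"https?://(?:[\w-]+\.){6}"),
    ("URI_DEEP7",     2.0, r"https?://(?:[\w-]+\.){7}"),
]
COMPILED = [(name, score, re.compile(pat, re.ASCII)) for name, score, pat in RULES]

# The URI_DEEP5 pattern with single-character labels only, for comparison.
SINGLE_CHAR_DEEP5 = re.compile(r"https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.", re.ASCII)

def evaluate(uri):
    """Return (names of rules that hit, summed score) for one URI."""
    hits = [(name, score) for name, score, rx in COMPILED if rx.search(uri)]
    return [name for name, _ in hits], round(sum(score for _, score in hits), 2)

# Constructed samples (example.com names only, not taken from real mail).
DEEP_PHISH = ("http://connect.examplebank.webhost.a1b2c3d4e5f6g7h8i9j0."
              "secureserv.onlineupdatemirror81105.examplebank.certificate."
              "update.example.com/logon.htm")           # ten periods in the host
PLAIN      = "https://www.example.com/account/login"
DEEP_LEGIT = "http://mail.eu.corp.example.co.uk/"       # five dot-terminated labels
LONG_PATH  = ("http://example.com/downloads/"
              "aaaaaaaaaaaaaaaaaaaaaaaa.bbbb.cccc.dddd.eeee.ffff.gggg.html")

if __name__ == "__main__":
    for uri in (DEEP_PHISH, PLAIN, DEEP_LEGIT, LONG_PATH):
        names, total = evaluate(uri)
        print(f"{total:4.1f}  {','.join(names) or '-'}  {uri[:60]}")
    # The DEEP rules are cumulative: a 7-label host also hits DEEP5 and DEEP6,
    # so the depth contribution is 0.1 + 1.0 + 2.0, not 2.0 alone.
    print("single-char pattern hits deep sample:",
          bool(SINGLE_CHAR_DEEP5.search(DEEP_PHISH)))
```

The deep but legitimate host only picks up URI_DEEP5 at 0.1, and dots or long strings in the path do not count because every pattern is anchored to the host part.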