On Mon, 2008-11-10 at 10:11 -0800, dave128 wrote:
> the e-mail servers are always different, as are the addresses at the bottom.
> the only real "pattern" I can see is that the SPAM always includes
> references like this:
>
> http://fsbonh.com/MxAGpeMvMAvGivpYpYpYexvAiMHOGp
>
> so each message includes a few references to similar URLs, with slightly
> different keys after the domain. the form is like this:
>
> http://{domain}/{31-character encoded key, mixed upper and lower case
> alpha characters}
>
> has anyone seen this type of spam? is there some way of defining a rule to
> add a weight for this?


uri MIXEDCASE_URI_31 /\/\w{31}\b/
score MIXEDCASE_URI_31 2

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkkYiI0ACgkQGvhCU13z7IiLAgCeMwjC/W6otmHxTaoAHIw030Nc
bL4AnRmBZi7VuiycZmokw+Ej5e9w7aPI
=tbrO
-----END PGP SIGNATURE-----