I had a false positive today from a non-spam (but semi-commercial) message and it appears to be a bug, albeit one that isn't too likely to occur, in the HTTP_ESCAPED_HOST rule. Since this rule is scored at 4.0 I thought I should mention it.
Here's the text that triggered the score:

-----
Check out our selection at http://www.exploratoriumstore.com. Don't forget Members receive a 15% discount on store purchases.
-----

The rule is being triggered because there's a % sign on the same line as the URL - not within the URL, as it should be. This also only happens because the URL doesn't have a trailing slash, a usage that is unfortunately common.

I'm not too good at regular expressions, but I believe changing the regex to:

rawbody HTTP_ESCAPED_HOST /http\:\/\/[^\/ ]*%/

...would fix it. (It was considering the hostname done when it reached a slash [^\/]* and should also end when it reaches a space. Or perhaps a parenthesis or quotation mark? Tab? Pound sign? Anything else that URLs commonly end with?)

This same issue could make a false positive in the HTTP_CTRL_CHARS_HOST rule, but I haven't run into one.

--
michael moncur mgm at starlingtech.com
http://www.starlingtech.com/
"Of those who say nothing, few are silent." -- Thomas Neill
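The behaviour reported above, as an added example that is not part of the original message or of SpamAssassin: it runs three host patterns over constructed sample lines using Python's `re` instead of Perl. `ORIGINAL` is an assumption reconstructed from the message's description of the shipped rule, `PROPOSED` is the pattern from the message, and `STRICTER` is a hypothetical variant that also ends the host at the other characters the message asks about.

```python
import re

# Assumption: the shipped rule, reconstructed from the message's description
# ("considering the hostname done when it reached a slash").
ORIGINAL = re.compile(r"http\:\/\/[^\/]*%")
# The pattern proposed in the message: the host also ends at a space.
PROPOSED = re.compile(r"http\:\/\/[^\/ ]*%")
# Hypothetical variant: the host also ends at any whitespace (tab included),
# quotation marks, parentheses, angle brackets and the pound sign.
STRICTER = re.compile(r"""http\:\/\/[^\/\s"'()<>#]*%""")

PATTERNS = {"original": ORIGINAL, "proposed": PROPOSED, "stricter": STRICTER}

# Constructed sample lines; only "reported" comes from the message itself.
SAMPLES = {
    "reported": "Check out our selection at http://www.exploratoriumstore.com. "
                "Don't forget Members receive a 15% discount on store purchases.",
    # A host that really is percent-escaped: every pattern must still fire.
    "escaped_host": "Click http://www%2eexample%2ecom/offer now",
    # URL closed by a quotation mark, as in raw HTML, with a % right after.
    "html_quote": '<a href="http://www.example.com">15% off</a>',
    # URL followed by a tab instead of a space.
    "tab": "http://www.example.com\t15% off",
    # Escape in the path, not the host: no pattern should fire.
    "percent_in_path": "http://www.example.com/a%20b",
}


def fires(sample_name):
    """Return {pattern name: True if the pattern matches the sample line}."""
    line = SAMPLES[sample_name]
    return {name: bool(rx.search(line)) for name, rx in PATTERNS.items()}


def false_positives(pattern_name):
    """Names of samples with a clean host that the pattern still flags."""
    clean = [n for n in SAMPLES if n != "escaped_host"]
    return sorted(n for n in clean if fires(n)[pattern_name])


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} {fires(name)}")
    for name in PATTERNS:
        print(f"{name:9} false positives: {false_positives(name)}")
```

On these samples the space-only fix clears the reported line but still fires when the URL is ended by a quotation mark or a tab, which is the case the closing question in the message anticipates.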