I'm actually inclined to add a check_url(regexp) function that properly extracts all URL's using the same rules as Outlook uses (which is the target client for spammers), and then checks it for matching the regexp. I'll look into that next week if I remember to do it.
Matt. -- <:->Get a smart net</:-> > -----Original Message----- > From: Michael Moncur [mailto:[EMAIL PROTECTED]] > Sent: 31 January 2002 07:38 > To: [EMAIL PROTECTED] > Subject: [SAtalk] False positive in HTTP_ESCAPED_HOST rule > > > I had a false positive today from a non-spam (but > semi-commercial) message and it appears to be a bug, albeit > one that isn't too likely to occur, in the HTTP_ESCAPED_HOST > rule. Since this rule is scored at 4.0 I thought I should mention it. > > Here's the text that triggered the score: > ----- > Check out our selection at > http://www.exploratoriumstore.com. Don't forget Members receive a 15% > discount on store purchases. > ----- > > The rule is being triggered because there's a % sign on the > same line as the URL - not > within the URL, as it should be. This also only happens > because the URL doesn't have > a trailing slash, a usage that is unfortunately common. > > I'm not too good at regular expressions, but I believe > changing the regex to: > > rawbody HTTP_ESCAPED_HOST /http\:\/\/[^\/ ]*%/ > > ...would fix it. (It was considering the hostname done when > it reached a slash [^\/]* and should also end when it reaches > a space. Or perhaps a parenthesis or quotation mark? Tab? > Pound sign? Anything else that URLs commonly end with?) > > This same issue could make a false positive in the > HTTP_CTRL_CHARS_HOST rule, but I haven't run into one. > > -- > michael moncur mgm at starlingtech.com > http://www.starlingtech.com/ > "Of those who say nothing, few are silent." -- Thomas Neill > > > _______________________________________________ > Spamassassin-talk mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk > > ______________________________________________________________ > __________ > This e-mail has been scanned for all viruses by Star Internet. The > service is powered by MessageLabs. For more information on a proactive > anti-virus service working around the clock, around the globe, visit: > http://www.star.net.uk > ______________________________________________________________ > __________ > ________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk ________________________________________________________________________ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
