I think the rule is trying to catch email designed to exploit a browser bug, or possibly a MUA bug, where the control characters are actually in the host part of a URL. I don't know the specifics of the problem, but I'm guessing it's a URL something like:
http://www.iamaspammer.ru^H^H^H^H^H^H^H^H^H^H^H^H^H^Hwww.yahoo.com/

Where the MUA makes it look like you're going to be connecting with some site you trust, but the browser is actually ending up taking you somewhere you really don't want to trust.

C

On Mon, 2002-02-25 at 15:14, Woodworth, Eric wrote:
> Hi all!
>
> Ok, so I figured out exactly what this rule was doing (nice refresher on reg ex, which I needed anyway) but I have a question. Why is using control code evidence of spam? Especially because this rule gives 4 points, so it seems like it's considered pretty heavy evidence of spam. I guess I just don't see the connection. Can anybody help clarify? Thanks.
>
> Here's the exact rule for your reading pleasure:
>
> rawbody HTTP_CTRL_CHARS_HOST /http\:\/\/[^\/]*[\x00-\x09\x0b\x0c\x0e-\x1f]/
> describe HTTP_CTRL_CHARS_HOST Uses control sequences inside a URL's hostname
>
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
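
The quoted HTTP_CTRL_CHARS_HOST pattern run over constructed sample lines, as an added example that is not part of the original thread or of SpamAssassin's code. It shows which control bytes the rule fires on, and that the pattern only requires the byte to come before the first "/" after "http://", so a tab following a URL with no path also matches. Assumptions: the `scan` helper is hypothetical, the hostnames are placeholders, and the body is checked one line at a time.

```python
import re

# The HTTP_CTRL_CHARS_HOST pattern exactly as quoted in the message, applied to raw bytes.
RULE = re.compile(rb"http\:\/\/[^\/]*[\x00-\x09\x0b\x0c\x0e-\x1f]")

# Bytes the rule's class accepts: everything below 0x20 except LF (0x0a) and CR (0x0d),
# so ordinary line endings never trigger it.
CTRL = re.compile(rb"[\x00-\x09\x0b\x0c\x0e-\x1f]")


def scan(body: bytes):
    """Return one finding per line matched by the rule (line-by-line is an assumption)."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        m = RULE.search(line)
        if not m:
            continue
        start = m.start() + len(b"http://")
        # [^\/]* is greedy, so the match ends at the LAST control byte before the first "/".
        span = line[start:m.end()]
        ctrl = [(start + c.start(), c.group()[0]) for c in CTRL.finditer(span)]
        findings.append({"line": lineno, "matched": span, "ctrl": ctrl})
    return findings


# Constructed sample body (placeholder hostnames, not taken from real mail).
SAMPLE = (
    b"Plain link: http://www.example.com/index.html\n"
    b"Backspaces: http://untrusted.example" + b"\x08" * 17 + b"trusted.example/\n"
    b"Tab after a path-less URL: http://www.example.com\tmore text\n"
    b"Control byte in the path only: http://www.example.com/a\x08b\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        codes = ", ".join(f"0x{b:02x}@{pos}" for pos, b in f["ctrl"])
        print(f"line {f['line']}: {codes}")
```

Lines 2 and 3 of the sample match; line 4 does not, because its control byte sits after the first "/".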