Hello Craig,

Thursday, May 5, 2005, 10:33:51 AM, you wrote:

CB> Most of my spam that's getting through at this point is stuff that has a URI
CB> with multiple carriage returns in it like this:

CB> <A href="h
CB> ttp://eafbfowksugw.org&ghikk2hnvo32i7d21gun%2Eetn
CB> eanim
CB> bme%2Ecom/">>

CB> I know this trick has been discussed.  I looked for a bug report, and couldn't
CB> find one on this particular thing.  I did find a thread in the archives about
CB> this, and a couple of rules were suggested, but someone mentioned that at
CB> least one of the rules results in a lot of FPs.  Is anyone aware of a rule
CB> that will catch these that doesn't trigger a lot of FPs?

Best I've seen in a bunch of testing:
rawbody   __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full      __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta      LW_URI_CR  __LW_URI_CR1 || __LW_URI_CR2
score     LW_URI_CR  2
describe  LW_URI_CR  unescaped cr in uri
#hist     LW_URI_CR  Loren Wilton
#counts   LW_URI_CR  49s/0h of 292007 corpus (122219s/169788h RM) 04/27/05

Doesn't catch all of them, for reasons I haven't yet figured out, but
catches some, and no FPs here.

Bob Menschel
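
Added example, not part of the original message or of the posted rule set: a coverage check that runs the LW_URI_CR pattern over constructed href samples and reports which line-break kinds sit inside each href value. It tests the regex alone, ported to Python; it does not model how SpamAssassin decodes or splits a message before a rawbody or full rule sees it, and the helper names and the example.test host are assumptions.

```python
import re

# The pattern from the LW_URI_CR sub-rules above, ported to Python's re syntax.
LW_URI_CR = re.compile(r'href="[^"]*\r[^\n]', re.I | re.S)

# Hypothetical helper pattern (not from the thread): an href value in either quote style.
HREF_VALUE = re.compile(r'''href\s*=\s*(?:"([^"]*)"|'([^']*)')''', re.I)
# CRLF is listed first so it is not counted as a bare CR followed by a bare LF.
LINE_BREAK = re.compile(r'\r\n|\r|\n')
NAMES = {'\r\n': 'CRLF', '\r': 'CR', '\n': 'LF'}

def rule_hits(raw):
    """True if the posted pattern matches the raw text."""
    return LW_URI_CR.search(raw) is not None

def href_line_breaks(raw):
    """Return the sorted line-break kinds found inside href values."""
    kinds = set()
    for m in HREF_VALUE.finditer(raw):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        kinds.update(NAMES[b] for b in LINE_BREAK.findall(value))
    return sorted(kinds)

# Constructed samples; example.test is a placeholder host.
SAMPLES = {
    'bare CR':        '<A href="h\rttp://example.test/">x</A>',
    'CRLF':           '<A href="h\r\nttp://example.test/">x</A>',
    'bare LF':        '<A href="h\nttp://example.test/">x</A>',
    'CR, CRLF':       '<A href="h\r\r\nttp://example.test/">x</A>',
    'single quotes':  "<A href='h\rttp://example.test/'>x</A>",
    'CR after value': '<A href="http://example.test/">\rx</A>',
    'clean':          '<A href="http://example.test/">x</A>',
}

def report():
    """Map each sample name to (rule_hits, line-break kinds inside href)."""
    return {name: (rule_hits(raw), href_line_breaks(raw))
            for name, raw in SAMPLES.items()}

if __name__ == '__main__':
    for name, (hit, kinds) in report().items():
        print(f'{name:15} rule_hits={hit!s:5} breaks_in_href={kinds}')
```

Comparing the two columns on a labelled corpus shows which line-ending and quoting variants the pattern covers before its score is raised.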


