>...
>
>Hello Craig,
>
>Thursday, May 5, 2005, 10:33:51 AM, you wrote:
>
>CB> Most of my spam that's getting through at this point is stuff that has a URI
>CB> with multiple carriage returns in it like this:
>
>CB> <A href="h
>CB> ttp://eafbfowksugw.org&ghikk2hnvo32i7d21gun%2Eetn
>CB> eanim
>bme%2Ecom/">>
>
>CB> I know this trick has been discussed. I looked for a bug report, and couldn't
>CB> find one on this particular thing. I did find a thread in the archives about
>CB> this, and a couple of rules were suggested, but someone mentioned that at
>CB> least one of the rules results in a lot of FPs. Is anyone aware of a rule
>CB> that will catch these that doesn't trigger a lot of FPs?
>
>Best I've seen in a bunch of testing:
>rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
>full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
>meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
>score LW_URI_CR 2
>describe LW_URI_CR unescaped cr in uri
>#hist LW_URI_CR Loren Wilton
>#counts LW_URI_CR 49s/0h of 292007 corpus (122219s/169788h RM) 04/27/05
>
>Doesn't catch all of them, for reasons I haven't yet figured out, but
>catches some, and no FPs here.
>
>Bob Menschel
>

Just in case anyone else keeps track, etneanimbme. com is yet another multitrade group domain (name servers in aicstrungcb. biz), registered at YesNIC (whose "whois" server has been down for a full day now).
Paul Shupak [EMAIL PROTECTED]
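
Added example (not from anyone in this thread): a Python sketch that runs the quoted LW_URI_CR pattern over constructed href samples to show which line-break styles it does and does not match. The broader check beside it (any CR or LF inside a quoted href, with the collapsed URL reported) is an assumption made here and has not been tested for FPs; all function names and sample strings are made up for illustration.

```python
import re

# Pattern copied from the __LW_URI_CR1 / __LW_URI_CR2 rules quoted above (/is flags).
LW_URI_CR = re.compile(r'href=\"[^"]*\r[^\n]', re.I | re.S)

# Assumption, not from the thread: capture any double-quoted href value.
HREF_VALUE = re.compile(r'href="([^"]*)"', re.I | re.S)


def matches_lw_uri_cr(body: str) -> bool:
    """True when the quoted rule's regex would hit: a CR inside an href
    that is not immediately followed by LF."""
    return LW_URI_CR.search(body) is not None


def hrefs_with_line_breaks(body: str):
    """Return (raw_value, collapsed_value) for each quoted href that
    contains a CR or LF anywhere, whatever the line-ending style."""
    found = []
    for m in HREF_VALUE.finditer(body):
        raw = m.group(1)
        if "\r" in raw or "\n" in raw:
            found.append((raw, re.sub(r"[\r\n]+", "", raw)))
    return found


# Constructed samples (placeholder domain), one per line-break style.
SAMPLES = {
    "bare_cr": '<A href="h\rttp://exam\rple.invalid/">x</A>',
    "crlf":    '<A href="h\r\nttp://exam\r\nple.invalid/">x</A>',
    "bare_lf": '<A href="h\nttp://exam\nple.invalid/">x</A>',
    "clean":   '<A href="http://example.invalid/">x</A>',
}


def compare(samples=SAMPLES):
    """Map sample name -> (quoted rule hits?, collapsed URLs from broad check)."""
    return {
        name: (matches_lw_uri_cr(body),
               [collapsed for _, collapsed in hrefs_with_line_breaks(body)])
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (rule_hit, urls) in compare().items():
        print(f"{name:8} LW_URI_CR={rule_hit!s:5} broken_hrefs={urls}")
```

On these samples the quoted pattern fires only for the bare-CR case, because `\r[^\n]` excludes a CR that is followed by LF; the broader check also reports the CRLF and bare-LF variants, and would equally report any legitimate href that happens to be wrapped across lines.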