Best I've seen in a bunch of testing:

    rawbody  __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
    full     __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
    meta     LW_URI_CR    __LW_URI_CR1 || __LW_URI_CR2
    score    LW_URI_CR    2
    describe LW_URI_CR    unescaped cr in uri
    #hist    LW_URI_CR    Loren Wilton
    #counts  LW_URI_CR    49s/0h of 292007 corpus (122219s/169788h RM) 04/27/05
Doesn't catch all of them, for reasons I haven't yet figured out, but catches some, and no FPs here.
I have yet to get any hits on this one in over a week, despite receiving several mails that look like they use this pattern. From what I can tell, either the raw-CR spammers aren't targeting us, or something is converting them to newlines before SA gets to see it.
Then there's the other problem: rawbody rules seem to act on a line-by-line basis, so you can look for /href=h$/ or /^ttp/ but not /href=h\nttp/.
-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
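The two points in this thread, Loren's raw-CR-in-URI regex and Kelson's observation that a rawbody rule cannot see across a line break, can be checked offline against a few constructed message bodies. The script below is an added illustration, not code from either poster or from SpamAssassin; it transcribes the regexes from the thread into Python's re module (the /is modifiers become re.I | re.S) and models a "full" rule as one search over the whole body and a "rawbody" rule as a search over each \n-separated line. That per-line model is an assumption taken from Kelson's description, not a statement of how SpamAssassin itself splits the text, and the sample bodies are made up for the test.

```python
import re

# Constructed sample bodies (not from the thread). Each string is the raw
# text of one HTML mail part as a filter would see it after decoding.
BARE_CR = 'Click <a href="http://exam\rple.test/offer">here</a>\n'      # lone CR inside href
CRLF_ONLY = 'Click <a href="http://example.test/offer">here</a>\r\n'    # CR only as part of CRLF
CLEAN = 'Click <a href="http://example.test/offer">here</a>\n'          # nothing unusual
SPLIT_HREF = 'Click <a href=h\nttp://example.test/offer>here</a>\n'     # URI broken by a newline

# Loren's pattern: a CR inside the quoted href that is NOT followed by LF,
# i.e. a bare CR rather than an ordinary CRLF line ending.
URI_CR = re.compile(r'href="[^"]*\r[^\n]', re.I | re.S)

# Kelson's pattern that only a full (whole-body) rule could match.
SPLIT_RE = re.compile(r'href=h\nttp', re.I)


def match_full(body, pattern=URI_CR):
    """Model of a 'full' rule: the pattern sees the entire body as one string."""
    return bool(pattern.search(body))


def match_rawbody(body, pattern=URI_CR):
    """Model of a 'rawbody' rule as Kelson describes it: the pattern is tried
    against each line separately, so context across a line break is lost.
    (Assumption: lines are split on '\\n'; this is the model under test, not a
    claim about SpamAssassin internals.)"""
    return any(pattern.search(line) for line in body.split('\n'))


def classify(body, pattern=URI_CR):
    """Return (full_hit, rawbody_hit) for one body and one pattern."""
    return match_full(body, pattern), match_rawbody(body, pattern)


def run_samples():
    """Run both rule models over every sample; returns a name -> (full, rawbody) map."""
    results = {
        'bare_cr': classify(BARE_CR),
        'crlf_only': classify(CRLF_ONLY),     # explains part of 'doesn't catch all'
        'clean': classify(CLEAN),
        'split_href_uri_cr': classify(SPLIT_HREF),              # no quote, no CR: miss
        'split_href_split_re': classify(SPLIT_HREF, SPLIT_RE),  # full hits, rawbody cannot
    }
    return results


if __name__ == '__main__':
    for name, (full_hit, raw_hit) in run_samples().items():
        print(f'{name:22s} full={full_hit!s:5s} rawbody={raw_hit!s:5s}')
```

The crlf_only case shows one reason the rule misses mail that "looks like" it should hit: once any hop normalises a bare CR into CRLF (or LF), the `\r[^\n]` requirement can no longer be satisfied, which is consistent with Kelson's guess that something upstream rewrites the line endings. The split_href pair shows why a meta over a rawbody and a full variant is useful: the same regex fires under the full model and stays silent under the per-line model.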