> This is the first time I've noticed the protocol broken up by line breaks!
Standard hack, been around for a month or two now. I think we may have a SARE rule for this; if not, we will soon.

The trick is that breaking http up with cr characters (not actually newlines) causes SA to not spot it, but it still works for everyone else for some reason.

I'm also including the double-at catcher, since on 2.6x (and possibly 3.x) the double-at causes it to fail to match as a URI.

For ME, these hit only spam. SARE mass-checks show that the double-at rule can hit a small amount of ham. You may want to score accordingly.

Loren

#test for @@ in internal image id link
# can't do this with a uri test, it stops on the second @ sign!
rawbody LW_DOUBLE_AT /IMG SRC="cid:[EMAIL PROTECTED]@[\w\.]+"/i
score LW_DOUBLE_AT 1
describe LW_DOUBLE_AT strange internal image link

#test for carriage return in a uri
# this will fail in a uri test as the uri terminates on the cr (or a second @ for that matter!)
rawbody __LW_URI_CR1 /href=\"[^"]*\r[^\n]/is
full __LW_URI_CR2 /href=\"[^"]*\r[^\n]/is
meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
score LW_URI_CR 2
describe LW_URI_CR unescaped cr in uri

full LW_URI_CR2 /href=\"[^"]*\r[^\n]\w+\r[^\n]/is
score LW_URI_CR2 2
describe LW_URI_CR2 unescaped crs in uri
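
Added example, not part of Loren's post: a Python port of the two carriage-return regexes from the rules above, run over constructed sample bodies to show which inputs fire and that an ordinary CRLF line wrap inside an href does not. The function name, sample strings and the example.com host are assumptions made for illustration; the double-at rule is left out because its pattern is redacted in the archived message.

```python
import re

# Ports of the posted patterns; Perl's /is becomes re.I | re.S.
# A CR counts only when the next character is NOT a newline, so a normal
# CRLF line ending inside the attribute value is ignored.
URI_CR = re.compile(r'href="[^"]*\r[^\n]', re.I | re.S)
URI_CR2 = re.compile(r'href="[^"]*\r[^\n]\w+\r[^\n]', re.I | re.S)

# Scores copied from the posted rules.
SCORES = {"LW_URI_CR": 2, "LW_URI_CR2": 2}


def check_body(raw_body: str) -> dict:
    """Return {rule_name: score} for each CR rule that fires on raw_body.

    raw_body must keep its original line endings: read files as bytes or
    with open(..., newline="") so Python does not rewrite lone CRs.
    """
    hits = {}
    if URI_CR.search(raw_body):
        hits["LW_URI_CR"] = SCORES["LW_URI_CR"]
    if URI_CR2.search(raw_body):
        hits["LW_URI_CR2"] = SCORES["LW_URI_CR2"]
    return hits


# Constructed sample bodies (not taken from real mail).
SAMPLES = {
    "plain": '<a href="http://example.com/page">ok</a>',
    # href wrapped by a normal CRLF line ending: CR followed by LF
    "crlf_wrap": '<a href="http://example.com/\r\npage">ok</a>',
    # a single bare CR inside the scheme
    "one_cr": '<a href="ht\rtp://example.com/">x</a>',
    # two bare CRs separated by word characters
    "two_cr": '<a href="ht\rtp\r://example.com/">x</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {check_body(body)}")
```
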