Standard hack, been around for a month or two now. I think we may have a SARE rule for this, if not we will soon. The trick is that breaking http up with cr characters (not actually newlines) causes SA to not spot it, but it still works for everyone else for some reason. I'm also including the double-at catcher, since on 2.6x (and possibly 3.x) the double-at causes it to fail to match as a URI.
For ME, these hit only spam. SARE mass-checks show that the double-at rule can hit a small amount of ham. You may want to score accordingly.
Robert Menschel wrote:
The rule I've tested which seems to hit the most spam is
...
Thanks. I'll try boths sets of rules and see what works best here.
-- Kelson Vibber SpeedGate Communications <www.speed.net>