I noticed an email from salesforce has a 'user tracking' web bug in it but it isn't currently detected by SA or SARES
( I removed the real numbers after oid so it doesn't cause FP's here ;-) </html><img src="http://na3.salesforce.com/servlet/servlet.ImageServer?oid=000000000 00&esid=000000000000"><br><br><DIV style="display:none;"></DIV> Would this find it? uri SALESFORCE_WEBBUG m'http://.*salesforce.com/servlet/servlet.ImageServer\?oid.*esid'i describe SALESFORCE_WEBBUG Sender has Salesforce Email tracking enabled score SALESFORCE_WEBBUG 1.0 Would you better prefer a rawbody and img src match? -- Michael Scheidell, CTO SECNAP Network Security Corporation Keep up to date with latest information on IT security: Real time security alerts: http://www.secnap.com/news
