>> >> On Wed, Jan 24, 2007 at 11:11:20AM +0200, Henrik Krohns wrote: >> > On Wed, Jan 24, 2007 at 05:41:33AM -0000, [EMAIL PROTECTED] wrote: >> > > >> > > >> > > since yesterday I have seen quite a few of them: >> > > Will we eventually get a check for obfuscated urls? >> > > >> > > Wolfgang >> > > >> > > http://www.bullshit*com (Important! Replace "*" with "." ) >> > >> > I'm running something like this.. >> > >> > body HK_OBFDOM >> > /http:(?:\/|\\|\|)+[a-z0-9._-]*[^a-z0-9._\/\\\s-]+[a-z0-9._\\\/-]/i >> > describe HK_OBFDOM Domain contains illegal characters >> > score HK_OBFDOM 2.5 >> > >> > body __hk_obfdomreq1 /\b(?:remove|replace)\b/i >> > body __hk_obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i >> > meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1 && __hk_obfdomreq2) >> > describe HK_OBFDOMREQ Request to modify obfuscated domain >> > score HK_OBFDOMREQ 2 >> >> Oops, "body HK_OBFDOM" being "uri HK_OBFDOM" ofcourse.. >> >> Cheers, >> Henrik >> Hi Henrik,
thanks a lot. I guess that the meta could use an || rather than &&; my samples all had "replace" but neither "address" nor "domain" Wolfgang
