Recently I've seen a bunch of FPs on URI_HEX & NUMERIC_HTTP_ADDR thanks to some
URLs that look like:
 https : // 4490379 . fls . doubleclick . net / activityi
(extra spaces my addition, remove to see actual URL)

These were embedded in some Amtrak ticket confirmation messages. Looking
at my logs, I see that the recent S/O ratios for those two rules have
dropped below 0.5 (i.e. they now hit more ham than spam).

For NUMERIC_HTTP_ADDR the rule is: /^https?\:\/\/\d{7}/is
If that pattern were terminated like:
  /^https?\:\/\/\d{7}(?::\d+)?(?:\/|$)/is
it should prevent the FPs (hopefully without destroying its effectiveness).


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
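
Added example (not part of the original post, and not SpamAssassin's own code): the current and proposed NUMERIC_HTTP_ADDR patterns from the message, run against constructed URLs with Python's re module, which handles these particular constructs the same way Perl does. VARIANT and the sample URLs are assumptions introduced here; the run shows that a fixed \d{7} followed by the new terminator stops matching longer all-digit hosts, such as a 10-digit decimal IPv4 address.

```python
import re

FLAGS = re.I | re.S  # equivalent of the /is modifiers on the rules in the post

# Patterns quoted in the post.
CURRENT = re.compile(r"^https?\:\/\/\d{7}", FLAGS)
PROPOSED = re.compile(r"^https?\:\/\/\d{7}(?::\d+)?(?:\/|$)", FLAGS)
# Assumption, not from the post: same terminator, but 7 or more digits.
VARIANT = re.compile(r"^https?\:\/\/\d{7,}(?::\d+)?(?:\/|$)", FLAGS)

# Constructed samples; the first is the URL from the post with the spaces removed.
SAMPLES = [
    "https://4490379.fls.doubleclick.net/activityi",  # ham that triggered the FP
    "https://1234567.example.com/",                   # digits are only a hostname label
    "http://1234567/",                                # all-digit host, 7 digits
    "http://1234567:8080/x",                          # all-digit host with a port
    "HTTP://1234567",                                 # all-digit host, nothing after it
    "http://3232235777/login",                        # 192.168.1.1 written as one decimal
    "http://example.com/1234567",                     # digits in the path only
]


def hits(pattern, url):
    """True if the rule pattern fires on this URL."""
    return pattern.search(url) is not None


def evaluate(urls=SAMPLES):
    """Map each URL to (current, proposed, variant) hit flags."""
    return {u: (hits(CURRENT, u), hits(PROPOSED, u), hits(VARIANT, u)) for u in urls}


if __name__ == "__main__":
    for url, (cur, prop, var) in evaluate().items():
        print(f"{url:48} current={cur!s:5} proposed={prop!s:5} variant={var!s:5}")
```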
