Recently I've seen a bunch of FPs on URI_HEX & NUMERIC_HTTP_ADDR thanks to some URLs that look like: https : // 4490379 . fls . doubleclick . net / activityi (extra spaces my addition, remove to see actual URL)
These were embedded in some amtrack ticket confirmation messages. Looking at my logs, I see that the recent S/O ratios for those two rules have dropped below 0.5 (IE now hit more ham than spam). For NUMERIC_HTTP_ADDR the rule is: /^https?\:\/\/\d{7}/is If that pattern were terminated like: /^https?\:\/\/\d{7}(?::\d+)?(?:\/|$)/is it should prevent the FPs (hopefully with out destroying its effectiveness) -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{