>I did write a rule to catch these since a lot of spammers are >still using >this trick :- > >uri __SpoofPort_URL /(?:\....:|\...:)/ > >uri __OkPort_URL /(?:\....:[0-9]|\...:[0-9])/ > >meta MS_Spoof_Port_URL ((__SpoofPort_URL - __OkPort_URL) > 0) > >score MS_Spoof_Port_URL 9 > >describe MS_Spoof_Port_URL Exploits SURBL bug in 3.0* URL with >trailing : > >Worth having even with the patch, not had a FP on it yet. > >Martin
Martin, could we get permission to put this in a SARE file? Full credit to you obviously! --Chris
