Hi there
Apparently when you use sharethis.com (who use S3 for hosting services)
to send out links, the links look like
hXXp://img.sharethis.com *DOT* s3.amazonaws.com
I imagine from this that ANY .com domain using Amazon S3 services would
create similar URLs?
This causes SPOOF_COM* rules to trigger
* 3.0 SPOOF_COM2OTH URI: URI contains ".com" in middle
* 1.6 SPOOF_COM2COM URI: URI contains ".com" in middle and end
Owch. So there's a big class of FPs happening there, and I'd say there's
redundancy in those rules? i.e. is 4.6 really an appropriate score for
*one* img link?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
