False positive report: Currently this appears to be listed as Sanesecurity.Blurl.195 (however the last part of that name seems to change fairly often, I've seen it listed as Sanesecurity.Blurl.194, .254, and .255). The pattern decodes to (.|/|@| |<|_)org2.salsalabs.com/dia/track.jsp('|"| |/|=|_|>| | |?|<) This is the click-tracking URL for salsalabs which (so far as I can tell) is a legitimate bulk-emailer. They distribute newsletters for a number of US non-profits and political groups (at least). Cheers, Jeff