On Apr 23, 2011, at 7:35 AM, Steve Basford wrote: > > > Derek Chee wrote: >> Hi, >> >> Just a heads up to all... I've been getting reports that there is a false >> positive with with winnow.phish.pt.google.640144. According to the >> signature decoder, >> <http://sane.mxuptime.com/s.aspx?id=winnow.phish.pt.google.640144>, the URL >> will end up matching any Google Apps spreadsheet over SSL if I read the >> signature correctly. >> >> I reported it to OITC for a re-check, but thought people might want to know. >> >> >> > Hi Derek, > > Thanks for the report. > > I've whitelisted the signature on the mirrors with a .ign2 file... until Tom > can take a look. > > Cheers, > > Steve > Sanesecurity > Thanks Steve. Travelling for easter and just got access to a computer. Signature removed. There is a lot of google abuse going on. I will try to fine tune my algos. Tom Happy Easter