Hi out there

(I hope this isn't a double post, I messed up a bit with the list. if it is.. sorry)

I've got this strange problem and I'm sure its my fault, but I just don't find out what's wrong =)

configuration is simple. the interesting two lines are:
SecFilterScanPOST On
SecFilterSelective POST_PAYLOAD "(<\?php|<%.*%>|^#!/)"

ok. as I understand it, that should read the content of uploaded files and check it against this simple regexp.

then I made an upload form and set debug log to 9. the relevant output from mod_security:

Checking signature "(<\\?php|<%.*%>|^#!/)" at POST_PAYLOAD (faked)
Checking against "test=post&test_text=asdfasdf"

ok. it uses the right regexp, but the 'payload' isn't what I expected. thats just the post args in form of get args. what does this faked mean? and why doesn't it check the file content? the check on files_names works perfectly (no .php, .asp etc files can be uploaded directly). I just don't want someone to upload a txt file with code an rename it.

logically, the regexp doesn't match, the uploaded script file lies on the server. and that's exactly the problem I wanted to solve =)

I already did a good amount of rtfm, but didn't find very much. Only thing I don't really understand is the SecUploadDir directive. do I have to use this? tried but failed...

any tipps are appreciated.

ah.. I nearly forgot:
mod_security 1.9.4
apache 2.0.58