Another good way to differentiate the encoded characters is to trap on encoding characters that _should_ be normal ascii letters or numbers. In theory, the only characters that should be encoded would be outside this range so it's a good bet that encoding normal characters is an obfuscation attempt.
This will definitely need to be a weighted test though. _M | -----Original Message----- | From: [EMAIL PROTECTED] | [mailto:[EMAIL PROTECTED]] On Behalf Of R. | Scott Perry | Sent: Thursday, December 19, 2002 1:32 PM | To: [EMAIL PROTECTED] | Subject: RE: [Declude.JunkMail] Hex Code URL's... | | | | >The problem is searching for http://%@% where % is the wildcard. I | >don't think this is possible with the current filters. | | No, that wouldn't be possible with the current filters | (although the IMail | filters might handle it). | | We will likely add two tests; one that looks for encoded | characters within | the domain of a URL (IE it would catch | "http://www.declud%65.com"; but not | "http://www.declude.com/sp%61m";), and another that looks for an "@" within the URL. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
