A word of caution from our research.

Some legitimate messages do encode other URLs as parameters. As a result,
this kind of filter requires the following constraints (still not
perfect but close):

Be sure your rule fires on the ROOT of the URL so that you are not
capturing parameters that have been encoded. For example,
href="http://%67 etc... but not just http://%67... as in
href=http://legitimate.web.host/somefn.jsp?xyz=http://%67%4D...

Look for encoding of "normal" print characters such as letters and
numbers, as these are not normally encoded in legitimate URLs. (_usually_
is important here as some automated link generation systems we've seen
do code everything either as a half-hearted attempt at security or just
because it's easier to "hit every nail with the hammer".)

If you combine these two constraints then the rule can be very
effective.

Hope this helps,
_M

Pete McNeil (Madscientist)
Chief SortMonster (www.sortmonster.com)
VOX: 703-406-2016
FAX: 703-406-2017
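As an added example (not part of Pete's message, and not Declude or SortMonster code), the two constraints above written out as a small Python check: it looks only at the root of each URL, and only counts percent-escapes that decode to plain ASCII letters or digits. The message bodies and host names are constructed for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# A URL as it appears in a message body. The character class is greedy, so a
# URL that is only a parameter of another URL (...?xyz=http://%67...) is
# swallowed by the outer match and is never examined as a URL of its own.
URL_RE = re.compile(r'https?://([^\s"\'<>]+)', re.IGNORECASE)
ESCAPE_RE = re.compile(r'%[0-9A-Fa-f]{2}')


def encoded_plain_chars(segment: str) -> List[str]:
    """Percent-escapes in `segment` that decode to a plain ASCII letter or digit.

    Those characters never need escaping, so %20 or %3D are ignored while
    %67 ('g') or %4D ('M') count as suspicious."""
    hits = []
    for esc in ESCAPE_RE.findall(segment):
        ch = chr(int(esc[1:], 16))
        if ch.isascii() and ch.isalnum():
            hits.append(esc)
    return hits


def encoded_host_urls(body: str, min_hits: int = 1) -> List[Dict[str, object]]:
    """Return the URLs in `body` whose ROOT (the host part right after the
    scheme, before any '/', '?' or '#') percent-encodes plain letters or digits."""
    flagged = []
    for m in URL_RE.finditer(body):
        root = re.split(r'[/?#]', m.group(1), maxsplit=1)[0]
        escapes = encoded_plain_chars(root)
        if len(escapes) >= min_hits:
            flagged.append({"url": m.group(0), "root": root,
                            "decoded_root": unquote(root), "escapes": escapes})
    return flagged


# Constructed sample bodies (hypothetical hosts, not real sites).
SPAM_BODY = '<a href="http://%67%4D%61%69%6C.example/%6F%66%66%65%72">offer</a>'
LEGIT_BODY = ('<a href="http://legitimate.web.host/somefn.jsp?'
              'xyz=http://%67%4D%61%69%6C.example/">track</a>')
RESERVED_BODY = '<a href="http://www.example.com/my%20file?q=%3D">doc</a>'

if __name__ == "__main__":
    for name, body in [("spam", SPAM_BODY), ("legit", LEGIT_BODY),
                       ("reserved", RESERVED_BODY)]:
        print(name, encoded_host_urls(body))
```

Only the spam body is flagged: the legitimate tracking link carries the same encoded host as a parameter but its own root is plain, and escapes of reserved characters such as %20 never count.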


| -----Original Message-----
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mike K
| Sent: Wednesday, November 20, 2002 9:06 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| A spam I received yesterday had these comments in it also.
| 
| However, one thing I noticed was that the spam had a URL that
| started off with the standard http then was followed by
| PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHex
| Hex and so on.
| 
| This should be very easy to filter on as no legit mailer
| should be hiding URLs like that.
| 
| Mike
| 
| 
| 
| 
| 
| 
| ----- Original Message -----
| From: "Madscientist" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Tuesday, November 19, 2002 8:47 PM
| Subject: RE: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| > |
| > | However, that's the way spam control is heading.  As more and more
| > | people get fed up with spam, more and more of the bozos that are
| > | doing things the wrong way will need to fix their problems.
| > |
| > | I can understand an HTML E-mail having one or two comments in it,
| > | but 10 or 20 is just a waste of bandwidth.  That is information the
| > | recipient will never see.
| > |
| > |                                                     -Scott
| >
| > Where we got into trouble was with big corporate iron... (IBM, Sun,
| > Microsoft, etc...) The comments in those messages were part of the
| > code base generating the messages and I can imagine (as a web
| > developer also) that they are pretty vital to the developers in their
| > ongoing maintenance efforts. It's not uncommon to see quite a few of
| > them. As we increased the threshold to accommodate the legitimate
| > messages we were capturing we soon reached a level where legitimate
| > and non-legitimate were practically indistinguishable. All I'm saying
| > here is that since HTML email is here to stay, and HTML comments are
| > legitimate and sometimes required for coding standards, a simple count
| > of HTML comments will not be a valid spam test in most cases. This has
| > been our experience - your mileage may/will vary.
| >
| > _M
| >
| > ---
| > [This E-mail was scanned for viruses by Declude Virus
| > (http://www.declude.com)]
| >
| > ---
| > This E-mail came from the Declude.JunkMail mailing list.  To 
| > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
| > "unsubscribe Declude.JunkMail".  The archives can be found at 
| > http://www.mail-archive.com.
| >
| >
| 
| 