We've done some research on this and experimented with some rules. More rule templates are coming, but as it turns out - filtering this is harder than you might expect - depending upon your system's requirements. Many supposedly legitimate mail/news systems encode large segments of URLs or even entire URLs after some processing root in order to track user activity. Many of our first attempts to filter based on this kind of encoding have since been rejected due to false positive requests.
One such rule even blocked messages from the IMail list due to an encoded %40 in the tag line. One trick that seems to reduce the false positive rate is to define the root of the URL carefully and to ensure that the pattern match is at the root of the URL... so, for example, look for the href=" or href= at the top of the URL to avoid the kind of legitimate encoding that might come later.

Hope this helps,

_M

PS: We do have a number of rules coding for patterns like this and they are very successful - not as successful as we thought they would be, but still pretty good!

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)

| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Thursday, December 19, 2002 12:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
|
|
| This is a trick to make the user think that they're going to
| a link on yahoo. Actually this is redirecting them to IP address:
|
| 0xD5.0xEF.0x8F.0x9A
|
| or 213.239.143.154 and then encode the path.
|
| I can't see any reason to do this.
|
|
| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Thursday, December 19, 2002 12:29 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Hex Code URL's...
|
|
| Hi;
| I am seeing more and more URLs that are encoded, like:
| http:[EMAIL PROTECTED]/%72%65%64%6C%69%67%68%74%65%6D%61%69%6C%2F%69%6D%61%67%65%73%2F%30%
| I am yet to see anyone with a legitimate eMail use such an approach for sending their links. Is there a legitimate reason to do this? It seems like this could be an easy test to have in JM for the body. It is almost like a 100% guarantee that if used this is a spam.
|
| Regards,
| Kami
---
[This E-mail scanned for viruses by F-Prot Virus Scanner]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
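A body-scanning rule along the lines the thread discusses, written as an added example for this page (it is not code from Declude, SortMonster or any of the posters). It anchors on href= at the root of each link as Pete suggests, canonicalises the dotted-hex IP form Mark describes (and the octal and single-number forms that the same inet_aton rules allow), flags the user@host deception that makes a link look like yahoo, and, to address the false-positive concern, counts only percent-escapes in the path that encode characters which never need encoding (letters and digits). The query string is left alone because that is where tracking redirects legitimately carry an encoded URL. The sample message body, the TEST-NET address 192.0.2.10 and the threshold of four escapes are constructed assumptions, not values from the thread.

```python
import re
from urllib.parse import unquote

# RFC 3986 "unreserved" characters never need percent-encoding, so a run of
# encoded letters/digits in a path is obfuscation rather than necessity.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
NEEDLESS_ENCODING_THRESHOLD = 4  # assumed tuning knob, not a value from the thread

# Match only at the root of a link (right after href=), as suggested in the thread,
# so encoding that appears deeper in a legitimate URL is not what triggers the rule.
HREF_RE = re.compile(r'''href\s*=\s*["']?\s*(https?://[^\s"'>]+)''', re.IGNORECASE)
URL_RE = re.compile(
    r'^(?P<scheme>https?)://(?:(?P<userinfo>[^/@]*)@)?(?P<host>[^/:?#]+)'
    r'(?::(?P<port>\d+))?(?P<path>[^?#]*)',
    re.IGNORECASE,
)
PERCENT_RE = re.compile(r'%([0-9a-fA-F]{2})')
DOTTED_DECIMAL_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def ip_literal_to_dotted(host):
    """Canonicalise an IPv4 literal written with hex (0xD5), octal (0325) or
    decimal components, or with fewer than four components (inet_aton style),
    to plain dotted-decimal.  Returns None when `host` is not an IPv4 literal."""
    parts = host.split(".")
    if not host or len(parts) > 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif len(part) > 1 and re.fullmatch(r"0[0-7]+", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            values.append(int(part, 10))
        else:
            return None  # a hostname label such as "yahoo"
    # inet_aton semantics: every leading component is one byte, the last one
    # fills whatever bytes remain (so a single number is the whole address).
    address = 0
    for value in values[:-1]:
        if value > 255:
            return None
        address = (address << 8) | value
    tail_bits = 8 * (4 - (len(values) - 1))
    if values[-1] >= 1 << tail_bits:
        return None
    address = (address << tail_bits) | values[-1]
    return ".".join(str((address >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyze_url(url):
    """Return the canonical host, the decoded path and a list of findings, or
    None when `url` is not an http(s) URL."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host"), m.group("path") or ""
    findings = []
    dotted = ip_literal_to_dotted(host)
    if dotted is not None:
        findings.append("ip_literal_host")
        if not DOTTED_DECIMAL_RE.fullmatch(host):
            findings.append("obfuscated_ip_host")  # e.g. 0xD5.0xEF.0x8F.0x9A
    if m.group("userinfo") is not None:
        # "http://www.yahoo.com@<real host>/": the browser ignores the part
        # before @; it is there only to be read by the recipient.
        findings.append("userinfo_before_host")
    # Count percent-escapes in the *path* that decode to characters needing no
    # encoding.  The query string is deliberately left alone: tracking redirects
    # legitimately carry a fully encoded URL there (%3A%2F%2F...).
    needless = sum(
        1 for hexpair in PERCENT_RE.findall(path) if chr(int(hexpair, 16)) in UNRESERVED
    )
    if needless >= NEEDLESS_ENCODING_THRESHOLD:
        findings.append("needless_percent_encoding")
    return {"host": dotted or host.lower(), "decoded_path": unquote(path), "findings": findings}


def scan_body(body):
    """Analyse every href= link in a message body; returns one result per link."""
    results = []
    for url in HREF_RE.findall(body):
        result = analyze_url(url)
        if result is not None:
            result["url"] = url
            results.append(result)
    return results


# Constructed sample body: one obfuscated link of the kind discussed in the
# thread (TEST-NET address 192.0.2.10 written in hex) and one ordinary tracking
# redirect that encodes a URL inside its query string.
SAMPLE_BODY = """<p>Your account: <a href="http://www.yahoo.com@0xC0.0x00.0x02.0x0A/%70%61%74%68/%69%6D%67">click here</a></p>
<p><a href="http://news.example.com/track?u=http%3A%2F%2Fwww.example.org%2F&id=42">newsletter</a></p>
"""

if __name__ == "__main__":
    for r in scan_body(SAMPLE_BODY):
        print(r["host"], r["decoded_path"], r["findings"] or "clean")
```

Run against the sample body, the first link comes back with the host canonicalised to 192.0.2.10, the path decoded to /path/img and all four findings set, while the tracking redirect produces no findings at all. A single %7E (the tilde in a ~user path) stays below the threshold, which is the kind of margin that keeps the IMail %40 case from tripping the rule; the threshold itself is the knob to tune per system, as the thread's experience with false positives suggests.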
