Hi Scott,

Have you considered the following?

Since the goal of every spammer is to get the reader to visit their website (or call a 
phone number, or send a fax), every spam always has a target which very often is a URL.

Although in 90% of the cases it is easy to add this to a word filter, I am noticing a 
few spams that use encoding tricks to randomize the URL or unsubscribe link so it is 
harder to add a single entry to filter it.

I was wondering if you had considered a keyword modifier "URL" for the wordfilter 
configuration file that would mean for Declude to assume the following field is a URL 
and to test all variable encodings.

Here's what I mean.  The following are encoded URLs from two recent spams:

http://serine:[EMAIL PROTECTED]

http://entendre:[EMAIL PROTECTED]<assyriay>8.143.72/punish/unsubscribe.php

The Declude entry could be something like:

BODYURL 8 CONTAINS http://www.something.com

instead of:

BODY 8 CONTAINS http://www.something.com

This would mean to try all encodings, or at least go "cleansing" removing the common 
tricks just like the COMMENTS function does.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
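
The cleansing step proposed in the message above, sketched in Python as an added example. It is not Declude code, and `BODYURL` is the poster's suggested keyword, not an existing one. The passwords and the `www.something.com` host in the sample URLs are constructed, since the archive redacted the originals.

```python
import re
from urllib.parse import unquote, urlsplit

# A URL candidate: the scheme, then any run of URL characters or spliced-in <tags>.
URL_RE = re.compile(r"""https?://(?:<[^<>]*>|[^\s"'<>])+""", re.I)
TAG_RE = re.compile(r"<[^<>]*>")

# Constructed samples modelled on the two URLs quoted in the message.
SAMPLES = [
    'Click <a href="http://serine:x9f2@www.something.com/">here</a>',
    "http://entendre:k3@www.some<assyriay>thing.com/punish/unsubscribe.php",
    "http://www.%73omething.com/%75nsubscribe",
    "http://www.example.org/",
]


def cleanse_url(raw):
    """Return scheme://host/path with the common hiding tricks removed."""
    url = TAG_RE.sub("", raw)                # bogus tags spliced into the URL
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""          # drops user:password@ and :port
    except ValueError:                       # malformed authority, e.g. a stray '['
        return url.lower()
    host = unquote(host).lower().rstrip(".") # %73omething -> something
    path = unquote(parts.path)               # %75nsubscribe -> unsubscribe
    return f"{parts.scheme.lower()}://{host}{path}"


def bodyurl_contains(body, needle):
    """Hypothetical BODYURL test: does any cleansed URL in body contain needle?"""
    wanted = cleanse_url(needle)
    return any(wanted in cleanse_url(m.group(0)) for m in URL_RE.finditer(body))


if __name__ == "__main__":
    for body in SAMPLES:
        plain = "http://www.something.com" in body   # what BODY ... CONTAINS sees
        print(plain, bodyurl_contains(body, "http://www.something.com"), body)
```
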