I believe the HTML decoding already takes care of the second example.  As for the 
first, I've had great success targeting spoofing directly:

BODY    0       CONTAINS        http://7&#
BODY    0       CONTAINS        http://8&#
BODY    0       CONTAINS        http://9&#

BODY    0       CONTAINS        http://%
BODY    0       CONTAINS        http://w%
BODY    0       CONTAINS        http://ww%

BODY    0       CONTAINS        @%30
BODY    0       CONTAINS        @%31
BODY    0       CONTAINS        @%32

Your example will get nailed nicely then, by:

BODY    0       CONTAINS        @%77

Dan



On Friday, July 25, 2003 18:45, [EMAIL PROTECTED] wrote:
>Hi Scott,
>
>Have you considered the following?
>
>Since the goal of every spammer is to get the reader to visit
>their website (or call a phone number, or send a fax), every
>spam always has a target which very often is a URL.
>
>Although in 90% of the cases it is easy to add this to a word
>filter, I am noticing a few spams that use encoding tricks to
>randomize the URL or unsubscribe link so it is harder to add a
>single entry to filter it.
>
>I was wondering if you had considered a keyword modifier "URL"
>for the wordfilter configuration file that would mean for
>Declude to assume the following field is a URL and to test all
>variable encodings.
>
>Here's what I mean.  The following are encoded URLs from two
>recent spams:
>
>http://serine:[EMAIL PROTECTED]
>
>http://entendre:[EMAIL PROTECTED]<assyriay>8.143.72/punish/unsubscribe.php
>
>The Declude entry could be something like:
>
>BODYURL 8 CONTAINS http://www.something.com
>
>instead of:
>
>BODY 8 CONTAINS http://www.something.com
>
>This would mean to try all encodings, or at least go
>"cleansing" removing the common tricks just like the COMMENTS
>function does.
>
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
>
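The "cleansing" idea from the quoted message, sketched as an added example that is not part of the thread and is not Declude's code: each URL in a body is reduced to its real host (HTML numeric entities decoded, percent-encoding decoded, the `user:pass@` prefix dropped) before it is compared with a blocked host, and the tricks the rules above target are reported alongside. The function names and the `example.com` sample body are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Anything that looks like an http(s) URL in the message body.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def canonical_host(raw_url):
    """Return (host, tricks) for one URL exactly as it appears in the body."""
    tricks = set()
    url = html.unescape(raw_url)              # &#119; -> w
    if url != raw_url:
        tricks.add("html-entity")
    try:
        authority = urlsplit(url).netloc
    except ValueError:                        # e.g. malformed [ipv6] brackets
        return "", {"unparseable"}
    if "%" in authority:
        tricks.add("percent-encoded-authority")
    authority = unquote(authority)            # %77%77%77 -> www
    if "@" in authority:                      # text before the last @ is userinfo
        tricks.add("userinfo")
        authority = authority.rsplit("@", 1)[1]
    host = authority.split(":", 1)[0].lower().rstrip(".")
    return host, tricks

def body_matches(body, blocked_host):
    """List (raw_url, host, tricks) for every URL that resolves to blocked_host."""
    hits = []
    for raw in URL_RE.findall(body):
        host, tricks = canonical_host(raw)
        if host == blocked_host or host.endswith("." + blocked_host):
            hits.append((raw, host, sorted(tricks)))
    return hits

# Constructed sample body (not taken from the spams quoted in the thread).
SAMPLE = (
    "Click http://serine:x@%77%77%77.example.com/punish/unsubscribe.php\n"
    "or http://&#119;&#119;w.example.com/offer or http://www.example.org/"
)

if __name__ == "__main__":
    for raw, host, tricks in body_matches(SAMPLE, "example.com"):
        print(host, tricks, raw)
```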
