Please use this updated file instead if you want to test out the filter. Also please post any FP's that you believe should be counterbalanced in the test like the Ticketmaster example.
Thanks,
Matt
# OBFUSCATION
# Last Update: 09/14/2003
#
# Description:
# Encoding of letters and numbers in E-mail is unnecessary, however various techniques are
# sometimes used by spammers to hide from filters, even mixing multiple techniques in URL's at
# times. This filter will detect text and URL encoding only in combinations where multiple
# encoded numbers and characters are in succession or mixed with HTTP address components. More
# information on URL obfuscation techniques can be found at: http://www.pc-help.org/obscure.htm
#
# Usage:
# OBFUSCATION filter C:\IMail\Declude\Obfuscation.txt x 7 0
#
# False Positives:
# Web designers and programmers passing inline code, ASCII text art, and legitimate bulk mailers
# that needlessly URL encode letters and numbers in their script arguments (only special
# characters are necessary). False positives are extremely rare.
# Counterbalances:
# Negative weighting is applied for responsible bulk mailers that fail this test.
#
# Test Exclusions:
# Ticketmaster.
MAILFROM -7 ENDSWITH ticketmaster.com

# URL Encoded Obfuscation:
# This technique is used to obfuscate URL's. The filter will only match two characters in
# succession with the first being a letter or number in order to protect from false positives.
#
# Example:
# http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/

# 0-9
BODY 0 CONTAINS %30%
BODY 0 CONTAINS %31%
BODY 0 CONTAINS %32%
BODY 0 CONTAINS %33%
BODY 0 CONTAINS %34%
BODY 0 CONTAINS %35%
BODY 0 CONTAINS %36%
BODY 0 CONTAINS %37%
BODY 0 CONTAINS %38%
BODY 0 CONTAINS %39%

# A-Z
BODY 0 CONTAINS %41%
BODY 0 CONTAINS %42%
BODY 0 CONTAINS %43%
BODY 0 CONTAINS %44%
BODY 0 CONTAINS %45%
BODY 0 CONTAINS %46%
BODY 0 CONTAINS %47%
BODY 0 CONTAINS %48%
BODY 0 CONTAINS %49%
BODY 0 CONTAINS %4a%
BODY 0 CONTAINS %4b%
BODY 0 CONTAINS %4c%
BODY 0 CONTAINS %4d%
BODY 0 CONTAINS %4e%
BODY 0 CONTAINS %4f%
BODY 0 CONTAINS %50%
BODY 0 CONTAINS %51%
BODY 0 CONTAINS %52%
BODY 0 CONTAINS %53%
BODY 0 CONTAINS %54%
BODY 0 CONTAINS %55%
BODY 0 CONTAINS %56%
BODY 0 CONTAINS %57%
BODY 0 CONTAINS %58%
BODY 0 CONTAINS %59%
BODY 0 CONTAINS %5a%

# a-z
BODY 0 CONTAINS %61%
BODY 0 CONTAINS %62%
BODY 0 CONTAINS %63%
BODY 0 CONTAINS %64%
BODY 0 CONTAINS %65%
BODY 0 CONTAINS %66%
BODY 0 CONTAINS %67%
BODY 0 CONTAINS %68%
BODY 0 CONTAINS %69%
BODY 0 CONTAINS %6a%
BODY 0 CONTAINS %6b%
BODY 0 CONTAINS %6c%
BODY 0 CONTAINS %6d%
BODY 0 CONTAINS %6e%
BODY 0 CONTAINS %6f%
BODY 0 CONTAINS %70%
BODY 0 CONTAINS %71%
BODY 0 CONTAINS %72%
BODY 0 CONTAINS %73%
BODY 0 CONTAINS %74%
BODY 0 CONTAINS %75%
BODY 0 CONTAINS %76%
BODY 0 CONTAINS %77%
BODY 0 CONTAINS %78%
BODY 0 CONTAINS %79%
BODY 0 CONTAINS %7a%

# With HTTP
BODY 0 CONTAINS http://%
BODY 0 CONTAINS [EMAIL PROTECTED]
BODY 0 CONTAINS %.%

# HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's and hide keywords. The filter will only match
# two characters in succession with the first being a letter or number in order to protect
# from false positives.
#
# Examples:
# <A HREF="http://www.google.com/">Google</A>
# VIAGRA

# 0-9
BODY 0 CONTAINS 0&#
BODY 0 CONTAINS 1&#
BODY 0 CONTAINS 2&#
BODY 0 CONTAINS 3&#
BODY 0 CONTAINS 4&#
BODY 0 CONTAINS 5&#
BODY 0 CONTAINS 6&#
BODY 0 CONTAINS 7&#
BODY 0 CONTAINS 8&#
BODY 0 CONTAINS 9&#

# A-Z
BODY 0 CONTAINS A&#
BODY 0 CONTAINS B&#
BODY 0 CONTAINS C&#
BODY 0 CONTAINS D&#
BODY 0 CONTAINS E&#
BODY 0 CONTAINS F&#
BODY 0 CONTAINS G&#
BODY 0 CONTAINS H&#
BODY 0 CONTAINS I&#
BODY 0 CONTAINS J&#
BODY 0 CONTAINS K&#
BODY 0 CONTAINS L&#
BODY 0 CONTAINS M&#
BODY 0 CONTAINS N&#
BODY 0 CONTAINS O&#
BODY 0 CONTAINS P&#
BODY 0 CONTAINS Q&#
BODY 0 CONTAINS R&#
BODY 0 CONTAINS S&#
BODY 0 CONTAINS T&#
BODY 0 CONTAINS U&#
BODY 0 CONTAINS V&#
BODY 0 CONTAINS W&#
BODY 0 CONTAINS X&#
BODY 0 CONTAINS Y&#
BODY 0 CONTAINS Z&#

# a-z
BODY 0 CONTAINS a&#
BODY 0 CONTAINS b&#
BODY 0 CONTAINS c&#
BODY 0 CONTAINS d&#
BODY 0 CONTAINS e&#
BODY 0 CONTAINS f&#
BODY 0 CONTAINS g&#
BODY 0 CONTAINS h&#
BODY 0 CONTAINS i&#
BODY 0 CONTAINS j&#
BODY 0 CONTAINS k&#
BODY 0 CONTAINS l&#
BODY 0 CONTAINS m&#
BODY 0 CONTAINS n&#
BODY 0 CONTAINS o&#
BODY 0 CONTAINS p&#
BODY 0 CONTAINS q&#
BODY 0 CONTAINS r&#
BODY 0 CONTAINS s&#
BODY 0 CONTAINS t&#
BODY 0 CONTAINS u&#
BODY 0 CONTAINS v&#
BODY 0 CONTAINS w&#
BODY 0 CONTAINS x&#
BODY 0 CONTAINS y&#
BODY 0 CONTAINS z&#

# With HTTP
BODY 0 CONTAINS http://&#
BODY 0 CONTAINS ;@&#
BODY 0 CONTAINS ;.&#

# Combination URL and HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's. The filter will match two differently encoded
# characters in succession or separated by HTTP address components.
#
# Example:
# <A HREF="http://%77w%77.g%6Fo%67l%65.c%6Fm/">Google</A>

BODY 0 CONTAINS %&#
BODY 0 CONTAINS %@&#
BODY 0 CONTAINS ;@%
BODY 0 CONTAINS %.&#
BODY 0 CONTAINS ;.%

# Hexadecimal IP Obfuscation
# This technique is used to obfuscate IP addresses. The filter will only match a hexadecimal
# number found immediately following one of three possible HTTP address components. Commented
# out due to a lack of current use in spam.
#
# Example:
# http://0xd8.0xef.0x25.0x64/

#BODY 0 CONTAINS http://0x0
#BODY 0 CONTAINS http://0x1
#BODY 0 CONTAINS http://0x2
#BODY 0 CONTAINS http://0x3
#BODY 0 CONTAINS http://0x4
#BODY 0 CONTAINS http://0x5
#BODY 0 CONTAINS http://0x6
#BODY 0 CONTAINS http://0x7
#BODY 0 CONTAINS http://0x8
#BODY 0 CONTAINS http://0x9
#BODY 0 CONTAINS http://0xa
#BODY 0 CONTAINS http://0xb
#BODY 0 CONTAINS http://0xc
#BODY 0 CONTAINS http://0xd
#BODY 0 CONTAINS http://0xe
#BODY 0 CONTAINS http://0xf

#BODY 0 CONTAINS @0x0
#BODY 0 CONTAINS @0x1
#BODY 0 CONTAINS @0x2
#BODY 0 CONTAINS @0x3
#BODY 0 CONTAINS @0x4
#BODY 0 CONTAINS @0x5
#BODY 0 CONTAINS @0x6
#BODY 0 CONTAINS @0x7
#BODY 0 CONTAINS @0x8
#BODY 0 CONTAINS @0x9
#BODY 0 CONTAINS @0xa
#BODY 0 CONTAINS @0xb
#BODY 0 CONTAINS @0xc
#BODY 0 CONTAINS @0xd
#BODY 0 CONTAINS @0xe
#BODY 0 CONTAINS @0xf

#BODY 0 CONTAINS .0x0
#BODY 0 CONTAINS .0x1
#BODY 0 CONTAINS .0x2
#BODY 0 CONTAINS .0x3
#BODY 0 CONTAINS .0x4
#BODY 0 CONTAINS .0x5
#BODY 0 CONTAINS .0x6
#BODY 0 CONTAINS .0x7
#BODY 0 CONTAINS .0x8
#BODY 0 CONTAINS .0x9
#BODY 0 CONTAINS .0xa
#BODY 0 CONTAINS .0xb
#BODY 0 CONTAINS .0xc
#BODY 0 CONTAINS .0xd
#BODY 0 CONTAINS .0xe
#BODY 0 CONTAINS .0xf

# Octal IP Obfuscation:
# This technique is used to obfuscate IP addresses. Due to the possibility of false positives,
# the filter will only match an HTTP address component followed by two zeros which indicates a
# high probability of an octal number, though only one zero is required for proper encoding.
# Commented out due to a lack of current use in spam.
#
# Example:
# http://0330.000357.0063.00000144/

#BODY 0 CONTAINS http://00
#BODY 0 CONTAINS @00
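
Added example, not part of Matt's post or filter file: the matching logic the filter comments describe, written as Python regular expressions in place of Declude's literal CONTAINS strings, for trying candidate false positives offline. The rule names, `matched_rules`, case-insensitive matching, and the reading of the HTML rule as "an encoded letter or digit followed by another entity" are assumptions; every sample except the URL-encoded one from the post is constructed.

```python
import re

# Character codes for 0-9, A-Z, a-z: the comments' "first being a letter or
# number" condition, in hex (for %XX) and in decimal (for &#NN;).
ALNUM_HEX = r"(?:3[0-9]|[46][1-9a-f]|[57][0-9a])"
ALNUM_DEC = r"0*(?:4[89]|5[0-7]|6[5-9]|[78][0-9]|90|9[7-9]|1[01][0-9]|12[0-2])"
PCT = r"%[0-9a-f]{2}"     # any %XX escape
ENT = r"&#x?[0-9a-f]+;"   # any numeric character reference

# Hypothetical rule names, one per section of the posted filter.
RULES = {name: re.compile(rx, re.I) for name, rx in {
    "url_pair":  rf"%{ALNUM_HEX}{PCT}",               # e.g. %77%77
    "url_http":  rf"http://{PCT}|{PCT}[@.]{PCT}",     # escape beside http://, @ or .
    "html_pair": rf"&#{ALNUM_DEC};&#",                # e.g. &#86;&#73;
    "html_http": r"http://&#|;[@.]&#",
    "mixed":     rf"{PCT}[@.]?{ENT}|{ENT}[@.]?{PCT}",  # two different encodings
    "hex_ip":    r"(?:http://|[@.])0x[0-9a-f]",
    "octal_ip":  r"(?:http://|@)00",
}.items()}
DISABLED = {"hex_ip", "octal_ip"}  # commented out in the posted file

def matched_rules(body, include_disabled=False):
    """Return the names of the rules that fire on a message body."""
    return {name for name, rx in RULES.items()
            if rx.search(body) and (include_disabled or name not in DISABLED)}

SAMPLES = {
    # URL-encoded example taken from the filter comments
    "url": "http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/",
    # Constructed: keyword written entirely as decimal entities
    "html": "&#86;&#73;&#65;&#71;&#82;&#65;",
    # Constructed: URL and HTML encoding alternating inside one link
    "mixed": '<a href="http://&#119;%77&#119;.example.com/">',
    # Hex IP example taken from the filter comments
    "hex": "http://0xd8.0xef.0x25.0x64/",
    # Constructed legitimate mail: only special characters are encoded
    "benign": "http://www.example.com/?q=tom%20%26%20jerry AT&#38;T &#169; 2003",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, sorted(matched_rules(text)))
```

The benign sample stays clean because `%20`, `%26`, `&#38;` and `&#169;` do not encode a letter or digit, which is the false-positive guard the comments describe.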
