Very nice work, Matt!  And thanks a bunch for sharing your efforts with the
list!

Bill
----- Original Message ----- 
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 14, 2003 10:14 AM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter - attachment - replacement!


> I just figured out that the attachment exclusion thing doesn't work as
> desired so I removed everything pertaining to that (oops).  The chance
> of a false positive occurring is very low even without the ability to
> exclude inline attachments that might contain raw scripting or HTML code.
>
> Please use this updated file instead if you want to test out the
> filter.  Also please post any FP's that you believe should be
> counterbalanced in the test like the Ticketmaster example.
>
> Thanks,
>
> Matt
>
>


--------------------------------------------------------------------------------


> # OBFUSCATION
> # Last Update: 09/14/2003
> #
> # Description:
> # Encoding of letters and numbers in E-mail is unnecessary; however, various
> # techniques are sometimes used by spammers to hide from filters, even mixing
> # multiple techniques in URL's at times.  This filter will detect text and URL
> # encoding only in combinations where multiple encoded numbers and characters
> # are in succession or mixed with HTTP address components.  More information
> # on URL obfuscation techniques can be found at:
> # http://www.pc-help.org/obscure.htm
> #
> # Usage:
> # OBFUSCATION     filter     C:\IMail\Declude\Obfuscation.txt     x     7     0
> #
> # False Positives:
> # Web designers and programmers passing inline code, ASCII text art, and
> # legitimate bulk mailers that needlessly URL encode letters and numbers in
> # their script arguments (only special characters are necessary).  False
> # positives are extremely rare.
>
>
> # Counterbalances:
> # Negative weighting is applied for responsible bulk mailers that fail
this test.
> #
> # Test Exclusions:
> # Ticketmaster.
>
> MAILFROM -7 ENDSWITH ticketmaster.com
>
>
> # URL Encoded Obfuscation:
> # This technique is used to obfuscate URL's.  The filter will only match two
> # characters in succession with the first being a letter or number in order
> # to protect from false positives.
> #
> # Example:
> # http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/
>
> # 0-9
>
> BODY 0 CONTAINS %30%
> BODY 0 CONTAINS %31%
> BODY 0 CONTAINS %32%
> BODY 0 CONTAINS %33%
> BODY 0 CONTAINS %34%
> BODY 0 CONTAINS %35%
> BODY 0 CONTAINS %36%
> BODY 0 CONTAINS %37%
> BODY 0 CONTAINS %38%
> BODY 0 CONTAINS %39%
>
> # A-Z
>
> BODY 0 CONTAINS %41%
> BODY 0 CONTAINS %42%
> BODY 0 CONTAINS %43%
> BODY 0 CONTAINS %44%
> BODY 0 CONTAINS %45%
> BODY 0 CONTAINS %46%
> BODY 0 CONTAINS %47%
> BODY 0 CONTAINS %48%
> BODY 0 CONTAINS %49%
> BODY 0 CONTAINS %4a%
> BODY 0 CONTAINS %4b%
> BODY 0 CONTAINS %4c%
> BODY 0 CONTAINS %4d%
> BODY 0 CONTAINS %4e%
> BODY 0 CONTAINS %4f%
> BODY 0 CONTAINS %50%
> BODY 0 CONTAINS %51%
> BODY 0 CONTAINS %52%
> BODY 0 CONTAINS %53%
> BODY 0 CONTAINS %54%
> BODY 0 CONTAINS %55%
> BODY 0 CONTAINS %56%
> BODY 0 CONTAINS %57%
> BODY 0 CONTAINS %58%
> BODY 0 CONTAINS %59%
> BODY 0 CONTAINS %5a%
>
> # a-z
>
> BODY 0 CONTAINS %61%
> BODY 0 CONTAINS %62%
> BODY 0 CONTAINS %63%
> BODY 0 CONTAINS %64%
> BODY 0 CONTAINS %65%
> BODY 0 CONTAINS %66%
> BODY 0 CONTAINS %67%
> BODY 0 CONTAINS %68%
> BODY 0 CONTAINS %69%
> BODY 0 CONTAINS %6a%
> BODY 0 CONTAINS %6b%
> BODY 0 CONTAINS %6c%
> BODY 0 CONTAINS %6d%
> BODY 0 CONTAINS %6e%
> BODY 0 CONTAINS %6f%
> BODY 0 CONTAINS %70%
> BODY 0 CONTAINS %71%
> BODY 0 CONTAINS %72%
> BODY 0 CONTAINS %73%
> BODY 0 CONTAINS %74%
> BODY 0 CONTAINS %75%
> BODY 0 CONTAINS %76%
> BODY 0 CONTAINS %77%
> BODY 0 CONTAINS %78%
> BODY 0 CONTAINS %79%
> BODY 0 CONTAINS %7a%
>
> # With HTTP
>
> BODY 0 CONTAINS http://%
> BODY 0 CONTAINS [EMAIL PROTECTED]
> BODY 0 CONTAINS %.%
>
>
> # HTML Encoded Obfuscation:
> # This technique is used to obfuscate URL's and hide keywords.  The filter
> # will only match two characters in succession with the first being a letter
> # or number in order to protect from false positives.
> #
> # Examples:
> # <A HREF="http://&#119;&#119;&#119;.&#103;&#111;&#111;&#103;&#108;&#101;.&#99;&#111;&#109;/">Google</A>
> # V&#73;AG&#82;A
>
> # 0-9
>
> BODY 0 CONTAINS &#48;&#
> BODY 0 CONTAINS &#49;&#
> BODY 0 CONTAINS &#50;&#
> BODY 0 CONTAINS &#51;&#
> BODY 0 CONTAINS &#52;&#
> BODY 0 CONTAINS &#53;&#
> BODY 0 CONTAINS &#54;&#
> BODY 0 CONTAINS &#55;&#
> BODY 0 CONTAINS &#56;&#
> BODY 0 CONTAINS &#57;&#
>
> # A-Z
>
> BODY 0 CONTAINS &#65;&#
> BODY 0 CONTAINS &#66;&#
> BODY 0 CONTAINS &#67;&#
> BODY 0 CONTAINS &#68;&#
> BODY 0 CONTAINS &#69;&#
> BODY 0 CONTAINS &#70;&#
> BODY 0 CONTAINS &#71;&#
> BODY 0 CONTAINS &#72;&#
> BODY 0 CONTAINS &#73;&#
> BODY 0 CONTAINS &#74;&#
> BODY 0 CONTAINS &#75;&#
> BODY 0 CONTAINS &#76;&#
> BODY 0 CONTAINS &#77;&#
> BODY 0 CONTAINS &#78;&#
> BODY 0 CONTAINS &#79;&#
> BODY 0 CONTAINS &#80;&#
> BODY 0 CONTAINS &#81;&#
> BODY 0 CONTAINS &#82;&#
> BODY 0 CONTAINS &#83;&#
> BODY 0 CONTAINS &#84;&#
> BODY 0 CONTAINS &#85;&#
> BODY 0 CONTAINS &#86;&#
> BODY 0 CONTAINS &#87;&#
> BODY 0 CONTAINS &#88;&#
> BODY 0 CONTAINS &#89;&#
> BODY 0 CONTAINS &#90;&#
>
> # a-z
>
> BODY 0 CONTAINS &#97;&#
> BODY 0 CONTAINS &#98;&#
> BODY 0 CONTAINS &#99;&#
> BODY 0 CONTAINS &#100;&#
> BODY 0 CONTAINS &#101;&#
> BODY 0 CONTAINS &#102;&#
> BODY 0 CONTAINS &#103;&#
> BODY 0 CONTAINS &#104;&#
> BODY 0 CONTAINS &#105;&#
> BODY 0 CONTAINS &#106;&#
> BODY 0 CONTAINS &#107;&#
> BODY 0 CONTAINS &#108;&#
> BODY 0 CONTAINS &#109;&#
> BODY 0 CONTAINS &#110;&#
> BODY 0 CONTAINS &#111;&#
> BODY 0 CONTAINS &#112;&#
> BODY 0 CONTAINS &#113;&#
> BODY 0 CONTAINS &#114;&#
> BODY 0 CONTAINS &#115;&#
> BODY 0 CONTAINS &#116;&#
> BODY 0 CONTAINS &#117;&#
> BODY 0 CONTAINS &#118;&#
> BODY 0 CONTAINS &#119;&#
> BODY 0 CONTAINS &#120;&#
> BODY 0 CONTAINS &#121;&#
> BODY 0 CONTAINS &#122;&#
>
> # With HTTP
>
> BODY 0 CONTAINS http://&#
> BODY 0 CONTAINS ;@&#
> BODY 0 CONTAINS ;.&#
>
>
> # Combination URL and HTML Encoded Obfuscation:
> # This technique is used to obfuscate URL's.  The filter will match two
> # differently encoded characters in succession or separated by HTTP address
> # components.
> #
> # Example:
> # <A HREF="http://%77&#119;%77.&#103;%6F&#111;%67&#108;%65.&#99;%6F&#109;/">Google</A>
>
> BODY 0 CONTAINS %&#
> BODY 0 CONTAINS %@&#
> BODY 0 CONTAINS ;@%
> BODY 0 CONTAINS %.&#
> BODY 0 CONTAINS ;.%
>
>
> # Hexadecimal IP Obfuscation:
> # This technique is used to obfuscate IP addresses.  The filter will only
> # match a hexadecimal number found immediately following one of three possible
> # HTTP address components.  Commented out due to a lack of current use in spam.
> #
> # Example:
> # http://0xd8.0xef.0x25.0x64/
>
> #BODY 0 CONTAINS http://0x0
> #BODY 0 CONTAINS http://0x1
> #BODY 0 CONTAINS http://0x2
> #BODY 0 CONTAINS http://0x3
> #BODY 0 CONTAINS http://0x4
> #BODY 0 CONTAINS http://0x5
> #BODY 0 CONTAINS http://0x6
> #BODY 0 CONTAINS http://0x7
> #BODY 0 CONTAINS http://0x8
> #BODY 0 CONTAINS http://0x9
> #BODY 0 CONTAINS http://0xa
> #BODY 0 CONTAINS http://0xb
> #BODY 0 CONTAINS http://0xc
> #BODY 0 CONTAINS http://0xd
> #BODY 0 CONTAINS http://0xe
> #BODY 0 CONTAINS http://0xf
> #BODY 0 CONTAINS @0x0
> #BODY 0 CONTAINS @0x1
> #BODY 0 CONTAINS @0x2
> #BODY 0 CONTAINS @0x3
> #BODY 0 CONTAINS @0x4
> #BODY 0 CONTAINS @0x5
> #BODY 0 CONTAINS @0x6
> #BODY 0 CONTAINS @0x7
> #BODY 0 CONTAINS @0x8
> #BODY 0 CONTAINS @0x9
> #BODY 0 CONTAINS @0xa
> #BODY 0 CONTAINS @0xb
> #BODY 0 CONTAINS @0xc
> #BODY 0 CONTAINS @0xd
> #BODY 0 CONTAINS @0xe
> #BODY 0 CONTAINS @0xf
> #BODY 0 CONTAINS .0x0
> #BODY 0 CONTAINS .0x1
> #BODY 0 CONTAINS .0x2
> #BODY 0 CONTAINS .0x3
> #BODY 0 CONTAINS .0x4
> #BODY 0 CONTAINS .0x5
> #BODY 0 CONTAINS .0x6
> #BODY 0 CONTAINS .0x7
> #BODY 0 CONTAINS .0x8
> #BODY 0 CONTAINS .0x9
> #BODY 0 CONTAINS .0xa
> #BODY 0 CONTAINS .0xb
> #BODY 0 CONTAINS .0xc
> #BODY 0 CONTAINS .0xd
> #BODY 0 CONTAINS .0xe
> #BODY 0 CONTAINS .0xf
>
>
> # Octal IP Obfuscation:
> # This technique is used to obfuscate IP addresses.  Due to the possibility
> # of false positives, the filter will only match an HTTP address component
> # followed by two zeros, which indicates a high probability of an octal
> # number, though only one zero is required for proper encoding.  Commented
> # out due to a lack of current use in spam.
> #
> # Example:
> # http://0330.000357.0063.00000144/
>
> #BODY 0 CONTAINS http://00
> #BODY 0 CONTAINS @00

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
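Editor's added example (not part of the thread and not Declude code): a small Python script that mirrors each rule group of the OBFUSCATION filter above as a regex, and additionally decodes the obfuscated URL so you can see the host it actually resolves to. It assumes Declude's CONTAINS is a plain, case-insensitive substring match (which the `%30%` ... `%7a%` lines imply); the sample bodies, the rule-group names, and the functions `classify()`, `normalize_host()` and `decode_hosts()` are all constructed here. It goes slightly beyond the filter by also resolving the dword IP form described on the pc-help page the filter links to.

```python
"""Detect and decode the URL-obfuscation tricks the OBFUSCATION filter targets.

Added example; not part of the original post and not Declude's own code.
Each RULES entry mirrors one group of the filter's CONTAINS lines, assuming
CONTAINS is a plain case-insensitive substring match.  decode_hosts() goes a
step beyond the filter and resolves where the obfuscated URL really points.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample bodies (not taken from real mail); the hosts are the ones
# used in the filter's own examples, plus a dword form the filter does not cover.
SAMPLES = {
    "url_encoded":      "See http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/ now",
    "html_encoded":     '<A HREF="http://&#119;&#119;&#119;.&#103;&#111;&#111;'
                        '&#103;&#108;&#101;.&#99;&#111;&#109;/">Google</A>',
    "mixed_as_posted":  "http://%77&#119;%77.&#103;%6F&#111;%67&#108;%65.&#99;%6F&#109;/",
    "mixed_entity_dot": "http://%77&#119;&#119;.%67&#111;&#111;&#103;&#108;&#101;.%63&#111;&#109;/",
    "hex_ip":           "click http://0xd8.0xef.0x25.0x64/",
    "octal_ip":         "click http://0330.000357.0063.00000144/",
    "userinfo_trick":   "http://www.google.com@0xd8.0xef.0x25.0x64/",
    "dword_ip":         "http://3639551332/",
    "clean":            "Order at http://www.example.com/?q=100%25%20off",
}


def _ascii_alnum(code: int) -> bool:
    return code < 128 and chr(code).isalnum()


# (rule group, pattern, predicate).  The predicate implements the comment
# "first character must be a letter or number", so %25%20 (a literal percent
# sign followed by a space) does not count as obfuscation.  Lookaheads keep
# overlapping pairs such as %25%77%77 from being skipped.
RULES = [
    ("url_encoded",   r"%([0-9a-f]{2})(?=%)",          lambda m: _ascii_alnum(int(m.group(1), 16))),
    ("url_encoded",   r"http://%|%@%|%\.%",            None),
    ("html_encoded",  r"&#(\d+);(?=&#)",               lambda m: _ascii_alnum(int(m.group(1)))),
    ("html_encoded",  r"http://&#|;@&#|;\.&#",         None),
    ("mixed_encoded", r"%&#|%@&#|;@%|%\.&#|;\.%",      None),
    ("hex_ip",        r"(?:http://|@|\.)0x[0-9a-f]",   None),
    ("octal_ip",      r"(?:http://|@)00",              None),
]
RULES = [(name, re.compile(pat, re.IGNORECASE), pred) for name, pat, pred in RULES]


def classify(body: str) -> set[str]:
    """Return the names of the filter's rule groups that would fire on body."""
    hits = set()
    for name, rx, pred in RULES:
        if any(pred is None or pred(m) for m in rx.finditer(body)):
            hits.add(name)
    return hits


def _component_to_int(c: str) -> int:
    """One dotted-host component: 0x.. is hex, a leading 0 means octal, else decimal."""
    if c.lower().startswith("0x"):
        return int(c, 16)
    if len(c) > 1 and c.startswith("0"):
        return int(c, 8)
    return int(c, 10)


def normalize_host(host: str) -> str:
    """Rewrite hex, octal or dword hosts as dotted decimal; real hostnames pass through."""
    try:
        nums = [_component_to_int(p) for p in host.split(".")]
    except ValueError:
        return host
    if len(nums) == 4 and all(0 <= n <= 255 for n in nums):
        return ".".join(str(n) for n in nums)
    if len(nums) == 1 and 0 <= nums[0] <= 0xFFFFFFFF:   # dword form, e.g. http://3639551332/
        return ".".join(str((nums[0] >> s) & 0xFF) for s in (24, 16, 8, 0))
    return host


# The optional user@ part is what makes http://www.google.com@<ip>/ land on <ip>.
URL_RX = re.compile(r"https?://(?:[^@/\s\"'<>]*@)?([^/:\s\"'<>?]+)", re.IGNORECASE)


def decode_hosts(body: str) -> list[str]:
    """Undo entity and percent encoding until stable, then return each URL's real host."""
    text = html.unescape(body)
    for _ in range(3):                    # double-encoding is cheap for a spammer
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return [normalize_host(m.group(1)) for m in URL_RX.finditer(text)]


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:17} rules={sorted(classify(body)) or '-'} hosts={decode_hosts(body)}")
```

Two things worth checking against the filter as posted. The octal example `http://0330.000357.0063.00000144/` begins `http://03`, so the `http://00` rule would not fire on it even if uncommented; the decoder above still resolves it to 216.239.51.100. And if CONTAINS is a literal substring match, the `%`-first combination rules (`%&#`, `%@&#`, `%.&#`) and `%.%` need a bare `%` right before the separator, which a percent-encoded character such as `%6F.` never produces; the posted mixed example is then caught only by `http://%`, whereas an entity followed by a dot and a percent sign (`&#119;.%67`) does trip `;.%`.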
