Actually, upon further reading, it appears that this affects all non-printing characters that are URL encoded. Here's a list of everything that I could find which is non-printing. Also note that I don't believe that OBFUSCATION will catch this, and @LINKED will catch it only if the @ is followed by a www. It seems like it might be a good idea to therefore integrate the following, though I may include this in a future version of OBFUSCATION.

# 000-031
BODY        15    CONTAINS    %00@
BODY        15    CONTAINS    %01@
BODY        15    CONTAINS    %02@
BODY        15    CONTAINS    %03@
BODY        15    CONTAINS    %04@
BODY        15    CONTAINS    %05@
BODY        15    CONTAINS    %06@
BODY        15    CONTAINS    %07@
BODY        15    CONTAINS    %08@
BODY        15    CONTAINS    %09@
BODY        15    CONTAINS    %0a@
BODY        15    CONTAINS    %0b@
BODY        15    CONTAINS    %0c@
BODY        15    CONTAINS    %0d@
BODY        15    CONTAINS    %0e@
BODY        15    CONTAINS    %0f@
BODY        15    CONTAINS    %10@
BODY        15    CONTAINS    %11@
BODY        15    CONTAINS    %12@
BODY        15    CONTAINS    %13@
BODY        15    CONTAINS    %14@
BODY        15    CONTAINS    %15@
BODY        15    CONTAINS    %16@
BODY        15    CONTAINS    %17@
BODY        15    CONTAINS    %18@
BODY        15    CONTAINS    %19@
BODY        15    CONTAINS    %1a@
BODY        15    CONTAINS    %1b@
BODY        15    CONTAINS    %1c@
BODY        15    CONTAINS    %1d@
BODY        15    CONTAINS    %1e@
BODY        15    CONTAINS    %1f@

# 127-159
BODY        15    CONTAINS    %7f@
BODY        15    CONTAINS    %80@
BODY        15    CONTAINS    %81@
BODY        15    CONTAINS    %82@
BODY        15    CONTAINS    %83@
BODY        15    CONTAINS    %84@
BODY        15    CONTAINS    %85@
BODY        15    CONTAINS    %86@
BODY        15    CONTAINS    %87@
BODY        15    CONTAINS    %88@
BODY        15    CONTAINS    %89@
BODY        15    CONTAINS    %8a@
BODY        15    CONTAINS    %8b@
BODY        15    CONTAINS    %8c@
BODY        15    CONTAINS    %8d@
BODY        15    CONTAINS    %8e@
BODY        15    CONTAINS    %8f@
BODY        15    CONTAINS    %90@
BODY        15    CONTAINS    %91@
BODY        15    CONTAINS    %92@
BODY        15    CONTAINS    %93@
BODY        15    CONTAINS    %94@
BODY        15    CONTAINS    %95@
BODY        15    CONTAINS    %96@
BODY        15    CONTAINS    %97@
BODY        15    CONTAINS    %98@
BODY        15    CONTAINS    %99@
BODY        15    CONTAINS    %9a@
BODY        15    CONTAINS    %9b@
BODY        15    CONTAINS    %9c@
BODY        15    CONTAINS    %9d@
BODY        15    CONTAINS    %9e@
BODY        15    CONTAINS    %9f@


Matt






Matthew Bramble wrote:

http://netscape.com.com/2100-1105_2-5119440.html?part=netscape&subj=technews&tag=mynetscape


Follow the link to the following address for an example (only works as designed in Internet Explorer):


http://www.zapthedingbat.com/security/ex01/vun1.htm

I would assume that you should probably throw in a filter for the following in order to prevent this, and of course tag any E-mails that might attempt to use it:

BODY 15 CONTAINS %01@

Matt
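The 65 filter lines above all follow one pattern: a URL-encoded byte in the range 0x00-0x1F or 0x7F-0x9F immediately followed by "@". As an added example (not part of the original e-mail and not Declude code), the Python sketch below applies that pattern only inside the authority part of each URL and reports the text before the encoded byte and the host after the "@". It goes slightly beyond the list by accepting upper-case hex digits. The function name, the URL matcher and the sample lines are assumptions made for illustration.

```python
import re

# Percent-encoded bytes 0x00-0x1F and 0x7F-0x9F (the two ranges listed in the
# filter lines), immediately followed by "@". Either hex case is accepted.
ENCODED_CTRL_AT = re.compile(r"%(?:[01][0-9a-f]|7f|[89][0-9a-f])@", re.IGNORECASE)

# Rough URL matcher for message bodies (assumption: http/https links only).
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample lines, not taken from real mail.
SAMPLE_BODY = """\
Please verify your account: http://www.example.com%01@192.0.2.10/login.htm
Upper-case hex: http://bank.example%9F@host.invalid/
Ordinary link: http://www.example.org/page?user=a%40b
Plain userinfo: http://user@files.example.net/
"""

def suspicious_urls(body):
    """Return (url, userinfo_prefix, host) for every URL in body whose
    authority has an encoded non-printing byte directly before '@'."""
    hits = []
    for match in URL.finditer(body):
        url = match.group(0)
        # The authority ends at the first '/', '?' or '#' after the scheme.
        rest = url.split("://", 1)[1]
        authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
        hit = ENCODED_CTRL_AT.search(authority)
        if hit is None:
            continue
        userinfo_prefix = authority[:hit.start()]  # text before the %xx byte
        host = authority.rsplit("@", 1)[1]         # where the link really goes
        hits.append((url, userinfo_prefix, host))
    return hits

if __name__ == "__main__":
    for url, prefix, host in suspicious_urls(SAMPLE_BODY):
        print(f"{url}\n  text before encoded byte: {prefix}\n  actual host: {host}")
```

Restricting the match to the authority avoids flagging an encoded byte followed by "@" that appears only in a path or query string.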


