Well, let us ask the entire list if there are valid reasons that people would send an IP in a URL. I tested this for 2 months and didn't have a single legitimate e-mail like this. We did have people sending IP addresses, but not as a url. For example: My server IP is 156.23.140.10. Not one case had someone say " my website is http://[insert ip here]"
Jason -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Friday, March 19, 2004 1:32 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers I am not sure if my request here is being understood. I would not want to mark all messages with an IP in the url as spam. Only those messages that use %nnn%nnn%nnn etc. When you view source of an html message you can see this kind of coding. As in this case: //205.159.%372.%32%30/mort/ We always do a view source and take the url out of the source and then blacklist that, for those messages that were no caught by anti-spam at the time. I do not know what that process is called and have only ever seen it in source code of certain spam e-mail Harry Vanderzand inTown Internet & Computer Services 11 Belmont Ave. W. Kitchener, ON N2M 1L2 519-741-1222 Did you know we offer: - Province wide dial-up and high speed internet access - Web accessible email with anti-spam\antivirus protection - Computer hardware sales and service - Experienced website developers > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Jason > Sent: Friday, March 19, 2004 1:41 PM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers > > > We created an Imail rule to block these. Here is what we use: > > (http\://\d\d\.|http\://\d\d\d\.):spambox > > > This seems to work very well. > > > Jason > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Harry Vanderzand > Sent: Friday, March 19, 2004 12:30 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Detecting disguised url's in headers > > > IE this url: //205.159.%372.%32%30/mort/ obviously gets > translated and I could do so also. It would take a lot of > extra time. I copy the url out of headers of spam that gets > through and put it into my filter file. These are bothersome however. > > Is there a way that we could just mark these kind of mails as > spam? I think it would be just spammers that do this. > > thanks > > Harry Vanderzand > inTown Internet & Computer Services > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > > [AUTOMATED NOTE: Your mail server [66.140.194.140] is missing > a reverse DNS entry. All Internet hosts are required to have > a reverse DNS entry. The missing reverse DNS entry will cause > your mail to be treated as spam on some servers, such as AOL.] > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be > found at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.