Well, assuming that you have Declude JunkMail Pro and thus text filtering
features available, yes.
See:
http://www.mailpure.com/software/decludefilters/
for the IPFilter tests which would give you a very good example to get you
started.
However, I think that:
a) You don't need to, because Declude is quietly de-obfuscating the
%-escaped text, so you could simply search for dotted-quad text.
b) If you want to add weight to emails that use the technique, because it's
the technique usage you find significant, then be conservative. I'm not
able to name names, but I know that I've received email flyers and mailing
lists that used the %-escaped text correctly when the source server for
their images did not have a fully qualified domain name.
Andrew 8)
-----Original Message-----
From: Harry Vanderzand [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 12:39 PM
To: [EMAIL PROTECTED]
Subject: RE: inSPAM:RE: [Declude.JunkMail] Detecting disguised url's in
headers
Let me re-iterate again
I would like to treat any mail where the source code of the mail is
disguising either text or the URL. It is the act of disguising it in code
that I think we can use to trap. Just because a URL is in the form of an IP
is not a valid reason to mark it as spam.
What I REALLY WOULD LIKE TO ASK IS ABOUT THE CODING OF THE SOURCE CODE IN
E-MAILS
Can it be trapped?
My apologies if I cannot explain it better
>
>
> Well, let us ask the entire list if there are valid reasons
> that people would send an IP in a URL. I tested this for 2
> months and didn't have a single legitimate e-mail like this.
> We did have people sending IP addresses, but not as a url.
> For example: My server IP is 156.23.140.10. Not one case
> had someone say " my website is
> http://[insert ip here]"
>
>
>
> Jason
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Harry Vanderzand
> Sent: Friday, March 19, 2004 1:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers
>
>
> I am not sure if my request here is being understood.
>
> I would not want to mark all messages with an IP in the url
> as spam. Only those messages that use %nnn%nnn%nnn etc. When
> you view source of an html message you can see this kind of
> coding. As in this case: //205.159.%372.%32%30/mort/
>
> We always do a view source and take the url out of the source
> and then blacklist that, for those messages that were no
> caught by anti-spam at the time.
>
> I do not know what that process is called and have only ever
> seen it in source code of certain spam e-mail
>
> Harry Vanderzand
> inTown Internet & Computer Services
> 11 Belmont Ave. W.
> Kitchener, ON
> N2M 1L2
> 519-741-1222
> Did you know we offer:
> - Province wide dial-up and high speed internet access
> - Web accessible email with anti-spam\antivirus protection
> - Computer hardware sales and service
> - Experienced website developers
>
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jason
> > Sent: Friday, March 19, 2004 1:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers
> >
> >
> > We created an Imail rule to block these. Here is what we use:
> >
> > (http\://\d\d\.|http\://\d\d\d\.):spambox
> >
> >
> > This seems to work very well.
> >
> >
> > Jason
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Harry
> > Vanderzand
> > Sent: Friday, March 19, 2004 12:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] Detecting disguised url's in headers
> >
> >
> > IE this url: //205.159.%372.%32%30/mort/ obviously gets translated
> > and I could do so also. It would take a lot of extra time. I copy
> > the url out of headers of spam that gets through and put it into my
> > filter file. These are bothersome however.
> >
> > Is there a way that we could just mark these kind of mails
> as spam? I
> > think it would be just spammers that do this.
> >
> > thanks
> >
> > Harry Vanderzand
> > inTown Internet & Computer Services
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail". The archives can be found at
> > http://www.mail-archive.com.
> >
> > [AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a
> > reverse DNS entry. All Internet hosts are required to have
> a reverse
> > DNS entry. The missing reverse DNS entry will cause your mail to be
> > treated as spam on some servers, such as AOL.]
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus
> > (http://www.declude.com)]
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> > "unsubscribe Declude.JunkMail". The archives can be found at
> > http://www.mail-archive.com.
> >
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be
> found at http://www.mail-archive.com.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be
> found at http://www.mail-archive.com.
>
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
