One "new" obfuscation behaviour I'm seeing in a non-Declude-protected account is that the bad guys are typing the URL as h t t p : \ \ instead of http:// (I've added spaces to evade anybody else's filter) and a second one where they omit the http:// entirely and just tell the recipient to paste the following line into their browser.
Andrew 8) -----Original Message----- From: Pete McNeil [mailto:[EMAIL PROTECTED] Sent: Friday, November 26, 2004 11:09 AM To: Glenn Zajicek Subject: Re[2]: [Declude.JunkMail] Vacationing Spammers On Friday, November 26, 2004, 1:43:06 PM, Glenn wrote: GZ> I've seen an increase in spam for the last few days slipping through GZ> with low weights or without failing any tests. I'm seeing a number of new styles of obfuscation lately, + a couple new campaigns just launched. Be sure you're up on the latest version of Sniffer if you use it (2.3.2) since this one has a number of new de-obfuscation mechanisms in the filter chain. Rules that take advantage of these new features are already growing in the ruelbase. Be sure to send anything that gets through to our spam@ address so I can grab it. I've given the crew off for the holiday so I'm nearly full-time pushing rulebase updates & Support. I'll be sure to get on any new submissions quickly. Thanks, _M --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
