One of the current spam tricks (coming from zombies, I think) is to not use the www. or the http:; here are two examples:
uhpvoegq.portable7attachable[munged].info irzvu.adventist7announcer[munged].info and this next technique has become popular, and the messages are so similar it has to be the same spam gang: ___copy&p�ste _lInk_bew_low �n your_brower_ jp.gny.roliosaa.com/ at some point recently the bad guys realized that their text indicating the instructions for pasting the link were themselves trappable text, they've moved to the extreme obfuscation indicated above. As a third example, I've seen the bad guys use http:\\ or with just one / or inserting a space in the URL with paste instructions. Sometimes it's heard to tell if it's genius at finding stuff that still works in Internet Explorer, or just broken typing on their part. So... I don't know how antispam software in general is adapting to those anti-SURBL (or just anti-filtering) techniques, but the short of is that your optimization is a good idea to save mail processing time, but not against at least one spam gang. Andrew 8) -----Original Message----- From: Markus Gufler [mailto:[EMAIL PROTECTED] Sent: Monday, December 06, 2004 5:50 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [Declude.JunkMail] ENDing surbl filter file I've seen an initial line: BODY END NOTCONTAINS http: in Kami's body filterfiles. It seems to be a good idea even if I'm not sure if it will not let slip trough messages containing simple "www." URLs. If this would not create any problem it would be also very usefull to use it in our surbl filter files. I've added the following line echo BODY END NOTCONTAINS http:>> surbl.filter.tmp in Roger Eriksson's surbl_filter.cmd version 1.0 (line 58) Any suggestions, drawback's ? It would be very usefull if we could END if NO "http:" AND NO "www." is part of the message body. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
