Scott, Doesn't Declude support a wild card character for single character matching in filters? EG, let's say an "*" is a wild card.
STOPATFIRSTHIT BODY 0 contains .google.*/url?q BODY 0 contains .google.**/url?q BODY 0 contains .google.***/url?q The above would then accomplish the same thing as the entire filter below. > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Scott Fisher > Sent: Thursday, November 10, 2005 4:38 PM > To: [email protected] > Subject: Re: [Declude.JunkMail] Cryptic URL in source > > I ran across this in one of my unused filters folders. Some great Declude > user (not me) posted it in August. > So the google redirect has been abused for months. > > STOPATFIRSTHIT > > BODY 0 contains .google.com/url?q > BODY 0 contains .google.as/url?q > BODY 0 contains .google.com.ar/url?q > BODY 0 contains .google.com.au/url?q > BODY 0 contains .google.at/url?q > BODY 0 contains .google.az/url?q > BODY 0 contains .google.by/url?q > BODY 0 contains .google.be/url?q > BODY 0 contains .google.com.br/url?q > BODY 0 contains .google.vg/url?q > BODY 0 contains .google.bi/url?q > BODY 0 contains .google.ca/url?q > BODY 0 contains .google.td/url?q > BODY 0 contains .google.cl/url?q > BODY 0 contains .google.com.co/url?q > BODY 0 contains .google.co.cr/url?q > BODY 0 contains .google.ci/url?q > BODY 0 contains .google.com.cu/url?q > BODY 0 contains .google.cd/url?q > BODY 0 contains .google.dk/url?q > BODY 0 contains .google.dj/url?q > BODY 0 contains .google.com.do/url?q > BODY 0 contains .google.com.ec/url?q > BODY 0 contains .google.com.sv/url?q > BODY 0 contains .google.ee/url?q > BODY 0 contains .google.com.fj/url?q > BODY 0 contains .google.fi/url?q > BODY 0 contains .google.fr/url?q > BODY 0 contains .google.gm/url?q > BODY 0 contains .google.ge/url?q > BODY 0 contains .google.de/url?q > BODY 0 contains .google.com.gi/url?q > BODY 0 contains .google.com.gr/url?q > BODY 0 contains .google.gl/url?q > BODY 0 contains .google.gg/url?q > BODY 0 contains .google.hn/url?q > BODY 0 contains .google.com.hk/url?q > BODY 0 contains .google.co.hu/url?q > BODY 0 contains .google.co.in/url?q > BODY 0 contains .google.ie/url?q > BODY 0 contains .google.co.il/url?q > BODY 0 contains .google.it/url?q > BODY 0 contains .google.co.jp/url?q > BODY 0 contains .google.je/url?q > BODY 0 contains .google.kz/url?q > BODY 0 contains .google.lv/url?q > BODY 0 contains .google.co.ls/url?q > BODY 0 contains .google.com.ly/url?q > BODY 0 contains .google.li/url?q > BODY 0 contains .google.lt/url?q > BODY 0 contains .google.lu/url?q > BODY 0 contains .google.mw/url?q > BODY 0 contains .google.com.my/url?q > BODY 0 contains .google.com.mt/url?q > BODY 0 contains .google.mu/url?q > BODY 0 contains .google.com.mx/url?q > BODY 0 contains .google.fm/url?q > BODY 0 contains .google.ms/url?q > BODY 0 contains .google.com.na/url?q > BODY 0 contains .google.com.np/url?q > BODY 0 contains .google.nl/url?q > BODY 0 contains .google.co.nz/url?q > BODY 0 contains .google.com.ni/url?q > BODY 0 contains .google.com.nf/url?q > BODY 0 contains .google.com.pk/url?q > BODY 0 contains .google.com.pa/url?q > BODY 0 contains .google.com.py/url?q > BODY 0 contains .google.com.pe/url?q > BODY 0 contains .google.com.ph/url?q > BODY 0 contains .google.pn/url?q > BODY 0 contains .google.pl/url?q > BODY 0 contains .google.pt/url?q > BODY 0 contains .google.com.pr/url?q > BODY 0 contains .google.cg/url?q > BODY 0 contains .google.ro/url?q > BODY 0 contains .google.ru/url?q > BODY 0 contains .google.rw/url?q > BODY 0 contains .google.sh/url?q > BODY 0 contains .google.com.vc/url?q > BODY 0 contains .google.sm/url?q > BODY 0 contains .google.co.yu/url?q > BODY 0 contains .google.com.sg/url?q > BODY 0 contains .google.sk/url?q > BODY 0 contains .google.co.kr/url?q > BODY 0 contains .google.es/url?q > BODY 0 contains .google.se/url?q > BODY 0 contains .google.ch/url?q > BODY 0 contains .google.com.tw/url?q > BODY 0 contains .google.co.th/url?q > BODY 0 contains .google.tt/url?q > BODY 0 contains .google.com.tr/url?q > BODY 0 contains .google.com.ua/url?q > BODY 0 contains .google.ae/url?q > BODY 0 contains .google.co.uk/url?q > BODY 0 contains .google.com.uy/url?q > BODY 0 contains .google.uz/url?q > BODY 0 contains .google.co.ve/url?q > BODY 0 contains .google.com.vn/url?q > > ----- Original Message ----- > From: "Harry Vanderzand" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Wednesday, November 09, 2005 4:05 PM > Subject: RE: [Declude.JunkMail] Cryptic URL in source > > > > Certainly > > > > Here is what you see in the e-mail > > > > http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0 > > > > Here is what is in the source: > > > > > href="http://www.google.com/url?q=http://www.google.com/url?q=http://%73%5 > 4% > > 41%09Nd%09%7aA.n%09e%74/%63%67i- > b%09%69n%09/%70%6fch/%72e%09di%72.%63g%69?s= > > > intown.net">http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0 > </ > > a> > > > > Not that different from some of the phishing e-mails > > > > This has got to be detectable and should be cause for immediate > deletion. > > > > Who has legitimate cause to hide their identity? > > > > Harry Vanderzand > > inTown Internet & Computer Services > > 11 Belmont Ave. W., Kitchener, ON,N2M 1L2 > > 519-741-1222 > > > > > > > >> -----Original Message----- > >> From: [EMAIL PROTECTED] > >> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher > >> Sent: Wednesday, November 09, 2005 4:40 PM > >> To: [email protected] > >> Subject: Re: [Declude.JunkMail] Cryptic URL in source > >> > >> Do you have an example? > >> > >> ----- Original Message ----- > >> From: "Harry Vanderzand" <[EMAIL PROTECTED]> > >> To: <[email protected]> > >> Sent: Wednesday, November 09, 2005 10:18 AM > >> Subject: RE: [Declude.JunkMail] Cryptic URL in source > >> > >> > >> > Any ideas on this? > >> >> > >> >> When the URL is hidden with cryptic characters in the source > >> >> code of an e-mail it seems to me that it is obviously not a > >> >> legitimate e-mail in that deception is being used. > >> >> > >> >> Is there not an easy way to stop e-mail where these practises > >> >> are being used? > >> >> > >> >> I am running imail 8.21 and declude 3.05.18, the latest > >> >> sniffer and Invuribl > >> >> > >> >> Assistance is appreciated > >> >> > >> >> Thank you > >> >> > >> >> Harry Vanderzand > >> >> inTown Internet & Computer Services > >> >> 11 Belmont Ave. W., Kitchener, ON,N2M 1L2 > >> >> 519-741-1222 > >> >> > >> >> > >> >> > >> >> > >> >> --- > >> >> This E-mail came from the Declude.JunkMail mailing list. To > >> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> >> type "unsubscribe Declude.JunkMail". The archives can be found > >> >> at http://www.mail-archive.com. > >> >> > >> >> > >> > > >> > > >> > --- > >> > This E-mail came from the Declude.JunkMail mailing list. To > >> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> > type "unsubscribe Declude.JunkMail". The archives can be found > >> > at http://www.mail-archive.com. > >> > > >> --- > >> This E-mail came from the Declude.JunkMail mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.JunkMail". The archives can be found > >> at http://www.mail-archive.com. > >> > >> > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
