I believe when this was broached last year, I believe Scott P. stated regexp parsing consume too much CPU for Declude.
However, we added a regexp filter very easily using the built-in command line regexp parsing in Windows, thanks to Sandy pointing it out. It doesn't have all of the functionality in Decludes filters since it's an all or nothing weight, but has worked well for us. Darin. ----- Original Message ----- From: "Dave Beckstrom" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, November 11, 2005 11:56 AM Subject: RE: [Declude.JunkMail] Cryptic URL in source David, Could I suggest that you consider adding something along those lines or perhaps adding support for regular expressions? It would make the filters much more flexible and powerful. Sometimes spammers will vary only 1 or 2 characters in a URL and this would enable us to block their variations with one line in the filter. > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of David Franco-Rocha [ Declude ] > Sent: Friday, November 11, 2005 10:46 AM > To: [email protected] > Subject: Re: [Declude.JunkMail] Cryptic URL in source > > Dave, > > There currently is no pattern matching in Declude filters. > > David Franco-Rocha > Declude Technical / Engineering > > ----- Original Message ----- > From: "Dave Beckstrom" <[EMAIL PROTECTED]> > To: <[email protected]> > Sent: Thursday, November 10, 2005 6:03 PM > Subject: RE: [Declude.JunkMail] Cryptic URL in source > > > > Scott, > > > > Doesn't Declude support a wild card character for single character > > matching > > in filters? EG, let's say an "*" is a wild card. > > > > STOPATFIRSTHIT > > BODY 0 contains .google.*/url?q > > BODY 0 contains .google.**/url?q > > BODY 0 contains .google.***/url?q > > > > > > The above would then accomplish the same thing as the entire filter > below. > > > >> -----Original Message----- > >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > >> [EMAIL PROTECTED] On Behalf Of Scott Fisher > >> Sent: Thursday, November 10, 2005 4:38 PM > >> To: [email protected] > >> Subject: Re: [Declude.JunkMail] Cryptic URL in source > >> > >> I ran across this in one of my unused filters folders. Some great > Declude > >> user (not me) posted it in August. > >> So the google redirect has been abused for months. > >> > >> STOPATFIRSTHIT > >> > >> BODY 0 contains .google.com/url?q > >> BODY 0 contains .google.as/url?q > >> BODY 0 contains .google.com.ar/url?q > >> BODY 0 contains .google.com.au/url?q > >> BODY 0 contains .google.at/url?q > >> BODY 0 contains .google.az/url?q > >> BODY 0 contains .google.by/url?q > >> BODY 0 contains .google.be/url?q > >> BODY 0 contains .google.com.br/url?q > >> BODY 0 contains .google.vg/url?q > >> BODY 0 contains .google.bi/url?q > >> BODY 0 contains .google.ca/url?q > >> BODY 0 contains .google.td/url?q > >> BODY 0 contains .google.cl/url?q > >> BODY 0 contains .google.com.co/url?q > >> BODY 0 contains .google.co.cr/url?q > >> BODY 0 contains .google.ci/url?q > >> BODY 0 contains .google.com.cu/url?q > >> BODY 0 contains .google.cd/url?q > >> BODY 0 contains .google.dk/url?q > >> BODY 0 contains .google.dj/url?q > >> BODY 0 contains .google.com.do/url?q > >> BODY 0 contains .google.com.ec/url?q > >> BODY 0 contains .google.com.sv/url?q > >> BODY 0 contains .google.ee/url?q > >> BODY 0 contains .google.com.fj/url?q > >> BODY 0 contains .google.fi/url?q > >> BODY 0 contains .google.fr/url?q > >> BODY 0 contains .google.gm/url?q > >> BODY 0 contains .google.ge/url?q > >> BODY 0 contains .google.de/url?q > >> BODY 0 contains .google.com.gi/url?q > >> BODY 0 contains .google.com.gr/url?q > >> BODY 0 contains .google.gl/url?q > >> BODY 0 contains .google.gg/url?q > >> BODY 0 contains .google.hn/url?q > >> BODY 0 contains .google.com.hk/url?q > >> BODY 0 contains .google.co.hu/url?q > >> BODY 0 contains .google.co.in/url?q > >> BODY 0 contains .google.ie/url?q > >> BODY 0 contains .google.co.il/url?q > >> BODY 0 contains .google.it/url?q > >> BODY 0 contains .google.co.jp/url?q > >> BODY 0 contains .google.je/url?q > >> BODY 0 contains .google.kz/url?q > >> BODY 0 contains .google.lv/url?q > >> BODY 0 contains .google.co.ls/url?q > >> BODY 0 contains .google.com.ly/url?q > >> BODY 0 contains .google.li/url?q > >> BODY 0 contains .google.lt/url?q > >> BODY 0 contains .google.lu/url?q > >> BODY 0 contains .google.mw/url?q > >> BODY 0 contains .google.com.my/url?q > >> BODY 0 contains .google.com.mt/url?q > >> BODY 0 contains .google.mu/url?q > >> BODY 0 contains .google.com.mx/url?q > >> BODY 0 contains .google.fm/url?q > >> BODY 0 contains .google.ms/url?q > >> BODY 0 contains .google.com.na/url?q > >> BODY 0 contains .google.com.np/url?q > >> BODY 0 contains .google.nl/url?q > >> BODY 0 contains .google.co.nz/url?q > >> BODY 0 contains .google.com.ni/url?q > >> BODY 0 contains .google.com.nf/url?q > >> BODY 0 contains .google.com.pk/url?q > >> BODY 0 contains .google.com.pa/url?q > >> BODY 0 contains .google.com.py/url?q > >> BODY 0 contains .google.com.pe/url?q > >> BODY 0 contains .google.com.ph/url?q > >> BODY 0 contains .google.pn/url?q > >> BODY 0 contains .google.pl/url?q > >> BODY 0 contains .google.pt/url?q > >> BODY 0 contains .google.com.pr/url?q > >> BODY 0 contains .google.cg/url?q > >> BODY 0 contains .google.ro/url?q > >> BODY 0 contains .google.ru/url?q > >> BODY 0 contains .google.rw/url?q > >> BODY 0 contains .google.sh/url?q > >> BODY 0 contains .google.com.vc/url?q > >> BODY 0 contains .google.sm/url?q > >> BODY 0 contains .google.co.yu/url?q > >> BODY 0 contains .google.com.sg/url?q > >> BODY 0 contains .google.sk/url?q > >> BODY 0 contains .google.co.kr/url?q > >> BODY 0 contains .google.es/url?q > >> BODY 0 contains .google.se/url?q > >> BODY 0 contains .google.ch/url?q > >> BODY 0 contains .google.com.tw/url?q > >> BODY 0 contains .google.co.th/url?q > >> BODY 0 contains .google.tt/url?q > >> BODY 0 contains .google.com.tr/url?q > >> BODY 0 contains .google.com.ua/url?q > >> BODY 0 contains .google.ae/url?q > >> BODY 0 contains .google.co.uk/url?q > >> BODY 0 contains .google.com.uy/url?q > >> BODY 0 contains .google.uz/url?q > >> BODY 0 contains .google.co.ve/url?q > >> BODY 0 contains .google.com.vn/url?q > >> > >> ----- Original Message ----- > >> From: "Harry Vanderzand" <[EMAIL PROTECTED]> > >> To: <[email protected]> > >> Sent: Wednesday, November 09, 2005 4:05 PM > >> Subject: RE: [Declude.JunkMail] Cryptic URL in source > >> > >> > >> > Certainly > >> > > >> > Here is what you see in the e-mail > >> > > >> > http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0 > >> > > >> > Here is what is in the source: > >> > > >> > > >> > href="http://www.google.com/url?q=http://www.google.com/url?q=http://%73%5 > >> 4% > >> > 41%09Nd%09%7aA.n%09e%74/%63%67i- > >> b%09%69n%09/%70%6fch/%72e%09di%72.%63g%69?s= > >> > > >> > intown.net">http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0 > >> </ > >> > a> > >> > > >> > Not that different from some of the phishing e-mails > >> > > >> > This has got to be detectable and should be cause for immediate > >> deletion. > >> > > >> > Who has legitimate cause to hide their identity? > >> > > >> > Harry Vanderzand > >> > inTown Internet & Computer Services > >> > 11 Belmont Ave. W., Kitchener, ON,N2M 1L2 > >> > 519-741-1222 > >> > > >> > > >> > > >> >> -----Original Message----- > >> >> From: [EMAIL PROTECTED] > >> >> [mailto:[EMAIL PROTECTED] On Behalf Of Scott > Fisher > >> >> Sent: Wednesday, November 09, 2005 4:40 PM > >> >> To: [email protected] > >> >> Subject: Re: [Declude.JunkMail] Cryptic URL in source > >> >> > >> >> Do you have an example? > >> >> > >> >> ----- Original Message ----- > >> >> From: "Harry Vanderzand" <[EMAIL PROTECTED]> > >> >> To: <[email protected]> > >> >> Sent: Wednesday, November 09, 2005 10:18 AM > >> >> Subject: RE: [Declude.JunkMail] Cryptic URL in source > >> >> > >> >> > >> >> > Any ideas on this? > >> >> >> > >> >> >> When the URL is hidden with cryptic characters in the source > >> >> >> code of an e-mail it seems to me that it is obviously not a > >> >> >> legitimate e-mail in that deception is being used. > >> >> >> > >> >> >> Is there not an easy way to stop e-mail where these practises > >> >> >> are being used? > >> >> >> > >> >> >> I am running imail 8.21 and declude 3.05.18, the latest > >> >> >> sniffer and Invuribl > >> >> >> > >> >> >> Assistance is appreciated > >> >> >> > >> >> >> Thank you > >> >> >> > >> >> >> Harry Vanderzand > >> >> >> inTown Internet & Computer Services > >> >> >> 11 Belmont Ave. W., Kitchener, ON,N2M 1L2 > >> >> >> 519-741-1222 > >> >> >> > >> >> >> > >> >> >> > >> >> >> > >> >> >> --- > >> >> >> This E-mail came from the Declude.JunkMail mailing list. To > >> >> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> >> >> type "unsubscribe Declude.JunkMail". The archives can be found > >> >> >> at http://www.mail-archive.com. > >> >> >> > >> >> >> > >> >> > > >> >> > > >> >> > --- > >> >> > This E-mail came from the Declude.JunkMail mailing list. To > >> >> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> >> > type "unsubscribe Declude.JunkMail". The archives can be found > >> >> > at http://www.mail-archive.com. > >> >> > > >> >> --- > >> >> This E-mail came from the Declude.JunkMail mailing list. To > >> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> >> type "unsubscribe Declude.JunkMail". The archives can be found > >> >> at http://www.mail-archive.com. > >> >> > >> >> > >> > > >> > > >> > --- > >> > This E-mail came from the Declude.JunkMail mailing list. To > >> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> > type "unsubscribe Declude.JunkMail". The archives can be found > >> > at http://www.mail-archive.com. > >> > > >> > >> --- > >> This E-mail came from the Declude.JunkMail mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.JunkMail". The archives can be found > >> at http://www.mail-archive.com. > >> --- > >> [This E-mail scanned for viruses by Declude Virus] > > > > > > --- > > [This E-mail scanned for viruses by Declude Virus] > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- > [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
