Dave,
The issue here is that not only would the entire filtering mechanism
need to be rewritten, but also the entire parsing mechanism. Right now
Declude does minimal parsing of messages, and for instance, filters
will do plain text matching on both encoded base64 as well as the
unencoded base64. They would need to fully deMIME the message and
parse each individual segment according to the appropriate headers
(keeping in mind that messages can appear within messages, that can
appear within other messages and so on). Not only is base64 code a
problem, but also quoted printable encoding, and then there are the
obfuscation techniques that use URL and HTML encoding, but if you
decode, you also want the encoded stuff available to filtering since
the patterns there can be much stronger than when decoded.
I think that it is reasonable to say that this is all very desirable,
but there is no quick fix that can be expected.
Matt
Dave Beckstrom wrote:
David,
Could I suggest that you consider adding something along those lines or
perhaps adding support for regular expressions?
It would make the filters much more flexible and powerful. Sometimes
spammers will vary only 1 or 2 characters in a URL and this would enable us
to block their variations with one line in the filter.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of David Franco-Rocha [ Declude ]
Sent: Friday, November 11, 2005 10:46 AM
To: [email protected]
Subject: Re: [Declude.JunkMail] Cryptic URL in source
Dave,
There currently is no pattern matching in Declude filters.
David Franco-Rocha
Declude Technical / Engineering
----- Original Message -----
From: "Dave Beckstrom" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, November 10, 2005 6:03 PM
Subject: RE: [Declude.JunkMail] Cryptic URL in source
Scott,
Doesn't Declude support a wild card character for single character matching in filters? E.g., let's say an "*" is a wild card.
STOPATFIRSTHIT
BODY 0 contains .google.*/url?q
BODY 0 contains .google.**/url?q
BODY 0 contains .google.***/url?q
The above would then accomplish the same thing as the entire filter below.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Thursday, November 10, 2005 4:38 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Cryptic URL in source
I ran across this in one of my unused filters folders. Some great Declude user (not me) posted it in August.
So the google redirect has been abused for months.
STOPATFIRSTHIT
BODY 0 contains .google.com/url?q
BODY 0 contains .google.as/url?q
BODY 0 contains .google.com.ar/url?q
BODY 0 contains .google.com.au/url?q
BODY 0 contains .google.at/url?q
BODY 0 contains .google.az/url?q
BODY 0 contains .google.by/url?q
BODY 0 contains .google.be/url?q
BODY 0 contains .google.com.br/url?q
BODY 0 contains .google.vg/url?q
BODY 0 contains .google.bi/url?q
BODY 0 contains .google.ca/url?q
BODY 0 contains .google.td/url?q
BODY 0 contains .google.cl/url?q
BODY 0 contains .google.com.co/url?q
BODY 0 contains .google.co.cr/url?q
BODY 0 contains .google.ci/url?q
BODY 0 contains .google.com.cu/url?q
BODY 0 contains .google.cd/url?q
BODY 0 contains .google.dk/url?q
BODY 0 contains .google.dj/url?q
BODY 0 contains .google.com.do/url?q
BODY 0 contains .google.com.ec/url?q
BODY 0 contains .google.com.sv/url?q
BODY 0 contains .google.ee/url?q
BODY 0 contains .google.com.fj/url?q
BODY 0 contains .google.fi/url?q
BODY 0 contains .google.fr/url?q
BODY 0 contains .google.gm/url?q
BODY 0 contains .google.ge/url?q
BODY 0 contains .google.de/url?q
BODY 0 contains .google.com.gi/url?q
BODY 0 contains .google.com.gr/url?q
BODY 0 contains .google.gl/url?q
BODY 0 contains .google.gg/url?q
BODY 0 contains .google.hn/url?q
BODY 0 contains .google.com.hk/url?q
BODY 0 contains .google.co.hu/url?q
BODY 0 contains .google.co.in/url?q
BODY 0 contains .google.ie/url?q
BODY 0 contains .google.co.il/url?q
BODY 0 contains .google.it/url?q
BODY 0 contains .google.co.jp/url?q
BODY 0 contains .google.je/url?q
BODY 0 contains .google.kz/url?q
BODY 0 contains .google.lv/url?q
BODY 0 contains .google.co.ls/url?q
BODY 0 contains .google.com.ly/url?q
BODY 0 contains .google.li/url?q
BODY 0 contains .google.lt/url?q
BODY 0 contains .google.lu/url?q
BODY 0 contains .google.mw/url?q
BODY 0 contains .google.com.my/url?q
BODY 0 contains .google.com.mt/url?q
BODY 0 contains .google.mu/url?q
BODY 0 contains .google.com.mx/url?q
BODY 0 contains .google.fm/url?q
BODY 0 contains .google.ms/url?q
BODY 0 contains .google.com.na/url?q
BODY 0 contains .google.com.np/url?q
BODY 0 contains .google.nl/url?q
BODY 0 contains .google.co.nz/url?q
BODY 0 contains .google.com.ni/url?q
BODY 0 contains .google.com.nf/url?q
BODY 0 contains .google.com.pk/url?q
BODY 0 contains .google.com.pa/url?q
BODY 0 contains .google.com.py/url?q
BODY 0 contains .google.com.pe/url?q
BODY 0 contains .google.com.ph/url?q
BODY 0 contains .google.pn/url?q
BODY 0 contains .google.pl/url?q
BODY 0 contains .google.pt/url?q
BODY 0 contains .google.com.pr/url?q
BODY 0 contains .google.cg/url?q
BODY 0 contains .google.ro/url?q
BODY 0 contains .google.ru/url?q
BODY 0 contains .google.rw/url?q
BODY 0 contains .google.sh/url?q
BODY 0 contains .google.com.vc/url?q
BODY 0 contains .google.sm/url?q
BODY 0 contains .google.co.yu/url?q
BODY 0 contains .google.com.sg/url?q
BODY 0 contains .google.sk/url?q
BODY 0 contains .google.co.kr/url?q
BODY 0 contains .google.es/url?q
BODY 0 contains .google.se/url?q
BODY 0 contains .google.ch/url?q
BODY 0 contains .google.com.tw/url?q
BODY 0 contains .google.co.th/url?q
BODY 0 contains .google.tt/url?q
BODY 0 contains .google.com.tr/url?q
BODY 0 contains .google.com.ua/url?q
BODY 0 contains .google.ae/url?q
BODY 0 contains .google.co.uk/url?q
BODY 0 contains .google.com.uy/url?q
BODY 0 contains .google.uz/url?q
BODY 0 contains .google.co.ve/url?q
BODY 0 contains .google.com.vn/url?q
----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, November 09, 2005 4:05 PM
Subject: RE: [Declude.JunkMail] Cryptic URL in source
Certainly.
Here is what you see in the e-mail:
http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0
Here is what is in the source:
<a href="http://www.google.com/url?q=http://www.google.com/url?q=http://%73%54%41%09Nd%09%7aA.n%09e%74/%63%67i-b%09%69n%09/%70%6fch/%72e%09di%72.%63g%69?s=intown.net">http://intown.net/HwSbgXkc9vYP4qssBQS0AK6bumsUuatFHAdxX6IZ8vk0</a>
Not that different from some of the phishing e-mails.
This has got to be detectable and should be cause for immediate deletion.
Who has legitimate cause to hide their identity?
Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Wednesday, November 09, 2005 4:40 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Cryptic URL in source
Do you have an example?
----- Original Message -----
From: "Harry Vanderzand" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, November 09, 2005 10:18 AM
Subject: RE: [Declude.JunkMail] Cryptic URL in source
Any ideas on this?
When the URL is hidden with cryptic characters in the source code of an e-mail, it seems to me that it is obviously not a legitimate e-mail, in that deception is being used.
Is there not an easy way to stop e-mail where these practices are being used?
I am running imail 8.21 and declude 3.05.18, the latest sniffer and Invuribl.
Assistance is appreciated
Thank you
Harry Vanderzand
inTown Internet & Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]
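The thread raises three points that are easier to see in working code than in prose: Matt's argument that a filter has to deMIME the message (base64, quoted printable, messages nested in messages) and then match against both the encoded and the decoded text; Dave Beckstrom's suggestion that one pattern could replace the long per-country-domain list Scott posted; and Harry's observation that the link text a reader sees and the href in the source point at different hosts. The following Python 3 example was added by the editor and is not Declude's code nor anything posted by the participants. It uses only the standard library; the sample message, the rule lists and every helper name (`build_sample`, `text_parts`, `variants`, `decode_url`, `hosts_in`, `analyze`) are assumptions constructed for this illustration. It goes a little beyond the single case in the thread by also decoding a quoted-printable body and a message/rfc822 attachment through the same path.

```python
"""Constructed example: deMIME a message, run filter rules over every decoded
form of its text parts, and flag anchors whose visible text names a different
host than the href. Sample message, rules and helper names are assumptions."""
import email
import html
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote, urlsplit

# Declude-style "BODY contains" literals plus one regex that collapses the
# per-country-domain list from the thread into a single rule. The last literal
# only ever matches the *encoded* form, which is why the raw text stays in play.
CONTAINS_RULES = [".google.com/url?q", "/url?q=http", "?q=http://%"]
REGEX_RULES = [re.compile(r"\.google\.[a-z]{2,3}(?:\.[a-z]{2,3})?/url\?q", re.I)]
HREF_RE = re.compile(r'''<a\s[^>]*href\s*=\s*["']?([^"'\s>]+)["']?[^>]*>(.*?)</a>''',
                     re.I | re.S)


def build_sample(cte: str = "base64", nested: bool = False) -> bytes:
    """Constructed message (not from the thread): an HTML part whose link text
    names one host while the href redirects to a percent-encoded host."""
    inner = EmailMessage()
    inner["From"] = "sender@example.test"
    inner["To"] = "user@example.test"
    inner["Subject"] = "constructed sample"
    body = ('<p>See <a href="http://www.google.com/url?q='
            'http://%65%78%61%6d%70%6c%65.%6e%65%74/">http://intown.example/abc</a></p>')
    inner.set_content(body, subtype="html", cte=cte)
    if not nested:
        return inner.as_bytes()
    outer = EmailMessage()          # wrap it as message/rfc822 inside another message
    outer["Subject"] = "forwarded"
    outer.set_content("cover note")
    outer.add_attachment(inner)
    return outer.as_bytes()


def text_parts(raw: bytes):
    """Walk the whole MIME tree (attached messages included) and yield each
    text body with its transfer encoding and charset already undone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def variants(text: str) -> list[str]:
    """Raw text first, then HTML-entity-decoded, then percent-decoded. Rules
    run against every form, so a pattern that decoding destroys is still caught."""
    out = [text]
    for step in (html.unescape, unquote):
        nxt = step(out[-1])
        if nxt != out[-1]:
            out.append(nxt)
    return out


def decode_url(raw_href: str) -> str:
    """Undo entities and percent-encoding, then drop whitespace and control
    characters (a decoded %09 tab, for instance) that break up a hostname."""
    return re.sub(r"[\s\x00-\x1f]", "", unquote(html.unescape(raw_href)))


def hosts_in(url: str) -> list[str]:
    """Every host in a redirect chain: http://a/url?q=http://b/ -> [a, b]."""
    pieces = re.split(r"(?=https?://)", url, flags=re.I)
    return [urlsplit(p).hostname or "" for p in pieces if p.lower().startswith("http")]


def analyze(raw: bytes) -> dict:
    """Return rule hits and (shown host, real host) pairs for mismatched links."""
    hits, mismatches = set(), []
    for text in text_parts(raw):
        for form in variants(text):
            hits.update(r for r in CONTAINS_RULES if r.lower() in form.lower())
            hits.update(rx.pattern for rx in REGEX_RULES if rx.search(form))
        for href, label in HREF_RE.findall(text):
            shown = hosts_in(decode_url(re.sub(r"<[^>]+>", "", label)))
            chain = hosts_in(decode_url(href))
            if shown and chain and shown[0] not in chain:
                mismatches.append((shown[0], chain[-1]))
    return {"hits": sorted(hits), "mismatches": mismatches}


if __name__ == "__main__":
    for cte in ("base64", "quoted-printable"):
        print(cte, analyze(build_sample(cte)))
    print("nested", analyze(build_sample(nested=True)))
```

Both transfer encodings and the nested message produce the same result, because matching happens only after `get_content()` has undone the MIME layer. The `"?q=http://%"` rule fires on the raw form alone and would be lost if the filter kept only the decoded text, which is the trade-off Matt describes; the single regex stands in for the per-domain list; and the mismatch check is the mechanical version of comparing "what you see" with "what is in the source".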