There are a number of tactics of URL obfuscation that could easily
permanently kill a filter that was totally reliant on scanning URLs.

First off, note that in an HTML link, the text displayed for a link is not
tied to the link itself.  The URL below could easily say
http://www.yahoo.com/ and still point to http://24.203.43.129/freegoop.html.
Thus, yes... your grandmother would still be fooled.

Second off, there is the issue with throw-away domains.  Spamcop probably
has a reasonably fast path to actually discovering a new throw-away domain
and thus, the domain will make its way into sburl.  However, also note that
SpamAssassin has been around for some years now and is widely used by many
more people than those who use SpamAssassin or even Razor.  With improvements to
code and a broader user-base Razor could foreseeably become as effective as
SpamCop in registering new findings.

Third off, there are a significant number of ways to obfuscate/encode URLs.
Commonly, most spam still uses a straight hostname based URL which keeps
sburl pretty effective.  However, it is also feasible that more and more
spammers will use a legitimate looking text display for a link and use an
encoded URL, not visible to the average user, within the A HREF tag.  Such
methods could include using the IP; which could be broken up a number of
ways, not just into 4 octets; or using Unicode or hex characters to provide
a high number of unique combinations that, if used effectively, would take a
very long time to get into sburl.

I do not know enough about the source code or Razor to know if the same
methods would spell havoc as well.  I would imagine so.  In any case, the
main point of this email is that this will be an ever evolving battle
against spam since there are a variety of tactics that are not being used yet or
even thought of.  I don't see any one solution that will be wholly effective
on its own.  Sure, sburl works great now but that could easily not be the
case a year from now since its approach is somewhat limited.

Joe Gilbert


-----Original Message-----
From: John Andersen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Razor-users] Poor detection ratio


On Wednesday 21 April 2004 04:35, Tom Allison wrote:

> > spamassassin wasn't catching had a very high percentage of links to
> > domains that were under a month old, most under a week old.
>
> This would work up until the moment that they change their addresses to:
> http://24.203.43.129/freegoop.html

True, but even my grandmother wouldn't trust numeric IPs in
a url....

-- 
_____________________________________
John Andersen


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Razor-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/razor-users
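
The host normalization a URL-list filter would need before lookup, as an added example (not code from sburl, Razor or SpamAssassin): it reduces the numeric-IP spellings and percent-escapes discussed in the thread to one dotted quad, and flags link text that names a different host than the href. The blocklist set and the sample HTML are constructed for illustration; Unicode lookalike hostnames are not handled here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def _part(p):
    """Parse one dotted component as hex (0x..), octal (0..) or decimal."""
    for pattern, base in ((r"0x[0-9a-f]+", 16), (r"0[0-7]*", 8), (r"[1-9][0-9]*", 10)):
        if re.fullmatch(pattern, p):
            return int(p, base)
    raise ValueError(p)

def canonical_host(url):
    """Host of url in one form: a dotted quad for any numeric IPv4 spelling."""
    host = unquote(urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        *head, last = [_part(p) for p in host.split(".")]
    except ValueError:
        return host  # ordinary hostname: compare as-is
    if len(head) > 3 or max(head, default=0) > 255 or last >= 256 ** (4 - len(head)):
        return host
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html, blocklist):
    """Per link: (canonical host, on blocklist?, visible text names another host?)."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = [(canonical_host(h), canonical_host(t) if "://" in t else None)
             for h, t in collector.links]
    return [(h, h in blocklist, s not in (None, h)) for h, s in hosts]

# Constructed sample: the thread's example address written in hex, behind a yahoo label.
SAMPLE = '<a href="http://0x18cb2b81/freegoop.html">http://www.yahoo.com/</a>'
print(audit(SAMPLE, {"24.203.43.129"}))  # set is a hypothetical blocklist
```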

