> -----Original Message-----
> From: Mark [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 22, 2004 11:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Razor-users] Poor detection ratio
>
> Gilbert, Joseph wrote:
>
> > There are a number of tactics of URL obfuscation that could easily
> > permanently kill a filter that was totally reliant on scanning URLs.
> >
> > Third off, there are a significant number of ways to obfuscate/encode
> > URLs. Commonly, most spam still uses a straight hostname based URL
> > which keeps SURBL pretty effective. However, it is also feasible
> > that more and more spammers will use a legitimate looking text
> > display for a link and use an encoded URL, not visible to the average
> > user, within the A HREF tag.
>
> True. But that obfuscation comes at a price: the obfuscation. :) Seriously,
> obfuscating a URL is branding yourself a spammer, in much the same manner
> that writing "v1agra" is a sure giveaway of your malicious intent.
>
> In fact, obfuscating a URL, where no such obfuscation is required, will
> actually make it easier for anti-spam detection tools to weed them out.
> These obfuscated URLs carry, as it were, a spam-signature which transcends
> the actual URL. Which means you can detect a spam URI, regardless of its
> dereferenced location even: the obfuscation itself is evidence of spam.

Sure, oftentimes regexps in SpamAssassin will suffice to detect them. The point of my argument was really against the idea that SURBL is the panacea of all spam-related ills and will forever remain so.

> Granted, SURBL does not yet, to my knowledge, deploy such tests. I highly
> recommend they do, though. If, and when, they do, SURBL will become
> unbeatable: either because of matching spammy domain names directly, or
> through detecting unnecessary obfuscation. Either way, the spammer loses.

From my understanding of SURBL, they are fed by SpamCop. Thus, in order for this to become workable, both SpamCop and SURBL would have to have mechanisms with the same results to unencode the URLs. Otherwise, there would be no match. Now, this doesn't necessarily make the eventual solution less feasible; it just means it now has the inertia of SpamCop to overcome, which may or may not be overly concerned with supporting SURBL.

> P.S. I sent a copy of this email to the SA list, where the makers of SURBL
> seem most active.
>
> - Mark
>
> System Administrator Asarian-host.org
>
> ---
> "If you were supposed to understand it,
> we wouldn't call it code." - FedEx
>
> _______________________________________________
> Razor-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/razor-users
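
The two points raised in this thread, sketched as an added example (not code from the thread, SURBL, SpamCop or SpamAssassin): a host canonicalizer that a reporter and a blocklist would both have to apply to derive the same lookup key, and checks that treat unnecessary encoding or a display-text/HREF mismatch as a signal in itself. All function names and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]")  # RFC 3986: never needs escaping
HOSTLIKE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def canonical_host(url):
    """Decoded, lowercased host: the key reporter and list must both derive."""
    return unquote(urlsplit(url).hostname or "").lower().rstrip(".")

def needless_escapes(url):
    """Percent-escapes that decode to characters which never need escaping."""
    return [m.group(0) for m in ESCAPE.finditer(url)
            if UNRESERVED.fullmatch(chr(int(m.group(1), 16)))]

class Links(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect(html):  # returns [(canonical host, findings)] per link
    parser = Links()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host, findings = canonical_host(href), []
        if needless_escapes(href):
            findings.append("needless-percent-encoding")
        if (shown := HOSTLIKE.search(text)) and shown.group(1).lower() != host:
            findings.append("text-host-mismatch")
        results.append((host, findings))
    return results

# Constructed sample message body (reserved .example names, not real spam).
SAMPLE = ('<a href="http://%73%70am.example/buy">www.bank.example</a> '
          '<a href="http://spam.example/buy">click here</a> '
          '<a href="http://www.example.org/a%20b">www.example.org</a>')
```

The encoded and plain links in the sample resolve to the same canonical host, so a list lookup matches either form, while only the encoded one carries obfuscation findings.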