[Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Kami Razvan



Hi;
I am seeing more and more URLs that are encoded, like:

http:[EMAIL PROTECTED]/%72%65%64%6C%69%67%68%74%65%6D%61%69%6C%2F%69%6D%61%67%65%73%2F%30%

I have yet to see anyone with a legitimate e-mail use such an approach for sending their links.

Is there a legitimate reason to do this?

It seems like this could be an easy test to have in JM for the body. It is almost a 100% guarantee that if this is used, the message is spam.

Regards,
Kami


RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Mark Smith
This is a trick to make the user think that they're going to a link on
yahoo.
Actually this is redirecting them to the IP address:

0xD5.0xEF.0x8F.0x9A

or 213.239.143.154, and then the path is encoded.

I can't see any reason to do this.



---
[This E-mail scanned for viruses by F-Proto Virus Scanner]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
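The decoding Mark does by hand above, written out as an added example (this is not code from the thread, from Declude or from any poster; it uses only the Python standard library). The sample link is constructed in the shape of the one in the original post: a familiar name before the '@' that is only userinfo, a hex-dotted IP after it, and a percent-encoded path. It also handles the octal and decimal spellings and the short 1-, 2- and 3-part numeric hosts that inet_aton() accepts, which the thread does not mention but which the same trick uses.

```python
"""Decode an obfuscated link: userinfo decoy, numeric host, encoded path.

Added example, not Declude's or any poster's code.  Standard library only.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the link in the original post (not the
# original link): the name before '@' is userinfo, the real host is the
# hex-dotted IP after it, and the path is percent-encoded plain ASCII.
SAMPLE = "http://www.yahoo.com@0xD5.0xEF.0x8F.0x9A/%72%65%64/%69%6D%67/"

# One dotted part may be hex (0xD5), octal (0325) or decimal (213).
NUMERIC_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def decode_dotted_host(host: str) -> str:
    """Canonicalise a numeric host the way inet_aton() reads it.

    The last part fills whatever bytes remain, so 1, 2, 3 or 4 parts are all
    legal (3589246874 and 213.239.36762 are the same address as
    213.239.143.154).  A host that is not purely numeric is returned
    lower-cased, untouched.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(NUMERIC_PART.fullmatch(p) for p in parts):
        return host.lower()
    nums = []
    for p in parts:
        if p[:2].lower() == "0x":
            nums.append(int(p, 16))
        elif p.startswith("0"):
            nums.append(int(p, 8))      # "0" alone is also fine here
        else:
            nums.append(int(p, 10))
    last_bits = 8 * (5 - len(parts))    # bits left for the final part
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 1 << last_bits:
        raise ValueError(f"numeric host out of range: {host!r}")
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def deobfuscate(url: str) -> dict:
    """Split a link into what the reader sees and where the browser goes."""
    parts = urlsplit(url)
    # urlsplit already separates userinfo (before '@') from the real host.
    return {
        "scheme": parts.scheme,
        "decoy": parts.username,            # None when there is no '@'
        "host": decode_dotted_host(parts.hostname or ""),
        "path": unquote(parts.path),
    }


if __name__ == "__main__":
    info = deobfuscate(SAMPLE)
    print(f"looks like : {info['decoy']}")
    print(f"goes to    : {info['host']}{info['path']}")
```

Note that `urlsplit` does the userinfo split for you; the part most filters miss is that the host is not a name at all, and that a browser will happily take it in hex, octal, decimal or as a single 32-bit integer.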



RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread John Tolmachoff
 This is a trick to make the user think that they're going to a link on
 yahoo.
 Actually this is redirecting them to IP address:
 
 0xD5.0xEF.0x8F.0x9A
 
 or 213.239.143.154 and then encode the path.

Or even worse, it could be coded to access other parts of your computer,
such as the Code Red virus.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com







RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
We've done some research on this and experimented with some rules.
More rule templates are coming, but as it turns out - filtering this is
harder than you might expect - depending upon your system's
requirements. Many supposedly legitimate mail/news systems encode large
segments of URLs or even entire URLs after some processing root in order
to track user activity. Many of our first attempts to filter based on
this kind of encoding have since been rejected due to false positive
requests.

One such rule even blocked messages from the IMail list due to an
encoded %40 in the tag line.

One trick that seems to reduce the false positive rate is to define the
root of the URL carefully and to ensure that the pattern match is at the
root of the URL... so, for example, look for the href= or href= at the
top of the URL to avoid the kind of legitimate encoding that might come
later.

Hope this helps,
_M

PS: We do have a number of rules coding for patterns like this and they
are very successful - not as successful as we thought they would be, but
still pretty good!

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
I might add to this thread that it is fairly common to see Yahoo
Redirects in spam content these days. There are many forms... We also
see redirects through excite, msn, and some unsuspecting corporate sites
- usually referenced by IP.

_M




RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Mark Smith
Theoretically, there should never be an @ symbol in the URL unless it
contains authentication. I can't think of that happening too often.

The problem is searching for http://%@% where % is the wildcard. I don't
think this is possible with the current filters.
Scott?

Maybe just placing a weighted test to search for @ or %40 would help, but
as _M just pointed out there are some that will be trapped.






RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread R. Scott Perry


The problem is searching for http://%@% where % is the wildcard. I don't
think this is possible with the current filters.


No, that wouldn't be possible with the current filters (although the IMail
filters might handle it).

We will likely add two tests; one that looks for encoded characters within
the domain of a URL (i.e. it would catch http://www.declud%65.com but not
http://www.declude.com/sp%61m), and another that looks for an @ within
the URL.
-Scott



RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
Another good way to differentiate the encoded characters is to trap on
encoding of characters that _should_ be normal ASCII letters or numbers. In
theory, the only characters that should be encoded would be outside this
range, so it's a good bet that encoding normal characters is an
obfuscation attempt.

This will definitely need to be a weighted test though.

_M

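The weighted test that the last few messages sketch, as an added example: it is not Declude's, SortMonster's or any poster's code, and the weights and threshold are assumptions chosen for illustration. It anchors the match at href= (Madscientist's point about the root of the URL), scores an @ inside the URL (Mark's and Scott's test), scores percent-encoding inside the domain but not in the path (Scott's first test), and scores percent-encoding of plain ASCII letters and digits that never need it (Madscientist's last point). The sample bodies are constructed; the %40 one mirrors the IMail tag line that tripped the earlier rule and scores zero here, because %40 decodes to @, which is not an unreserved character.

```python
"""Weighted obfuscated-URL test over message bodies.

Added example, not Declude's or any poster's code.  Standard library only;
weights and threshold are assumed values for illustration.
"""
import re
from urllib.parse import urlsplit

# Match only at the start of an href attribute, so an encoding that appears
# later inside a legitimate tracking link is never matched on its own.
HREF_RE = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
NUMERIC_HOST_RE = re.compile(
    r"(?:0x[0-9a-f]+|[0-9]+)(?:\.(?:0x[0-9a-f]+|[0-9]+)){0,3}", re.I)

# Assumed weights and threshold (not tuned against real mail).
W_USERINFO = 30       # http://decoy@real.host/   ('@' inside the URL)
W_ENCODED_HOST = 30   # http://www.declud%65.com/ (encoding in the domain)
W_NUMERIC_HOST = 10   # hex/octal/decimal dotted IP instead of a name
W_UNRESERVED = 15     # %61 for 'a', %37 for '7': never needs encoding
THRESHOLD = 30


def unreserved_encoded(text: str) -> str:
    """Return the plain ASCII letters/digits that were needlessly encoded."""
    chars = (chr(int(h, 16)) for h in PCT_RE.findall(text))
    return "".join(c for c in chars if c.isascii() and c.isalnum())


def score_url(url: str) -> tuple[int, list[str]]:
    """Weighted score plus the reasons, so a filter log explains itself."""
    parts = urlsplit(url)
    score, reasons = 0, []
    if parts.username is not None:
        score += W_USERINFO
        reasons.append("userinfo before '@'")
    if "%" in parts.netloc:
        score += W_ENCODED_HOST
        reasons.append("percent-encoding inside the host")
    if NUMERIC_HOST_RE.fullmatch(parts.hostname or ""):
        score += W_NUMERIC_HOST
        reasons.append("numeric host")
    hits = unreserved_encoded(parts.path + "?" + parts.query)
    if hits:
        score += W_UNRESERVED
        reasons.append(f"unreserved chars encoded: {hits[:10]}")
    return score, reasons


def score_body(body: str) -> list[tuple[str, int, list[str]]]:
    """Score every href= link in a body; returns (url, score, reasons)."""
    return [(url, *score_url(url)) for url in HREF_RE.findall(body)]


def is_obfuscated(body: str) -> bool:
    return any(score >= THRESHOLD for _, score, _ in score_body(body))


# Constructed sample bodies (not taken from real mail).
SPAM = '<a href="http://www.yahoo.com@0xD5.0xEF.0x8F.0x9A/%72%65%64/%69%6D%67/">click</a>'
LIST_TAIL = 'To unsubscribe visit <a href="http://lists.example.com/u?addr=user%40example.com">here</a>'
DECLUDE_PATH = '<a href="http://www.declude.com/sp%61m">spam page</a>'
DECLUDE_HOST = '<a href="http://www.declud%65.com/">home</a>'

if __name__ == "__main__":
    for name, body in [("SPAM", SPAM), ("LIST_TAIL", LIST_TAIL),
                       ("DECLUDE_PATH", DECLUDE_PATH), ("DECLUDE_HOST", DECLUDE_HOST)]:
        for url, score, reasons in score_body(body):
            verdict = "FLAG" if score >= THRESHOLD else "pass"
            print(f"{name:13} {verdict} {score:3} {url}  {reasons}")
```

The path-only case (http://www.declude.com/sp%61m) collects the unreserved-encoding weight but stays under the threshold on its own, which is the "weighted test" behaviour Madscientist asks for; the host-encoded and userinfo cases cross it by themselves. Decoding happens once per link in `unreserved_encoded`, and only on the two-character hex groups, so the double decode John is worried about is not needed.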



RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread John Tolmachoff
 Another good way to differentiate the encoded characters is to trap on
 encoding characters that _should_ be normal ASCII letters or numbers. In
 theory, the only characters that should be encoded would be outside this
 range so it's a good bet that encoding normal characters is an
 obfuscation attempt.
 
 This will definitely need to be a weighted test though.

Wouldn't that also take a good amount of resources, since the string would
have to be decoded twice, one for logical and one for hex?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com



