> Another good way to differentiate the encoded characters is to trap on
> encoding characters that _should_ be normal ASCII letters or numbers. In
> theory, the only characters that should be encoded would be outside this
> range so it's a good bet that encoding normal characters is an
> obfuscati
ation attempt.
This will definitely need to be a weighted test though.
_M
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of R.
| Scott Perry
| Sent: Thursday, December 19, 2002 1:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code
The problem is searching for http://%@% where % is the wildcard. I don't
think this is possible with the current filters.
No, that wouldn't be possible with the current filters (although the IMail
filters might handle it).
We will likely add two tests; one that looks for encoded characters wi
PROTECTED]
> Subject: RE: [Declude.JunkMail] Hex Code URL's...
>
>
> We've done some research on this and experimented with some
> rules. More rule templates are coming, but as it turns out -
> filtering this is harder than you might expect - depending
> upon your s
]
| [mailto:[EMAIL PROTECTED]] On Behalf Of John
| Tolmachoff
| Sent: Thursday, December 19, 2002 12:57 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
|
|
| > This is a trick to make the user think that they're going
| to a link on
| > yahoo.
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Thursday, December 19, 2002 12:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
|
|
| This is a trick to make the user think that they'
> This is a trick to make the user think that they're going to a link on
> yahoo.
> Actually this is redirecting them to IP address:
>
> 0xD5.0xEF.0x8F.0x9A
>
> or 213.239.143.154 and then encode the path.
Or even worse, it could be coded to access other parts of your computer,
such as Code Red
This is a trick to make the user think that they're going to a link on
yahoo.
Actually this is redirecting them to IP address:
0xD5.0xEF.0x8F.0x9A
or 213.239.143.154 and then encode the path.
I can't see any reason to do this.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL