On Mon, Apr 24, 2006 at 09:27:47PM -0400, Matt Kettler wrote:
> > Is URI the way to go when tracking obfuscation, as in:
> > uri __LINKAGE_A284 [EMAIL PROTECTED]

Yes. The uri rules run over both the raw version and the decoded versions.

> Neither of the above will work.. Both uri and rawbody rules are run
> after QP (and base 64) decoding is done.

FWIW, the character encoding (w = %77) isn't QP or base64, it's just encoding.

> There's some proposals to have a more configurable set of choices but
> right now "raw" is really "half cooked", and uri is "fully cooked" just
> like body.

uri is a large array of all the uris found in the mail. For each raw one found in the mail, SA goes through and "canonicalizes" them (remove obfuscation, find redirector patterns, etc.), and then all of those (raw and canonical) are run through by the uri rules.

-- 
Randomly Generated Tagline:
"Well, last time I checked, I wasn't a trout ..." - rei.com radio ad
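Added example (not part of the original message, and not SpamAssassin's own code): a simplified Python model of the behaviour described in the reply, where each raw URI and its canonicalized forms go into one list and a uri rule is tried against every entry. The function names, the constructed sample URIs under `.example`, and the two canonicalization steps shown (percent-decoding and pulling a target URL out of a redirector's query string) are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample URIs, as they might appear raw in a message body.
SAMPLE_URIS = [
    "http://%77%77%77.spam.example/offer",                        # w written as %77
    "http://redir.example/go?u=http%3A%2F%2Fwww.spam.example%2F",  # redirector
]

def canonical_variants(raw_uri):
    """Return the raw URI followed by its simplified canonical forms."""
    variants = [raw_uri]
    decoded = unquote(raw_uri)  # undo %XX character encoding
    if decoded not in variants:
        variants.append(decoded)
    # Redirector pattern: a complete URL carried as a query parameter value.
    for _, value in parse_qsl(urlsplit(raw_uri).query):
        if re.match(r"https?://", value, re.I) and value not in variants:
            variants.append(value)
    return variants

def build_uri_list(raw_uris):
    """One flat list holding every raw URI and every canonical form."""
    uri_list = []
    for raw in raw_uris:
        for variant in canonical_variants(raw):
            if variant not in uri_list:
                uri_list.append(variant)
    return uri_list

def uri_rule_matches(pattern, raw_uris):
    """Entries of the combined list that a uri-style regex rule would hit."""
    rule = re.compile(pattern, re.I)
    return [uri for uri in build_uri_list(raw_uris) if rule.search(uri)]

if __name__ == "__main__":
    # A rule written for the plain hostname hits the canonical forms ...
    print(uri_rule_matches(r"^http://www\.spam\.example", SAMPLE_URIS))
    # ... while a rule written for the obfuscation itself hits the raw form.
    print(uri_rule_matches(r"%77%77%77", SAMPLE_URIS))
```

Because both forms are in the list, a rule can target either the clean hostname or the obfuscation pattern itself.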