On Fri, 13 Feb 2009, Benny Pedersen wrote:
On Fri, February 13, 2009 18:12, John Hardin wrote:
If a URI rule works, what's wrong with a body rule?
nothing wroung making bad rules either, point is that if bad rules
is needed one have also bad behaving browser problem
Why should the fact that a mail client won't render that URI as a
clickable link mean there shouldn't be a rule for it? Spammers have been
obfuscating URIs in this manner for a long time. There's nothing wrong
with rules for obfuscated URIs.
OT: Benny, could you refrain from setting your Reply-To to the email
address of the original poster? Setting it to the mailing list address is
fine, but setting it to the original poster is just passive-aggressive
rudeness.
On Fri, 13 Feb 2009, Franz Schwartau wrote:
So, does anyone know a more general solution for this kind of spam
instead of individual body rules?
You might try a rule like:
body URI_SPC_OBFU_SPC /\bwww\s{1,20}\.\s{1,20}\w{5,20}\s{1,20}\.\s{1,20}net\b/i
I think it would be risky to make the URI parser attempt too much
deobfuscation; however, accepting \s+\.\s+ as \. might be justified.
Perhaps \s+dot\s+ as well.
If the spammer uses something more complex they're reducing the likelihood
the recipient will bother to deobfuscate the URI, and it's more likely to
be caught by bayes, so I'd suggest the ROI to SA for making it more
aggressive isn't large enough.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
9 days until George Washington's 277th Birthday
