Matt
# OBFUSCATION
# Last Update: 09/14/2003
#
# Description:
# Encoding of letters and numbers in E-mail is unnecessary; however, various techniques are
# sometimes used by spammers to hide from filters, even mixing multiple techniques in URL's at
# times. This filter will detect text and URL encoding only in combinations where multiple
# encoded numbers and characters are in succession or mixed with HTTP address components. More
# information on URL obfuscation techniques can be found at: http://www.pc-help.org/obscure.htm
#
# Usage:
# OBFUSCATION filter C:\IMail\Declude\Obfuscation.txt x 7 0
#
# False Positives:
# Web designers and programmers passing code, ASCII text art, and legitimate bulk mailers that
# needlessly URL encode letters and numbers in their script arguments (only special characters
# are necessary). False positives are extremely rare.
#
# Counterbalances:
# Negative weighting is applied for responsible bulk mailers that fail this test. In order to further
# protect from the possibility of HTML or scripting file attachments triggering this filter, an
# optional counterbalance for all E-mail with attachments can be used; using it would mark
# all E-mail with attachments, though it would not score them.
#
# Test Exclusions:
# Attachments, and Ticketmaster.

#BODY -7 CONTAINS content-disposition: attachment
MAILFROM -7 ENDSWITH ticketmaster.com

# URL Encoded Obfuscation:
# This technique is used to obfuscate URL's. The filter will only match two characters in
# succession with the first being a letter or number in order to protect from false positives.
#
# Example:
# http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/

# 0-9
BODY 0 CONTAINS %30%
BODY 0 CONTAINS %31%
BODY 0 CONTAINS %32%
BODY 0 CONTAINS %33%
BODY 0 CONTAINS %34%
BODY 0 CONTAINS %35%
BODY 0 CONTAINS %36%
BODY 0 CONTAINS %37%
BODY 0 CONTAINS %38%
BODY 0 CONTAINS %39%

# A-Z
BODY 0 CONTAINS %41%
BODY 0 CONTAINS %42%
BODY 0 CONTAINS %43%
BODY 0 CONTAINS %44%
BODY 0 CONTAINS %45%
BODY 0 CONTAINS %46%
BODY 0 CONTAINS %47%
BODY 0 CONTAINS %48%
BODY 0 CONTAINS %49%
BODY 0 CONTAINS %4a%
BODY 0 CONTAINS %4b%
BODY 0 CONTAINS %4c%
BODY 0 CONTAINS %4d%
BODY 0 CONTAINS %4e%
BODY 0 CONTAINS %4f%
BODY 0 CONTAINS %50%
BODY 0 CONTAINS %51%
BODY 0 CONTAINS %52%
BODY 0 CONTAINS %53%
BODY 0 CONTAINS %54%
BODY 0 CONTAINS %55%
BODY 0 CONTAINS %56%
BODY 0 CONTAINS %57%
BODY 0 CONTAINS %58%
BODY 0 CONTAINS %59%
BODY 0 CONTAINS %5a%

# a-z
BODY 0 CONTAINS %61%
BODY 0 CONTAINS %62%
BODY 0 CONTAINS %63%
BODY 0 CONTAINS %64%
BODY 0 CONTAINS %65%
BODY 0 CONTAINS %66%
BODY 0 CONTAINS %67%
BODY 0 CONTAINS %68%
BODY 0 CONTAINS %69%
BODY 0 CONTAINS %6a%
BODY 0 CONTAINS %6b%
BODY 0 CONTAINS %6c%
BODY 0 CONTAINS %6d%
BODY 0 CONTAINS %6e%
BODY 0 CONTAINS %6f%
BODY 0 CONTAINS %70%
BODY 0 CONTAINS %71%
BODY 0 CONTAINS %72%
BODY 0 CONTAINS %73%
BODY 0 CONTAINS %74%
BODY 0 CONTAINS %75%
BODY 0 CONTAINS %76%
BODY 0 CONTAINS %77%
BODY 0 CONTAINS %78%
BODY 0 CONTAINS %79%
BODY 0 CONTAINS %7a%

# With HTTP
BODY 0 CONTAINS http://%
BODY 0 CONTAINS %@%
BODY 0 CONTAINS %.%

# HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's and hide keywords. The filter will only match
# two characters in succession with the first being a letter or number in order to protect
# from false positives.
#
# Examples:
# <A HREF="http://www.google.com/">Google</A>
# VIAGRA

# 0-9
BODY 0 CONTAINS 0&#
BODY 0 CONTAINS 1&#
BODY 0 CONTAINS 2&#
BODY 0 CONTAINS 3&#
BODY 0 CONTAINS 4&#
BODY 0 CONTAINS 5&#
BODY 0 CONTAINS 6&#
BODY 0 CONTAINS 7&#
BODY 0 CONTAINS 8&#
BODY 0 CONTAINS 9&#

# A-Z
BODY 0 CONTAINS A&#
BODY 0 CONTAINS B&#
BODY 0 CONTAINS C&#
BODY 0 CONTAINS D&#
BODY 0 CONTAINS E&#
BODY 0 CONTAINS F&#
BODY 0 CONTAINS G&#
BODY 0 CONTAINS H&#
BODY 0 CONTAINS I&#
BODY 0 CONTAINS J&#
BODY 0 CONTAINS K&#
BODY 0 CONTAINS L&#
BODY 0 CONTAINS M&#
BODY 0 CONTAINS N&#
BODY 0 CONTAINS O&#
BODY 0 CONTAINS P&#
BODY 0 CONTAINS Q&#
BODY 0 CONTAINS R&#
BODY 0 CONTAINS S&#
BODY 0 CONTAINS T&#
BODY 0 CONTAINS U&#
BODY 0 CONTAINS V&#
BODY 0 CONTAINS W&#
BODY 0 CONTAINS X&#
BODY 0 CONTAINS Y&#
BODY 0 CONTAINS Z&#

# a-z
BODY 0 CONTAINS a&#
BODY 0 CONTAINS b&#
BODY 0 CONTAINS c&#
BODY 0 CONTAINS d&#
BODY 0 CONTAINS e&#
BODY 0 CONTAINS f&#
BODY 0 CONTAINS g&#
BODY 0 CONTAINS h&#
BODY 0 CONTAINS i&#
BODY 0 CONTAINS j&#
BODY 0 CONTAINS k&#
BODY 0 CONTAINS l&#
BODY 0 CONTAINS m&#
BODY 0 CONTAINS n&#
BODY 0 CONTAINS o&#
BODY 0 CONTAINS p&#
BODY 0 CONTAINS q&#
BODY 0 CONTAINS r&#
BODY 0 CONTAINS s&#
BODY 0 CONTAINS t&#
BODY 0 CONTAINS u&#
BODY 0 CONTAINS v&#
BODY 0 CONTAINS w&#
BODY 0 CONTAINS x&#
BODY 0 CONTAINS y&#
BODY 0 CONTAINS z&#

# With HTTP
BODY 0 CONTAINS http://&#
BODY 0 CONTAINS ;@&#
BODY 0 CONTAINS ;.&#

# Combination URL and HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's. The filter will match two differently encoded
# characters in succession or separated by HTTP address components.
#
# Example:
# <A HREF="http://%77w%77.g%6Fo%67l%65.c%6Fm/">Google</A>

BODY 0 CONTAINS %&#
BODY 0 CONTAINS %@&#
BODY 0 CONTAINS ;@%
BODY 0 CONTAINS %.&#
BODY 0 CONTAINS ;.%

# Hexadecimal IP Obfuscation:
# This technique is used to obfuscate IP addresses. The filter will only match a hexadecimal
# number found immediately following one of three possible HTTP address components. Commented
# out due to a lack of current use in spam.
#
# Example:
# http://0xd8.0xef.0x25.0x64/

#BODY 0 CONTAINS http://0x0
#BODY 0 CONTAINS http://0x1
#BODY 0 CONTAINS http://0x2
#BODY 0 CONTAINS http://0x3
#BODY 0 CONTAINS http://0x4
#BODY 0 CONTAINS http://0x5
#BODY 0 CONTAINS http://0x6
#BODY 0 CONTAINS http://0x7
#BODY 0 CONTAINS http://0x8
#BODY 0 CONTAINS http://0x9
#BODY 0 CONTAINS http://0xa
#BODY 0 CONTAINS http://0xb
#BODY 0 CONTAINS http://0xc
#BODY 0 CONTAINS http://0xd
#BODY 0 CONTAINS http://0xe
#BODY 0 CONTAINS http://0xf
#BODY 0 CONTAINS @0x0
#BODY 0 CONTAINS @0x1
#BODY 0 CONTAINS @0x2
#BODY 0 CONTAINS @0x3
#BODY 0 CONTAINS @0x4
#BODY 0 CONTAINS @0x5
#BODY 0 CONTAINS @0x6
#BODY 0 CONTAINS @0x7
#BODY 0 CONTAINS @0x8
#BODY 0 CONTAINS @0x9
#BODY 0 CONTAINS @0xa
#BODY 0 CONTAINS @0xb
#BODY 0 CONTAINS @0xc
#BODY 0 CONTAINS @0xd
#BODY 0 CONTAINS @0xe
#BODY 0 CONTAINS @0xf
#BODY 0 CONTAINS .0x0
#BODY 0 CONTAINS .0x1
#BODY 0 CONTAINS .0x2
#BODY 0 CONTAINS .0x3
#BODY 0 CONTAINS .0x4
#BODY 0 CONTAINS .0x5
#BODY 0 CONTAINS .0x6
#BODY 0 CONTAINS .0x7
#BODY 0 CONTAINS .0x8
#BODY 0 CONTAINS .0x9
#BODY 0 CONTAINS .0xa
#BODY 0 CONTAINS .0xb
#BODY 0 CONTAINS .0xc
#BODY 0 CONTAINS .0xd
#BODY 0 CONTAINS .0xe
#BODY 0 CONTAINS .0xf

# Octal IP Obfuscation:
# This technique is used to obfuscate IP addresses. Due to the possibility of false positives,
# the filter will only match an HTTP address component followed by two zeros, which indicates a
# high probability of an octal number, though only one zero is required for proper encoding.
# Commented out due to a lack of current use in spam.
#
# Example:
# http://0330.000357.0063.00000144/

#BODY 0 CONTAINS http://00
#BODY 0 CONTAINS @00
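Added example, not part of the filter file or of Declude: the five detection sections above reimplemented as Python regular expressions and run over constructed message bodies. It shows which section fires on each technique, that the filter's own octal example carries only one zero after http:// and so is missed by the two-zero rule, and that ordinary percent-encoding of special characters stays clean. The names RULES, obfuscation_hits and SAMPLES and all sample bodies are my own.

```python
import re

# Added example, not part of the Declude filter above: the same detection logic
# reimplemented in Python so the rules can be exercised offline against message bodies.

# Two-digit hex codes for 0-9, A-Z and a-z: the filter only fires when one of these
# encoded letters/digits is immediately followed by another encoded character.
ALNUM_HEX = "|".join(f"{ord(c):02x}" for c in
                     "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# One regex per section of the filter; each alternative mirrors one CONTAINS string.
RULES = {
    # %41% style pairs, plus an encoded character next to a URL component
    "url_encoded": re.compile(r"%(?:" + ALNUM_HEX + r")%|http://%|%@%|%\.%", re.I),
    # a literal letter/digit immediately followed by an HTML entity (V&#73;AGRA)
    "html_encoded": re.compile(r"[0-9A-Za-z]&#|http://&#|;@&#|;\.&#"),
    # URL-encoded and entity-encoded characters mixed in one address
    "combination": re.compile(r"%&#|%@&#|;@%|%\.&#|;\.%"),
    # hex literal right after http://, @ or . (commented out in the filter itself)
    "hex_ip": re.compile(r"(?:http://|@|\.)0x[0-9a-f]", re.I),
    # two leading zeros after http:// or @ (also commented out in the filter)
    "octal_ip": re.compile(r"(?:http://|@)00"),
}

def obfuscation_hits(body):
    """Map each technique name to the substrings in body that would trigger it."""
    hits = {}
    for name, rx in RULES.items():
        found = rx.findall(body)
        if found:
            hits[name] = found
    return hits

# Constructed sample bodies (not real mail); the html and mixed cases are my own
# constructions, since the entity encoding in the filter's examples did not survive.
SAMPLES = {
    "url": "http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/",
    "html": 'Buy V&#73;AGRA at <A HREF="http://&#119;ww.example.com/">here</A>',
    "mixed": '<A HREF="http://%77%77&#119;.%67oogle.com/">Google</A>',
    "hexip": "http://0xd8.0xef.0x25.0x64/",
    "octal": "http://00330.000357.0063.00000144/",
    # the filter's own octal example: only one zero after http://, so it is missed
    "octal_one_zero": "http://0330.000357.0063.00000144/",
    # legitimate encoding of special characters only: must not match anything
    "clean": "Order: http://shop.example/cart?q=a%20b&r=%2Fx",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15} {obfuscation_hits(body)}")
```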
