Perhaps something that looks for a "%" symbol between "http://"; and the next "/" (or whitespace). I'm no regex wiz, but would
http://[\w\.-]*%[\w\.-]*/? do the job? rOD. -- "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered where this started and I think it goes back to the time I went to the circus, and a clown killed my dad." ----- Original Message ----- From: "Bill Becker" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, January 22, 2002 12:49 PM Subject: [SAtalk] HTTP/URL rules > > I've noticed a new wave of spam with obfuscated URLs lately. There seem > to be a lot of them, and they are getting pretty fancy EG: > > href="http://www.g%65%6f%63%69t%69es.%63o%6d%2fto%70so%66t%77%253fh%2569%257 %34%2e%25%36%33tr%2e%2540%2565s.g%65%6f%256%33i%2574%256%39%256%35%2573.%25% 36%33om%252f%256eu%255%66%257%30%257%34%253%66hit%252e%2563%74r.@home%2ee%61 r%74h%6ci%6ek%2enet/%7eno%76i9?hit.ctr.@%6de%6db%65%72%73%2etripod%2ec%6fm/% 7ecart7" > > Anything with a '%' in the FQDN part of a URL would qualify as an > obfuscated URL, no? > > Would something like this be hard to detect with a regex? > > Regards, > Bill > > > _______________________________________________ > Spamassassin-talk mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk > _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
