In an older episode (Sunday 01 May 2005 02:07), Loren Wilton wrote:
> > Again and again, we receive messages that contain stuff like
> > <a href=3d"http://advinc-ma=2enetfirms=2ecom/">
> > instead of
> > <a href="http://advinc-ma.netfirms.com/">
> >
> > That prevents uri / body rules like e.g.
>
> no/yes
>
> > /netfirms\.com/
> > and URIBL rules from being triggered. I wonder if there is some "function" to
> > automatically "de-code" such items instead of having to use stuff like
> > /netfirms(?:\.|=2e)com/ and how I could use it with SA.
>
> URI rules should be hitting already; certainly on 3.0.

Indeed, URI rules hit, thanks for the hint.

> Body rules on 3.0
> may be failing. But then, I'm not sure that 3.0 will have the uri in the
> body text. Rawbody and full rules will certainly fail. After all, that is
> the whole reason the spammers do that extra extraneous encoding.
>
> But then, it is nice that they put that extra encoding in the uris. Makes
> it easy to add points for useless uri encoding. :-)
>
> Loren
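
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: a Python sketch that decodes a quoted-printable part before applying the `/netfirms\.com/` rule, and lists escapes that encode characters which never need escaping. The function names and the sample line (built from the link quoted above) are constructed for illustration, and the part is assumed to be declared `Content-Transfer-Encoding: quoted-printable`.

```python
import quopri
import re

# Rule from the thread: only matches once the dots are literal.
HOST_RULE = re.compile(r"netfirms\.com")
HREF_RE = re.compile(r"href\s*=\s*[\"']?([^\"'\s>]+)", re.I)
QP_ESCAPE_RE = re.compile(r"=([0-9A-Fa-f]{2})")

# Constructed sample: one line of a quoted-printable HTML part.
SAMPLE = '<a href=3d"http://advinc-ma=2enetfirms=2ecom/">click</a>\n'


def needless_qp_escapes(raw):
    """Return escapes that encode printable ASCII other than '='.

    RFC 2045 lets bytes 33-126 (except '=') appear literally, so an
    escape such as '=2e' for '.' serves no transport purpose.
    """
    found = []
    for match in QP_ESCAPE_RE.finditer(raw):
        code = int(match.group(1), 16)
        if 33 <= code <= 126 and chr(code) != "=":
            found.append(match.group(0))
    return found


def scan_part(raw, rule=HOST_RULE):
    """Compare rule hits on the raw and the decoded form of a QP part."""
    decoded = quopri.decodestring(raw.encode("latin-1")).decode("latin-1")
    return {
        "raw_hit": bool(rule.search(raw)),          # what a rawbody rule sees
        "decoded_hit": bool(rule.search(decoded)),  # after transfer decoding
        "hrefs": HREF_RE.findall(decoded),
        "needless": needless_qp_escapes(raw),
    }


if __name__ == "__main__":
    for key, value in scan_part(SAMPLE).items():
        print(f"{key}: {value}")
```

The `=3d` in the sample is not counted because a literal `=` must be escaped in quoted-printable; only the two `=2e` escapes are reported.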