On Thu, 18 May 2006, Matt Kettler wrote:

> John D. Hardin wrote:
> > Re: http://isc.sans.org/diary.php?storyid=1342
> >
> > (1) Are there any rules currently in SA or SARE that will trigger on
> > encoded characters in the hostname part of a URL?
> >
> > (2) Does the URL extractor for SURBL checks properly deal with
> > URL-encoded hostnames?
>
> Yes, SA in general deals with most forms of URI encoding.
>
> The surbl checks are not confused by the use of ".%63%6f%6d" instead of
> ".com".
> The general SA architecture decodes these long before the surbl rules see it.

Does encoding plain text ([A-Za-z0-9._]) in a URL add any points?

> I also don't understand why this is a new thing to the ISC
> handler's diary. Spammers have been using that trick for a
> LOOOOOONG time. It's more common in phishing than spam, but it's
> still common in both.

<shrug>

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The problem is when people look at Yahoo, slashdot, or groklaw and
jump from obvious and correct observations like "Oh my God, this place
is teeming with utter morons" to incorrect conclusions like "there's
nothing of value here." -- Al Petrofsky, in Y! SCOX
-----------------------------------------------------------------------
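The two points in the exchange above, that a URI blocklist lookup must see the hostname after percent-decoding, and that percent-encoding characters which never need encoding ([A-Za-z0-9._]) is itself a signal worth scoring, are shown here as an added example. This is illustrative Python, not SpamAssassin's or SURBL's own code; `CONSTRUCTED_BLOCKLIST` and the `.test` hostnames are constructed sample data, and the function names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters that never need percent-encoding in a hostname: the set asked
# about in the thread, [A-Za-z0-9._]. Encoding any of these is needless and
# only serves to hide the hostname from naive pattern matching.
PLAIN = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._")

# One %XX escape sequence (hex digits in either case).
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed sample blocklist (registered-domain keys), not a real SURBL zone.
CONSTRUCTED_BLOCKLIST = {"bad.test"}


def decode_hostname(url):
    """Return the URL's hostname with %XX escapes decoded (one level) and
    lowercased, which is the form a blocklist lookup must operate on."""
    host = urlsplit(url).hostname or ""
    return unquote(host).lower()


def needless_encoding(url):
    """List the characters in the hostname that were percent-encoded even
    though they are plain [A-Za-z0-9._]; a non-empty result is suspicious."""
    host = urlsplit(url).hostname or ""
    decoded = [chr(int(h, 16)) for h in PCT.findall(host)]
    return [c for c in decoded if c in PLAIN]


def surbl_lookup_key(url):
    """Reduce the decoded hostname to its last two labels as a simplified
    lookup key (a real resolver would apply per-TLD rules; assumption here)."""
    labels = decode_hostname(url).split(".")
    return ".".join(labels[-2:])


def is_listed(url, blocklist=CONSTRUCTED_BLOCKLIST):
    """True if the decoded registered domain is on the (sample) blocklist."""
    return surbl_lookup_key(url) in blocklist


if __name__ == "__main__":
    # Constructed sample URLs: the first hides "bad" as %62%61%64.
    for u in ("http://www.%62%61%64.test/login", "http://www.good.test/"):
        print(u, "->", decode_hostname(u),
              "needless:", needless_encoding(u),
              "listed:", is_listed(u))
```

`unquote` decodes a single level of escaping, so a doubly encoded sequence such as `%2563` comes back as `%63`; a scanner that wants to follow such chains would loop until the string stops changing and treat more than one round as its own signal.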