John D. Hardin wrote:
> On Tue, 6 Feb 2007, Kenneth Porter wrote:
>> The latest obfuscation cleverly uses a dash, a legal domain
>> character, so one can no longer match based on non-domain
>> characters.
>
> I think the most robust non-DNS test would be on the length of the TLD
> in the obfuscated domain.
>
> What's the longest valid TLD these days? "info" at 4?
>
> Perhaps something like:
>
>   ,https?://[^/]{1,80}\.[^./]{5},
>
> (Refinements, of course, solicited. That's totally off the top of my
> head and untested.)

There are too many possible obfuscations using valid characters.
This extends to non-URL spam as well, of course, i.e. "replace the 'R'
with a 'P'" for the stock symbol spam, etc.
We need to have a good rule(s) for all of the variations of the
'remove|replace|substitute' text.
Ken A.
Pacific.Net
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
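
The TLD-length test proposed in the quoted reply, as an added example that is not code from the thread or from SpamAssassin: it parses each URL, takes only the last label of the host (so dots in the path are ignored), and flags it when it is too long or not purely alphabetic. `MAX_TLD_LEN`, `suspicious_tld`, `scan` and the sample body are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumption of this example: 6 covers the longest gTLDs of 2007 (.museum,
# .travel). The root zone now holds much longer TLDs, so a current filter
# should compare against the IANA TLD list rather than a length cap.
MAX_TLD_LEN = 6
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def suspicious_tld(url, max_len=MAX_TLD_LEN):
    """Return the last host label if it cannot be a TLD, else None."""
    try:
        host = urlsplit(url).hostname  # drops userinfo, port and path
    except ValueError:                 # malformed bracketed host
        return None
    host = (host or "").rstrip(".")
    if "." not in host or ":" in host:  # single label or IPv6 literal
        return None
    last = host.rsplit(".", 1)[1]
    if last.isdigit():                  # dotted-quad IPv4 literal
        return None
    # Too long, or contains a dash/digit: TLDs of that era were alphabetic.
    if len(last) > max_len or not last.isalpha():
        return last
    return None

def scan(body):
    """Return (url, offending_label) for each suspicious URL in body."""
    hits = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:!?)")  # sentence punctuation
        label = suspicious_tld(url)
        if label is not None:
            hits.append((url, label))
    return hits

# Constructed message body (not from the thread), reserved example domains.
SAMPLE = (
    "Visit http://www.example.com-removethis/offer today.\n"
    "Docs: https://www.example.org/path.and.dots/page.html and\n"
    "http://192.0.2.10:8080/x or http://shop.example.info.\n"
    "Also http://mail.example.net-x/ (short suffix).\n"
)

if __name__ == "__main__":
    for url, label in scan(SAMPLE):
        print(f"{label!r} is not a plausible TLD in {url}")
```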