On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>> A hostname cannot be all digits and except when the IP is used there
>> will be a TLD, so if you see a pattern such as
>>
>> http:// 123456789/ cgi-bin/innocent_code.pl
>>
>> (Ignore the spaces they are there to let this post slip by most antispam
>> detection) then you can surmise it is an attempt at obfuscation.
> I don't get it, what's the pattern we're looking for? An IP address is a
> number. Any way you specify it is fine. 123456789 is no more obfuscated
> than whatever it would be if you converted it to dotted quad. They both
> represent the same number.
>
> If you're trying to match a text pattern against an integer, you're
> doing it wrong.
He is not trying to match the IP address. He is trying to match an
unusual way of presenting the IP address that seems to occur primarily
in spam.

Whether this is something that should be done in ClamAV or would be
better done by something like SpamAssassin is another question
altogether.

-- 
Bowie
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
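
The presentation-versus-value distinction discussed in this thread, as an added example that is not part of the original posts and is not ClamAV or SpamAssassin code: a Python filter that flags URLs whose host is written as a bare decimal integer and reports the dotted quad that integer denotes. The function names and the sample message text are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Candidate URLs in free text; trailing sentence punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def integer_host_to_ip(host):
    """Return the dotted quad if host is a bare decimal integer, else None."""
    if not (host.isascii() and host.isdigit()):
        return None                  # names and dotted quads are not flagged
    value = int(host)
    if value > 0xFFFFFFFF:
        return None                  # does not fit a 32-bit IPv4 address
    return str(ipaddress.IPv4Address(value))


def find_integer_host_urls(text):
    """Return (url, host, dotted_quad) for each URL whose host is all digits."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:           # malformed authority, e.g. broken brackets
            continue
        dotted = integer_host_to_ip(host)
        if dotted is not None:
            hits.append((url, host, dotted))
    return hits


# Constructed sample body. 123456789 is the integer quoted in the thread;
# 3232235777 is the integer form of 192.168.1.1.
SAMPLE = """\
Click http://123456789/cgi-bin/innocent_code.pl now.
Mirror: http://3232235777:8080/index.html
Normal links: http://www.example.com/page and http://192.0.2.10/status.
"""

if __name__ == "__main__":
    for url, host, dotted in find_integer_host_urls(SAMPLE):
        print(f"{url}  host={host} -> {dotted}")
```

The match is on how the host is written, not on the address value, so the same address written as a dotted quad is not flagged.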