On Sep 19, 2011, at 12:04 PM, Bowie Bailey wrote:

> On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>>> A hostname cannot be all digits and except when the IP is used there
>>> will be a TLD, so if you see a pattern such as
>>>
>>> http:// 123456789/ cgi-bin/innocent_code.pl
>>>
>>> (Ignore the spaces they are there to let this post slip by most antispam
>>> detection) then you can surmise it is an attempt at obfuscation.
>> I don't get it, what's the pattern we're looking for? An IP address is a
>> number. Any way you specify it is fine. 123456789 is no more obfuscated
>> than whatever it would be if you converted it to dotted quad. They both
>> represent the same number.
>>
>> If you're trying to match a text pattern against an integer, you're
>> doing it wrong.
>
> He is not trying to match the IP address. He is trying to match an
> unusual way of presenting the IP address that seems to occur primarily
> in spam.
>
Basically an IPv4 address can be anything that inet_addr() can handle.

See http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf2/inet_addr.htm
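
The point made in the thread, as an added example that is not part of the original messages and is not ClamAV code: let inet_addr() decide whether a URL host is an IPv4 address, then compare the host text with the dotted-quad form so that unusual spellings can be flagged and matched on their canonical value. The names classify_url_host and host_kind are hypothetical, the sample URL is the one from the thread with the spaces removed, and the example covers any spelling inet_addr() accepts, not only the all-digits one.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

enum host_kind { HOST_NAME, HOST_DOTTED_QUAD, HOST_NONCANONICAL_IP };

/* Hypothetical helper: extract the host from a URL, ask inet_addr() whether
 * it is an IPv4 address, and write the dotted-quad form to canon if so. */
enum host_kind classify_url_host(const char *url, char *canon, size_t canon_len)
{
    char host[256], quad[INET_ADDRSTRLEN];
    struct in_addr addr;
    const char *p = strstr(url, "://");
    const char *at;
    size_t n;

    if (canon_len > 0)
        canon[0] = '\0';
    p = p ? p + 3 : url;                 /* skip the scheme if present */
    n = strcspn(p, "/?#");               /* end of the authority part */
    at = memchr(p, '@', n);              /* drop userinfo ("user:pw@") */
    if (at)
        p = at + 1;
    n = strcspn(p, ":/?#");              /* host ends at port or path */
    if (n == 0 || n >= sizeof(host))
        return HOST_NAME;
    memcpy(host, p, n);
    host[n] = '\0';

    addr.s_addr = inet_addr(host);
    /* inet_addr() reports failure as INADDR_NONE, which is also the value
     * of 255.255.255.255; only that literal spelling is accepted here. */
    if (addr.s_addr == INADDR_NONE && strcmp(host, "255.255.255.255") != 0)
        return HOST_NAME;
    if (!inet_ntop(AF_INET, &addr, quad, sizeof(quad)))
        return HOST_NAME;
    snprintf(canon, canon_len, "%s", quad);
    return strcmp(host, quad) == 0 ? HOST_DOTTED_QUAD : HOST_NONCANONICAL_IP;
}

int main(void)
{
    /* Constructed sample input: the URL quoted in the thread. */
    char canon[INET_ADDRSTRLEN];
    enum host_kind k = classify_url_host(
        "http://123456789/cgi-bin/innocent_code.pl", canon, sizeof(canon));
    printf("kind=%d canonical=%s\n", (int)k, canon);
    return 0;
}
```

A signature or blocklist lookup can then run against the canonical string, with HOST_NONCANONICAL_IP kept as a separate signal for the presentation itself.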