On Mon, 2011-09-19 at 12:40 -0400, Bowie Bailey wrote:
> On 9/19/2011 12:16 PM, Michael Orlitzky wrote:
> > On 09/19/11 12:04, Bowie Bailey wrote:
> >> He is not trying to match the IP address.  He is trying to match an
> >> unusual way of presenting the IP address that seems to occur primarily
> >> in spam.
> >>
> >> Whether this is something that should be done in ClamAV or would be
> >> better done by something like SpamAssassin is another question altogether.
> >>
> > Fair enough. I was just unhappy with the idea that "0.0.0.1" is somehow
> > less obfuscated than "1".
> 
> I would tend to say that "1" is fairly well obfuscated.  Most people --
> even most technical people -- would not immediately see that as an IP
> address.  We have been conditioned to see IP addresses as XX.XX.XX.XX. 

That's the whole problem as both are legal and correct (as in
RFC-compliant) form.
And you want to flag it as "spam"?

> And while there are other valid ways of displaying an IP address, most
> people will not immediately recognize a number or series of numbers as
> an IP address if it is not in the familiar dotted-quad notation.

But in the context of http://0.0.0.1/ or http://1/ most people should
only think: Is this an IP address or a hostname?
And it makes no real sense to have syntactically illegal links in spam
mails.
So the obfuscation is IMHO more for the tools to avoid matches on
blacklists of domains and IP addresses.
No, one should really extend the blacklist checks to the not so well
known forms and not only dotted-quads.

        Bernd
-- 
Bernd Petrovitsch                  Email : be...@petrovitsch.priv.at
                     LUGA : http://www.luga.at

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
