We've seen a lot of this as well, and frankly it works against them. There are seldom legitimate reasons to obscure a web link - particularly by coding it as binary or as a long integer. The Message Sniffer rule base some aggressive rules built to trap any web link that starts off with more than 3 digits in a row, and a large number of specific rules to numbered or otherwise coded web links. (These are very common in porn spam)
These might make good tests Scott ;-) If you (anyone) decide to add rules like this to your filters be cautious not to go too wild with them. There are a number of legitimate services, internal corporate software, and other legitimate reasons to use numbered links. You must tune to suit your tastes. _M | -----Original Message----- | From: [EMAIL PROTECTED] | [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan | Sent: Wednesday, September 04, 2002 5:10 PM | To: [EMAIL PROTECTED] | Subject: RE: [Declude.JunkMail] Encoded Email... how? | | | We are actually finding more & more SPAM are coming that way. | We are only catching them when they put interesting words in | the subject. | | Also what we are finding is they are turning the links and | addresses into binary numbers, therefore making it impossible | to detect the links and trap them... Such as majority of | porn-sites. We get links like: | http://0111010101010101010101010101010... How I have no clue? Regards, Kami -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson Sent: Wednesday, September 04, 2002 4:43 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Encoded Email... how? Howdy, This one has me baffled. This email (spam) showed up as what appeared to be an html formatted message. When I view the raw message it appears as an encoded attachment making it impossible to filter on any body content. How are they doing it and how do we stop it? Have a great day! Rick Davidson Buckeye Internet Services www.buckeyeweb.com 440-953-1900 - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
