I put together a filter that checks for obfuscation of URLs, IPs and text using URL encoding, HTML encoding, a mix of URL and HTML encoding, hexadecimal encoding, and octal encoding, though the latter two are commented out due to a lack of current use by spammers. I've been careful to allow hits only on combinations of either letters and numbers or letters and numbers with HTTP address components in order to protect from false positives. The technique is probably about the most foolproof non-specific indicative indicator of spam that there is, and should prove to be more reliable than most any other test out there.

My results from a smattering of E-mail tested with this filter are as follows:

805 - Unique Messages
34 - Filter Hits (4.2%)
0 - False Positives
4 - Made a difference (would have scored within 50% of my fail weight without the test)
3 - Failed because of the test.


I'm going to attach the file to a separate posting just in case some people are already filtering for these techniques. I might suggest trying not to include the text of the filter in replies, especially in PMs direct to my account :)

Special credit goes to Dan for leading me in the direction of obfuscation.

Matt
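
An added illustration of the kind of check described in this message; it is not the filter from the post (which was sent separately) and is not Declude filter syntax. This Python example flags letters and digits hidden behind URL encoding, numeric HTML entities, or a mix of the two, and ignores encodings that have legitimate uses. The function names, the two-character threshold and the sample messages are assumptions made for the example.

```python
import re

ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
ENTITY = re.compile(r"&#(?:[xX]([0-9A-Fa-f]{1,4})|([0-9]{1,5}));?")
PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def decode_entities(text):
    """Decode printable-ASCII numeric entities; count those hiding a letter or digit."""
    hidden = 0
    def repl(m):
        nonlocal hidden
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if not 32 <= code <= 126:
            return m.group(0)  # typographic entities (&#160;, &#8212;) are left alone
        hidden += chr(code) in ALNUM
        return chr(code)
    return ENTITY.sub(repl, text), hidden

def percent_hidden(text):
    """Count %XX escapes inside URLs that decode to a letter or digit."""
    return sum(chr(int(h, 16)) in ALNUM
               for url in URL.findall(text) for h in PERCENT.findall(url))

def obfuscation_hits(body, min_run=2):
    """Return the tests that fired: 'html', 'url', 'mixed' (min_run is an assumed threshold)."""
    decoded, html_n = decode_entities(body)
    url_n = percent_hidden(body)
    # Escapes that only appear once entities are decoded mean both layers were combined.
    mixed_n = percent_hidden(decoded) - url_n
    counts = {"html": html_n, "url": url_n, "mixed": mixed_n}
    return {name for name, n in counts.items() if n >= min_run}

# Constructed sample bodies (example.com is a placeholder host).
SAMPLES = {
    "plain": "See http://example.com/q?a=1%20b&amp;c=2 &#8212; a 50%50 split&#160;ok",
    "url":   "http://%65%78%61%6d%70%6c%65.com/offer",
    "html":  '<a href="&#104;&#116;&#116;&#112;://example.com/">click</a>',
    "mixed": "http://&#37;65&#37;78ample.com/",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, sorted(obfuscation_hits(body)))
```

The "plain" sample carries `%20`, `&amp;`, `&#8212;` and `&#160;`, none of which hide a letter or digit, so it produces no hit.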

---
This E-mail came from the Declude.JunkMail mailing list.