Mike,

The same thing can happen in the body, so it's worth knowing. Naturally the filter can easily be modified for use in the subject, and there is really no reason at all to be HTML encoding subject lines unless it is a non-Western European language, and still they should be base64 encoded I would think. I don't think the URL encoding techniques need be applied to subjects though, but searching a subject shouldn't be that process intensive.

Matt


Mike K wrote:


Sorry, just noticed, this was in the "subject".

Mike

----- Original Message -----
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 3:32 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter




May want to account for foreign languages also. I just received this spam
while I was adding your URL obfuscation filter.

&#1053;&#1077;&#1076;&#1086;&#1088;&#1086;&#1075;&#1080;&#1077;
&#1079;&#1074;&#1086;&#1085;&#1082;&#1080;
&#1079;&#1072;&#1088;&#1091;&#1073;&#1077;&#1078;!

Mike


----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 12:40 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter




Pete,

It's not redundant because the two by themselves only check for strings
of two, while the combination checks for strings with one of each in
succession.  This way, if they go back and forth between the two, it
will get caught as long as there is a "." or "@" between them, or as
long as it is URL encoding followed by HTML encoding.  I left out the
other way around because it was only a two character string, ";%" and
wanted to protect from FP's.

I do appreciate the feedback though...I do of course make mistakes.

Matt

Pete McNeil wrote:



Matt,

It appears that your coding for a combination of http & url encoding
in urls is redundant since you capture both types individually. It's a
small optimization, but worth mentioning.

_M

At 07:46 PM 9/14/2003 -0400, you wrote:



I've posted a newer version of the OBFUSCATION filter on my site.
This contains the removal of the attachment thing and also the
removal of 6 (of over 100) tests in order to be more forgiving, sans
the PayPal issue.




http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt


If you find any false positives with this besides the Ticketmaster
one that I've already counterbalanced, please let me know.  I would
imagine that posting to this group would be better than PM's unless
others mind having discussion here.  That way everyone would know
about any issues ASAP.

Thanks,

Matt




---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
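
Added example, not part of the thread and not the posted filter file: the rule logic described in the messages above (runs of two of one encoding, one of each across a "." or "@", URL encoding followed by HTML encoding, ";%" left out, HTML-only checks for subjects) written as Python. The regexes, rule names, the `scan` function and the choice to inspect only the host part of each URL are assumptions; sample URLs are constructed.

```python
import re

# Assumed token shapes; the filter's real test strings are not shown in the thread.
PCT = r"%[0-9A-Fa-f]{2}"                        # URL (percent) encoded octet
ENT = r"&#(?:\d{1,7}|[xX][0-9A-Fa-f]{1,6});"    # HTML numeric character reference

RULES = [
    ("url-run", re.compile(PCT + PCT)),          # two URL-encoded chars in a row
    ("html-run", re.compile(ENT + ENT)),         # two HTML-encoded chars in a row
    ("url-then-html", re.compile(PCT + ENT)),    # one of each, URL first
    # One of each with "." or "@" between them, in either order.
    ("mixed-across-separator",
     re.compile(f"(?:{PCT}[.@]{ENT}|{ENT}[.@]{PCT})")),
    # HTML directly followed by URL encoding (";%") is deliberately absent:
    # a two-character match is too likely to cause false positives.
]
HTML_RUN = dict(RULES)["html-run"]

# Assumption: only the part between "//" and the first "/" or "?" is checked,
# so percent-encoded query strings in ordinary links are not flagged.
URL_AUTHORITY = re.compile(r"(?i)\bhttps?://([^/?\s\"'<>]+)")


def scan(text, field="body"):
    """Return the sorted names of the rules that fire on text."""
    if field == "subject":
        # Subjects get the HTML-entity check only, not the URL-encoding rules.
        return ["html-run"] if HTML_RUN.search(text) else []
    hits = set()
    for authority in URL_AUTHORITY.findall(text):
        hits.update(name for name, rx in RULES if rx.search(authority))
    return sorted(hits)


if __name__ == "__main__":
    samples = [  # constructed inputs, except the subject quoted in the thread
        ("body", "Click http://%77%77%77.example.test/ now"),
        ("body", "Click http://a&#119;.%77b.example.test/ now"),
        ("body", "See http://www.example.test/search?q=%E2%82%AC"),
        ("subject", "&#1053;&#1077;&#1076;&#1086;&#1088;&#1086;&#1075;&#1080;&#1077;"),
    ]
    for field, text in samples:
        print(field, scan(text, field), text)
```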
