-----Original Message-----
From: Theo Van Dinter <[EMAIL PROTECTED]>
To: Jesse Houwing <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Date: Thu, 22 Jul 2004 03:23:08 -0400
Subject: Re: SA 2.63 -> 3.0 causes degraded rule efficiency.
> On Thu, Jul 22, 2004 at 08:07:34AM +0200, Jesse Houwing wrote:
> > it is abused quite often in spam. Any chars before the = sign are
> > discarted and the hostname after the is is used instead, but to the
> user
> > the host before the = is shown (nifty).
>
> Heh. Neat. IE++ <G>
From: Theo Van Dinter <[EMAIL PROTECTED]>
To: Jesse Houwing <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Date: Thu, 22 Jul 2004 03:23:08 -0400
Subject: Re: SA 2.63 -> 3.0 causes degraded rule efficiency.
> On Thu, Jul 22, 2004 at 08:07:34AM +0200, Jesse Houwing wrote:
> > it is abused quite often in spam. Any chars before the = sign are
> > discarted and the hostname after the is is used instead, but to the
> user
> > the host before the = is shown (nifty).
>
> Heh. Neat. IE++ <G>
Qute isn't it ;)
> > But it seesm to do it too harshly, I'll try to find an example from
> my
> > corpus that should be tagged, but isn't in this case.
>
> Ok, I'd appreciate that. Right now, I tried:
>
> http://penistone.opoloveok=com/3/
> > But it seesm to do it too harshly, I'll try to find an example from
> my
> > corpus that should be tagged, but isn't in this case.
>
> Ok, I'd appreciate that. Right now, I tried:
>
> http://penistone.opoloveok=com/3/
I did a quick grep through my corpus, but it turned out that there
actually are just 10 such urls in there. The other hits were on messages
that had the . encoded as =3e. But I'm afraid that to catch those I'd have
to make this rule full (yuk!).
> and that has the rule hit in both 2.6 and 3.0. If I encode
in QP and
> change = to =3D, and also tried a base64 encoding, those also let both
> version's rules hit. I did a quick look around in my corpus for a spam
> with an appropriate URL, but didn't see one.
> change = to =3D, and also tried a base64 encoding, those also let both
> version's rules hit. I did a quick look around in my corpus for a spam
> with an appropriate URL, but didn't see one.
I seem to have only 10, but I've had a lot of people who asked for a
few updates/fixes telling me they had lots of hits, so I'll keep the
rule in it's current form.
Jesse
