>...
>I lately received a lot of spam that contains a URL with an ampersand 
>  like the following ones:
>
>http://mwbmphqks.com&uylnzptov306e74lz4hltp4l.wafddiwafd8.com.DEMUNGED/
>http://wuqvqspsa.com&gwvjb5hnn3f2f1zk4j.impynjimpy9.com.DEMUNGED/
>http://danwwzbmys.com&sxlxcemf2hnv6lky3ykao3k.telluristmj.net.DEMUNGED/
>http://ezgezdmw.com&znxrazblhr3fl31vivhf0kh.wafddiwafd8.com.DEMUNGED/
>http://rizssxavpbb.org&ktpvffvsy6hedrerd3zwd.choanosomeab.com.DEMUNGED/
>
>so spammers are trying to evade filters that consider '&' as a 
>terminator, since rizssxavpbb.org is a random "domain" and won't be listed.
>
>The domains are now caught by various lists, but I think they can be 
>caught independently. One way I see is to add a score if '&' is found in 
>a URL. Something like
>
# ampersand in domain
>rawbody   FOO_URI_AMPERSAND        m{http://[\w\d\.\%\#]*\&}i
>describe  FOO_URI_AMPERSAND        URL contains ampersand
>score     FOO_URI_AMPERSAND        1
>
>Would this cause false positives? How to improve this rule? (We could 
>also look for other suspicious chars.)
>
>Maybe add a similar rule to increase the score if the ampersand 
>immediately follows a well-known TLD (.org, .com,... at least)?
>
>

        All Leo Kuvayev, both with the interesting contact email of
[EMAIL PROTECTED] for some.  All his name servers and the "known"
addresses of:

   Mahov, Igor               [EMAIL PROTECTED]
   Borovskoe shosse 25, 2
   Moscow, MSK 119633
   RU
   +1-347-328-5225 fax: +1-347-328-5225


and 

   Jeff Westbury (DDSQK) [EMAIL PROTECTED]
   77 Beak Street, #118
   London,    W1F 9DB    W1F 9DB
   United Kingdom
   Phone: (1)3473285225 x 

        Of interest is that the Russian address has been changed to also
use the Brooklyn cell phone telephone number.

        Paul Shupak
        [EMAIL PROTECTED]
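
An added sketch of the check the quoted message asks about (not code from either poster, and not SpamAssassin's own): it scores a URL only when the '&' sits in the host part, scores higher when the '&' directly follows a well-known TLD, and leaves ordinary query-string ampersands alone. The function name, the TLD list, the two-label domain heuristic and the sample hosts are assumptions made for illustration.

```python
import re

# Host part of a URL: everything after the scheme up to the first
# '/', '?', '#', whitespace or quote. Stopping at '?' keeps a query string
# such as http://shop.example?q=a&b=2 from being read as part of the host.
AUTHORITY_RE = re.compile(r"https?://([^/?#\s\"'<>]+)", re.I)

# Assumption: a short illustrative TLD list, not a complete one.
KNOWN_TLDS = ("com", "net", "org", "info", "biz")
TLD_THEN_AMP_RE = re.compile(r"\.(?:%s)&" % "|".join(KNOWN_TLDS), re.I)


def find_ampersand_hosts(body):
    """Return (decoy, trailing_domain, score) per URL with '&' in its host.

    score 1: '&' appears somewhere in the host part
    score 2: '&' directly follows a well-known TLD
    """
    hits = []
    for match in AUTHORITY_RE.finditer(body):
        # Drop userinfo and port; '&' is legal inside "user:pass@".
        host = match.group(1).rsplit("@", 1)[-1].split(":", 1)[0]
        if "&" not in host:
            continue
        decoy, _, rest = host.partition("&")
        # Assumption: last two labels approximate the registered domain
        # (wrong for suffixes such as co.uk; use a public-suffix list there).
        trailing = ".".join(rest.split(".")[-2:])
        score = 2 if TLD_THEN_AMP_RE.search(host) else 1
        hits.append((decoy.lower(), trailing.lower(), score))
    return hits


# Constructed sample body; hosts use the reserved .example TLD.
SAMPLE = (
    "Visit http://abcdefgh.com&x1y2z3.spam-host.example/ now\n"
    "Search http://shop.example/find?q=a&page=2\n"
    "No slash http://shop.example?q=a&page=2\n"
    "Odd http://foo&bar.spam-host.example/\n"
)

if __name__ == "__main__":
    for hit in find_ampersand_hosts(SAMPLE):
        print(hit)
```

The trailing domain, not the decoy before the '&', is the value to check against URI blocklists.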
