>...
>I lately received a lot of spam that contains a URL with an ampersand
> like the following ones:
>
>http://mwbmphqks.com&uylnzptov306e74lz4hltp4l.wafddiwafd8.com.DEMUNGED/
>http://wuqvqspsa.com&gwvjb5hnn3f2f1zk4j.impynjimpy9.com.DEMUNGED/
>http://danwwzbmys.com&sxlxcemf2hnv6lky3ykao3k.telluristmj.net.DEMUNGED/
>http://ezgezdmw.com&znxrazblhr3fl31vivhf0kh.wafddiwafd8.com.DEMUNGED/
>http://rizssxavpbb.org&ktpvffvsy6hedrerd3zwd.choanosomeab.com.DEMUNGED/
>
>so spammers are trying to evade filters that consider '&' as a
>terminator, since rizssxavpbb.org is a random "domain" and won't be listed.
>
>The domains are now caught by various lists. but I think they can be
>caught independently. one way I see is to add a score if '&' is found in
>a URL. something like
>
>#ampersand in domain
>rawbody FOO_URI_AMPERSAND m{http://[\w\d\.\%\#]*\&}i
>describe FOO_URI_AMPERSAND URL contains ampersand
>score FOO_URI_AMPERSAND 1
>
>would this cause false positives? how to improve this rule? (we could
>also look for other suspicious chars).
>
>maybe add a similar rule to increase the score if the ampersand
>immediately follows a well-known tld (.org, .com,... at least)?
>
All Leo Kuvayev, both with the interesting contact email of [EMAIL PROTECTED] for some. All his name servers and the "known" addresses of:

Mahov, Igor [EMAIL PROTECTED]
Borovskoe shosse 25, 2
Moscow, MSK 119633
RU
+1-347-328-5225
fax: +1-347-328-5225

and

Jeff Westbury (DDSQK) [EMAIL PROTECTED]
77 Beak Street, #118
London, W1F 9DB W1F 9DB
United Kingdom
Phone: (1)3473285225 x

Of interest is that the Russian address has been changed to also use the Brooklyn cell phone telephone number.

Paul Shupak
[EMAIL PROTECTED]
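
The ampersand check asked about in the quoted post, as an added example that is not part of the thread: it restricts the test to the host part of each URL, adds the proposed bonus when '&' directly follows a well-known TLD, and compares the result with the rule as posted. The function name, the score values and the `example` hosts are assumptions made for illustration.

```python
import re

# Rule as posted in the thread, kept for comparison.
POSTED = re.compile(r"http://[\w\d\.\%\#]*\&", re.I)
# Authority: everything after "scheme://" up to the first "/", "?", "#" or whitespace.
AUTHORITY = re.compile(r"https?://([^\s/?#<>\"']+)", re.I)
# TLDs the post names (.org, .com), plus .net from its sample URLs.
TLD_THEN_AMP = re.compile(r"\.(?:com|org|net)&", re.I)

def ampersand_hits(body, base=1.0, tld_bonus=1.0):
    """Return one dict per URL whose host part contains '&'.

    decoy: what a filter that stops at '&' would extract.
    tail:  the name after the last '&', the part to check against URI lists.
    Score values are placeholders (assumptions), not tuned.
    """
    hits = []
    for m in AUTHORITY.finditer(body):
        authority = m.group(1)
        host = authority.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo, port
        if "&" not in host:
            continue
        score = base + (tld_bonus if TLD_THEN_AMP.search(host) else 0.0)
        hits.append({
            "decoy": host.split("&", 1)[0],
            "tail": host.rsplit("&", 1)[-1].rstrip("."),
            "score": score,
        })
    return hits

# Constructed sample body: two URLs from the post plus constructed look-alikes.
SAMPLE = """\
http://mwbmphqks.com&uylnzptov306e74lz4hltp4l.wafddiwafd8.com.DEMUNGED/
http://rizssxavpbb.org&ktpvffvsy6hedrerd3zwd.choanosomeab.com.DEMUNGED/
http://example.com/search?a=1&b=2
http://example.com#section&more
http://my-shop.example&host.example/
"""

if __name__ == "__main__":
    for hit in ampersand_hits(SAMPLE):
        print(hit)
    # Posted rule per line: it fires on the fragment URL and skips the hyphenated host.
    for line in SAMPLE.splitlines():
        print(bool(POSTED.search(line)), line)
```

On this sample the posted rule also fires on the '#' fragment URL, because '#' is in its character class, and does not fire on the hyphenated host, because '-' is not.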