John D. Hardin wrote:
> Re: http://isc.sans.org/diary.php?storyid=1342
>
> (1) Are there any rules currently in SA or SARE that will trigger on
> encoded characters in the hostname part of a URL?
>
> (2) Does the URL extractor for SURBL checks properly deal with
> URL-encoded hostnames?

Yes, SA in general deals with most forms of URI encoding. The SURBL checks are not confused by the use of ".%63%6f%6d" instead of ".com". The general SA architecture decodes these long before the SURBL rules see it.

I also don't understand why this is a new thing to the ISC handler's diary. Spammers have been using that trick for a LOOOOOONG time. It's more common in phishing than spam, but it's still common in both.
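
The decode-before-lookup order described in the reply, as an added example that is not SpamAssassin's code and not part of the original thread. The function names, the constructed message body and the one-entry blocklist are assumptions; checking every parent suffix of the hostname stands in for a real registered-domain lookup.

```python
import re
from urllib.parse import unquote

# Constructed one-entry blocklist (example.com is a reserved domain, not SURBL data).
BLOCKLIST = {"example.com"}

# Capture the authority part (userinfo, host, port) of each http/https URI.
URI_RE = re.compile(r'\bhttps?://([^\s/?#<>"]+)', re.I)

def normalize_host(authority):
    """Return the hostname as a resolver would see it: decoded and lower-cased."""
    host = authority.rsplit("@", 1)[-1]      # drop any userinfo
    host = unquote(host)                     # ".%63%6f%6d" becomes ".com"
    if not host.startswith("["):             # leave IPv6 literals untouched
        host = host.split(":", 1)[0]         # drop the port
    return host.strip(".").lower()

def lookup_candidates(host):
    """Every suffix of the hostname that has at least two labels."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def listed_hosts(body):
    """Normalized hostnames in the body whose domain is on the blocklist."""
    hits = []
    for match in URI_RE.finditer(body):
        host = normalize_host(match.group(1))
        if any(name in BLOCKLIST for name in lookup_candidates(host)):
            hits.append(host)
    return hits

# Constructed message body: two obfuscated URIs and one unlisted URI.
SAMPLE = (
    "Offer: http://www.example.%63%6f%6d/offer\n"
    "Login: HTTP://user@LOGIN.Example.%43%4F%4D:8080/x\n"
    "Docs: http://example.org/readme\n"
)

if __name__ == "__main__":
    for host in listed_hosts(SAMPLE):
        print("listed:", host)
```

A rule that matched the raw text against the blocklist would miss both obfuscated URIs, since neither contains the literal string "example.com".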