On Tue, 6 Feb 2007, Theo Van Dinter wrote: > On Tue, Feb 06, 2007 at 06:01:50PM -0800, John D. Hardin wrote: > > It doesn't matter what obfuscation character they use if you're > > looking at the length of the part after the last period. I can't see > > them obfuscating with periods... > > Really? I could see > > http://www.example.c.om/ Remove the last "." ! > > Oh, and .om is a valid TLD (Oman).
You're evil. But then, trapping the too-long-or-invalid-TLD obfuscation has forced the spammer to use a more easily predictable obfuscation. $domain ~= /\.c\.om\// would be a strong spam sign. And/or put "c.om" into the URIBLs. (We should probably do that for all of the predictable obfuscations using this model *right now*! WS, are you listening?) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- Gun Control: The theory that a woman found dead in an alley, raped and strangled with her panty hose, is somehow morally superior to a woman explaining to police how her attacker got that fatal bullet wound. ----------------------------------------------------------------------- 6 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays