From: Jason L Tibbitts III [mailto:ti...@math.uh.edu] >> "MD" == McDonald, Dan <dan.mcdon...@austinenergy.com> writes: > >MD> The rules I posted last night catch those. They switched from <MD> underscores to commas this morning, and my rules still catch them.
>I still wonder, though, if we shouldn't be turning these back into >hostnames and looking them up in the regular URI blacklists, because >the looser we make the rules, the larger the chance of false >positives. That's why I have the "exclude two dots" part of the rule. My first attempt was getting a lot of false positives. Anyone obfuscating the domain name, IMHO, is definitely asking to be blocked. -- Dan McDonald, CCIE # 2495, CISSP # 78281, CNX