Posted to users@spamassassin.apache.org by "John D. Hardin" <jh...@impsec.org> on 2006/08/16 21:32:06 UTC

Any rules for URLs like this?

An obfuscated URL like that should be fairly easy to detect - are
there any rules (e.g. SARE) for these?

X-Spam-Report: 
	*  2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
	*      [score: 0.9334]
	*  3.0 URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
	*      [URIs: heretodayloantomorrow.com]
	*  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
	*      [URIs: heretodayloantomorrow.com]

www.w<www<]vesselschamplainsharpshootmshouldnth].heretodayloantomorrow.com=

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Apparently the Bush/Rove idea of being a "fiscal conservative" is
  to spend money like there's no tomorrow, run up huge deficits, and
  pray the Rapture happens before the bills come due.
                                       -- atul666 in Y! SCOX forum
-----------------------------------------------------------------------


Re: Any rules for URLs like this?

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 18 Aug 2006, Jeremy Fairbrass wrote:

> It seems to be a valid URL

> I actually didn't know you could use <>[] characters in a domain
> name

> I dunno what the RFCs say about the usage of such characters in a
> sub-domain...

*boggle*

I am going to have to re-read the RFCs as well - I, too, was assuming
<>[] were not valid in domain name parts...



Re: Any rules for URLs like this?

Posted by Jeremy Fairbrass <jf...@hotmail.com>.
I'm not sure it's actually obfuscated though?? It seems to be a valid URL, I
mean in terms of it existing in DNS as-is, and in terms of it working (click
on it and it takes you to the spammer's site). I actually didn't know you
could use <>[] characters in a domain name, but I guess you can - this one
works anyway. In any case, the question would be whether or not there are,
or should be, any rules to detect a URL with <>[] characters in it - I think 
it would be pretty easy to write such a rule if necessary, but would there 
be any chance of FPs as a result? I dunno what the RFCs say about the usage 
of such characters in a sub-domain...

Cheers,
Jeremy



"Loren Wilton" <lw...@earthlink.net> wrote in message 
news:022101c6c259$8f2bfb60$bf6911ac@watson1...
>>> Do you need rules for them?  It looks like URIBL was able to pick
>>> it up fine.
>>
>> Yes, but I want enough points to push it over the automatic-discard
>> threshold. An extra point or two for that form of obfuscation would
>> be welcome (to me, at least).
>
> I wrote a rule against those sort of things about a month back.  I don't 
> recall just off the top of my head what the masscheck results were, but I 
> don't recall them being real impressive at the time.  Possibly I concluded 
> that the rule wasn't quite correct and was having problems hitting nearby 
> html entities.
>
>        Loren 
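
Added example, not part of the original thread or of SpamAssassin: a sketch of the check discussed above, flagging a URL host only when a label between its dots breaks the letters-digits-hyphen host name syntax of RFC 952/1123, while ignoring brackets and HTML entities that merely wrap or follow a URL (the false-positive cases raised here). The function name, the wrapper character set and the sample strings are assumptions made for illustration; the samples are constructed, with the first shaped like the URL in the original post.

```python
import html
import re

# RFC 952 / RFC 1123 host name label: letters, digits, hyphen (LDH),
# 1-63 characters, no hyphen at either end.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Permissive candidate: the non-space run after "http(s)://" or starting at a
# bare "www.", cut at the first path, query, fragment, port or quote character.
CANDIDATE = re.compile(r"(?:https?://|(?<![\w.])(?=www\.))([^\s/?#:\"']+)", re.I)

# Characters that wrap or end a URL in mail text rather than belong to it
# ("=" covers a quoted-printable soft line break left at the end of a line).
WRAPPERS = "<>[]()=.,;!"


def non_ldh_hosts(text):
    """Return (host, bad_labels) for every URL host with a non-LDH label."""
    hits = []
    # Decode entities first, so "&gt;" right after a URL becomes a trailing
    # ">" that is stripped as a wrapper instead of being read as part of it.
    for m in CANDIDATE.finditer(html.unescape(text)):
        host = m.group(1).strip(WRAPPERS)
        labels = host.split(".")
        if len(labels) < 2:  # not a dotted name (e.g. a cut-off IPv6 literal)
            continue
        bad = [label for label in labels if not LDH_LABEL.match(label)]
        if bad:
            hits.append((host, bad))
    return hits


# Constructed sample lines (not taken from real mail).
SAMPLES = [
    "www.w<www<]filler].spam.example=",              # brackets inside a label
    "Contact <www.example.net> for details",         # URL wrapped in <>
    "see www.example.com&gt; today",                 # entity right after URL
    "(http://lists.example.org/archive/2006).",      # parenthesised URL
    "http://[2001:db8::1]/status",                   # bracketed IPv6 literal
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", non_ldh_hosts(line))
```

Only the first sample is reported. A host name that resolves can still fail this check, because the DNS protocol itself (RFC 2181) accepts arbitrary octets in a label.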




Re: Any rules for URLs like this?

Posted by Loren Wilton <lw...@earthlink.net>.
>> Do you need rules for them?  It looks like URIBL was able to pick
>> it up fine.
>
> Yes, but I want enough points to push it over the automatic-discard
> threshold. An extra point or two for that form of obfuscation would
> be welcome (to me, at least).

I wrote a rule against those sort of things about a month back.  I don't 
recall just off the top of my head what the masscheck results were, but I 
don't recall them being real impressive at the time.  Possibly I concluded 
that the rule wasn't quite correct and was having problems hitting nearby 
html entities.

        Loren


Re: Any rules for URLs like this?

Posted by "John D. Hardin" <jh...@impsec.org>.
On Thu, 17 Aug 2006, Kelson Vibber wrote:

> John D. Hardin wrote:
> > An obfuscated URL like that should be fairly easy to detect - are
> > there any rules (e.g. SARE) for these?
> 
> Do you need rules for them?  It looks like URIBL was able to pick
> it up fine.

Yes, but I want enough points to push it over the automatic-discard
threshold. An extra point or two for that form of obfuscation would
be welcome (to me, at least).



Re: Any rules for URLs like this?

Posted by Kelson Vibber <ke...@speed.net>.
John D. Hardin wrote:
> An obfuscated URL like that should be fairly easy to detect - are
> there any rules (e.g. SARE) for these?

Do you need rules for them?  It looks like URIBL was able to pick it up
fine.

It picks it up so well, in fact, that the list rejected my first attempt 
to reply until I removed the example.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>