Posted to users@spamassassin.apache.org by Kevin Windham <ke...@gatorgraphics.com> on 2008/10/31 14:53:42 UTC
Rule for encoded/bugged URLs?
Is there a ruleset for encoded URLs or addresses? I have some examples
I can send, but so far I tried to send this email twice with the
example URLs, and it never makes it to the list, so I'm guessing
someone has some rules in place that I would like to be running on my
server.
TIA,
Kevin
Re: Rule for encoded/bugged URLs?
Posted by John Hardin <jh...@impsec.org>.
On Fri, 31 Oct 2008, Kevin Windham wrote:
> On Oct 31, 2008, at 9:58 AM, Ned Slider wrote:
>
>> Not sure what you mean by encoded
>
> I just mean that the URLs look like they are encoded to capture identity.
I would suggest "tagged" might be a better way to express that than
"encoded".
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Today: Halloween
Re: Rule for encoded/bugged URLs?
Posted by Kevin Windham <ke...@gatorgraphics.com>.
On Oct 31, 2008, at 11:59 AM, Kelson wrote:
> Kevin Windham wrote:
>> The other sign is the encoded img tags. I can't recall seeing a
>> regular site use img tags that are encoded with no meaningful name.
>
> I take it you've never looked at the HTML code for, say, Flickr or
> Amazon? A *lot* of dynamic websites will use a catalog number (or
> equivalent) instead of a human-readable name for their image
> filenames.
No, you're right. I should have said HTML emails and not site. I don't
think I've gotten any html emails from Amazon in a long time, and
never one from Flickr, but I looked at eBay and PayPal emails I had
saved and those seem mostly normal. The names are shorter and more
meaningful, although I'm not sure you could get a rule to reliably
detect the difference. I would guess you could check for matches in
images and links that appear multiple times. It is simple for me to
see, but teaching the computer how to do it would be difficult.
However, the Message-ID appearing in any URLs or image names does seem
like an odd thing to do for a normal mail, and that might be useful
until the spammers change their tool(s).
Kevin
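
The two signals discussed in this message (the Message-ID showing up inside link and image URLs, and the same opaque token repeated across several links and images), sketched as an added Python example. It is not part of the original thread and not a SpamAssassin rule; the function name `tagged_url_report`, the 8-character token threshold and the sample message are assumptions made for illustration.

```python
import email
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample message (not the mail from the thread's pastebin).
SAMPLE = """\
From: sender@example.test
Message-ID: <20081031.AB12CD34EF56@mail.example.test>
Subject: constructed sample
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="http://shop.example.test/c/AB12CD34EF56/offer">Offer</a>
<a href="http://shop.example.test/c/AB12CD34EF56/unsub">Unsubscribe</a>
<img src="http://shop.example.test/i/AB12CD34EF56.gif">
<img src="http://static.example.test/logo.gif">
</body></html>
"""

class UrlCollector(HTMLParser):
    """Collect href/src values from <a> and <img> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in (("a", "href"), ("img", "src")):
                self.urls.append(value)

def tagged_url_report(raw, min_len=8):
    msg = email.message_from_string(raw)
    # Left-hand side of the Message-ID, split into alphanumeric runs.
    local = msg.get("Message-ID", "").strip("<> \t").split("@")[0]
    id_tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, local)}
    collector = UrlCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            collector.feed(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    # Long opaque tokens in URL paths (host excluded), counted once per URL.
    seen = Counter()
    for url in collector.urls:
        path = re.sub(r"^[a-z]+://[^/]+", "", url, flags=re.I)
        seen.update({t.lower() for t in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, path)})
    return {
        "msgid_in_urls": sorted(t for t in id_tokens if t in seen),
        "repeated_tokens": {t: n for t, n in seen.items() if n > 1},
    }
```

Repeated tokens on their own also occur in legitimate catalogue-style image names, as Kelson points out in the thread, so `msgid_in_urls` is the stronger of the two results.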
Re: Rule for encoded/bugged URLs?
Posted by Kelson <ke...@speed.net>.
Kevin Windham wrote:
> The other sign is the encoded img tags. I can't recall seeing a regular
> site use img tags that are encoded with no meaningful name.
I take it you've never looked at the HTML code for, say, Flickr or
Amazon? A *lot* of dynamic websites will use a catalog number (or
equivalent) instead of a human-readable name for their image filenames.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: Rule for encoded/bugged URLs?
Posted by Kevin Windham <ke...@gatorgraphics.com>.
On Oct 31, 2008, at 9:58 AM, Ned Slider wrote:
> Kevin Windham wrote:
>> On Oct 31, 2008, at 9:25 AM, ram wrote:
>>> Use a pastebin to paste the entire mail and send us the URL.
>> Here is the email.
>> <http://pastebin.com/m4d55a610>
>> Thanks,
>> Kevin
>
> Not sure what you mean by encoded - the fact it's part of an html
> formatted message?
I just mean that the URLs look like they are encoded to capture
identity. i.e. if you clicked on it, your email address would be
marked as a real address and more spam would surely follow. I rarely
get real email from an actual person that is encoded that way.
Sometimes I get them from companies, but there aren't normally so many
in the message, especially identical ones.
The other sign is the encoded img tags. I can't recall seeing a
regular site use img tags that are encoded with no meaningful name.
Also, in this case it seems the message-id itself is encoded in the
URLs of links and images. I think that would be a strange thing to do
for a regular site. It seems the spammer is really anxious to get any
kind of feedback that the message was viewed.
> Anyway, URIBLs should catch these. That particular domain is now
> listed on URIBL_Black and in XBL on spamhaus.
>
> http://lookup.uribl.com/?section=lookup
I do have URIBL running. I got a message earlier that scored a black.
It seems that quite a few of these get through before being listed.
Kevin
Re: Rule for encoded/bugged URLs?
Posted by Ned Slider <ne...@unixmail.co.uk>.
Kevin Windham wrote:
>
> On Oct 31, 2008, at 9:25 AM, ram wrote:
>> Use a pastebin to paste the entire mail and send us the URL.
>
> Here is the email.
> <http://pastebin.com/m4d55a610>
>
> Thanks,
> Kevin
>
Not sure what you mean by encoded - the fact it's part of an html
formatted message?
Anyway, URIBLs should catch these. That particular domain is now listed
on URIBL_Black and in XBL on spamhaus.
http://lookup.uribl.com/?section=lookup
Re: Rule for encoded/bugged URLs?
Posted by Kevin Windham <ke...@gatorgraphics.com>.
On Oct 31, 2008, at 9:25 AM, ram wrote:
> Use a pastebin to paste the entire mail and send us the URL.
Here is the email.
<http://pastebin.com/m4d55a610>
Thanks,
Kevin
Re: Rule for encoded/bugged URLs?
Posted by ram <ra...@netcore.co.in>.
On Fri, 2008-10-31 at 08:53 -0500, Kevin Windham wrote:
> Is there a ruleset for encoded URLs or addresses? I have some examples
> I can send, but so far I tried to send this email twice with the
> example URLs, and it never makes it to the list, so I'm guessing
> someone has some rules in place that I would like to be running on my
> server.
Use a pastebin to paste the entire mail and send us the URL.