From johnml@michaweb.net Tue Apr 13 11:08:09 2004
From: John Fawcett
To: discuss@lists.surbl.org
Subject: [SURBL-Discuss] Redirects and obfuscated urls
Date: Tue, 13 Apr 2004 11:07:58 +0200
Message-ID: <005601c42136$d3a31f10$2001a8c0@michaweb.net>

I saw a post on NANAE over the weekend about surbl and it looks like one of the best ideas I've seen. Almost every spam mail I get contains a spamvertized domain, so with good data this method has the potential to block nearly 100% of spam. Spamvertized domains are an essential resource for spammers and are usually longer lived than the abused servers used to send out spam runs.

I've set up SpamAssassin and SpamCopURI. I've checked the emails which are not being picked up by surbl and there is a recurring pattern:

1) Redirects
2) Obfuscated urls

For example, this was not picked up. shopinternetbuy.biz is in sc.surbl.org.

The logic of the parsing engine needs to be enhanced to deal with these cases. This is probably only the start, because spammers will find other ways to get around surbl once it starts being used widely.

I'd offer to look at it, but I wouldn't know where to start with perl.

John
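An added example (not from the post, and not SpamAssassin or SpamCopURI code) of the URL normalization the message asks for, in Python: before the SURBL lookup it recovers the host hidden behind percent-encoding, userinfo, mixed case and a trailing dot, and also extracts URLs embedded as redirect targets. The post does not say which obfuscations it saw, so these forms, the function names, `redirector.example` and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Finds an absolute URL embedded in already percent-decoded text.
EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url):
    """Host of a URL with userinfo, port, percent-encoding and case removed."""
    raw = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    return unquote(raw).strip(".").lower()

def candidate_hosts(url, depth=3):
    """Hosts a URL can lead to: its own, plus any URL embedded in its
    path, query or fragment (redirect targets), nested up to `depth`."""
    hosts = [h for h in [host_of(url)] if h]
    if depth > 0:
        parts = urlsplit(url)
        rest = unquote("%s?%s#%s" % (parts.path, parts.query, parts.fragment))
        for inner in EMBEDDED_URL.findall(rest):
            for h in candidate_hosts(inner, depth - 1):
                if h not in hosts:
                    hosts.append(h)
    return hosts

def surbl_queries(url, zone="sc.surbl.org"):
    """DNS names to look up for one message URL.
    Simplification: the registered domain is taken as the last two labels;
    suffixes such as co.uk need a two-level TLD list. Numeric hosts are skipped."""
    names = []
    for host in candidate_hosts(url):
        labels = host.split(".")
        if len(labels) < 2 or labels[-1].isdigit():
            continue
        name = ".".join(labels[-2:] + [zone])
        if name not in names:
            names.append(name)
    return names

# Constructed sample URLs (not the one from the post, which did not survive).
SAMPLES = [
    "http://redirector.example/go?u=http%3A%2F%2Fwww.shopinternetbuy.biz%2Foffer",
    "http://redirector.example/*http://WWW.ShopInternetBuy.biz./offer",
    "http://www.%73hopinternetbuy.biz/offer",
    "http://www.known-brand.example@shopinternetbuy.biz:80/offer",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", surbl_queries(s))
```

Looking up the redirector's own domain as well as the embedded target means a listing for either one matches the message.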