Re: A new technique to disguise a target URL in spam

["E.Kellinis" <me () cipher org uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This kind of filtering can probably apply to almost all fake emails
we all receive from time to time. The techniques spammers rely 
use  the following methods to fake their identity : 

A Variation on Dotted-Decimal IPs 
Octal IP address
Not Dotless, But Less Dots
Octal IP Addresses 

The password field some times is used
http://www.sun.com () www cipher org uk

Look at : http://www.pc-help.org/obscure.htm

and Javascript on urls can be suspicious sinice it is mostly used on 
scam emails exploiting cross site-scripting in different websites.

In This link  http://www=2emcafee=2ecom/ 
the Hex translated wrongly so instead of %2E  , =2E came out 
Hex value %2E  is the dot '.'


A filter containing all that can probably cut off big amount of spam

Manos



=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBQHGCiU5R4JfncDA4EQKq1wCeKw4CkGgW3ZXBVSpU5AuL4xWrJtUAoMrj
leeqNsqYj7uryotQsusvTNIR
=CnFa
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------