In reviewing our block reports, I'm seeing a handful of legitimate mail
being rejected due to:
URIBL: fail, very strong obfuscated IP found in URI

I don't know enough about this technique to know for sure, but these
messages all seem to have URLs in them with tracking codes (I assume)
built in and I think that's what's triggering the erroneous catch.  For
example:
http://etrack.thesender.com/t/ccbbaLT6QADKsHAuHEfaBFQA1CHQK42aaaa?t=2@031-040&f=esdfcpmgdseobebbbm_jx.Zocinscem.dnn&k=C2w&w=&s=gusqr://qkvr.hnpfmd.dnn/+esdccpmgdseerobfbbkm/opr1r

thesender.com (example here) is the domain of a good company that the
recipient does business with and the email is legitimate.

I just disabled URIBLNoObfuscated to stop this problem, but we would like
to disable obfuscated hostnames or IPs.

I don't know if this is a good idea, but could the detection code be
tweaked to ignore "very strong" obfuscation unless it's in the hostname
part of a URL?  For example:

http://www.sender.com/0x9A3F0800CEBF9E37 will PASS but
http://0x9A3F0800CEBF9E37/subpage/page will FAIL

As always, thanks.
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
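
The host-only check proposed in the post above, as an added Python example that is not part of the original post and is not ASSP's own detection code. The function name, the two patterns and the sample URLs (apart from the two taken from the post) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# One numeric host component: hex (0x...) or plain digits (decimal or octal).
NUM_PART = re.compile(r"^(0x[0-9a-f]+|[0-9]+)$", re.IGNORECASE)
# Ordinary dotted-quad IPv4: a literal IP, but not an obfuscated one.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
CANONICAL_V4 = re.compile(r"^(?:%s\.){3}%s$" % (OCTET, OCTET))


def host_is_obfuscated_ip(url):
    """True only if the host part of the URL is a numeric address
    written in a non-canonical form (hex, octal, single integer, short form).
    Path, query and fragment are never inspected."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed authority, e.g. broken IPv6 brackets
        return False
    if not host:
        return False
    host = host.rstrip(".")
    parts = host.split(".")
    if len(parts) > 4 or not all(NUM_PART.match(p) for p in parts):
        return False            # ordinary DNS name
    return not CANONICAL_V4.match(host)


# Constructed samples; the first two are the URLs given in the post.
SAMPLES = [
    "http://www.sender.com/0x9A3F0800CEBF9E37",
    "http://0x9A3F0800CEBF9E37/subpage/page",
    "http://etrack.thesender.com/t/0x7F000001?t=2@031-040&id=2130706433",
    "http://0300.0250.0.1/index.html",
    "http://3232235777/login",
    "http://192.0.2.10/plain",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("FAIL" if host_is_obfuscated_ip(u) else "PASS", u)
```

Hex-looking or all-digit tracking tokens in the path or query never reach the numeric test, because only the parsed hostname is examined.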
