# ================================================================================================ #
# OBFUSCATION                                      Copyright 2003 - MailPure - All Rights Reserved #
# ================================================================================================ #
# ================================================================================================ #
# Version:           2.1.0                                                                         #
# Last Modified:     01/08/2004                                                                    #
# Author:            Matthew Bramble                                                               #
# Updates:           http://www.mailpure.com/software/decludefilters/                              #
# Bug Reports:       bugs[at]mailpure.com                                                          #
# Compatibility:     Declude JunkMail Pro v1.77i7+                                                 #
# ================================================================================================ #
# ================================================================================================ #
# Description:                                                                                     #
# Encoding of letters and numbers in E-mail is unnecessary, however various techniques are         #
# sometimes used by spammers to hide from filters, even mixing multiple techniques in URL's at     #
# times.  This filter will detect text and URL encoding only in combinations where multiple        #
# encoded numbers and characters are in succession or mixed with HTTP address components.  More    #
# information on URL obfuscation techniques can be found at: http://www.pc-help.org/obscure.htm    #
#                                                                                                  #
#                                                                                                  #
# Recommended Usage:                                                                               #
# Place the Obfuscation.txt file in a Filters sub-directory.  Configure the filter in your         #
# Global.cfg but do not give it any score there.  Adjust scoring by modifying the Scoring entries  #
# just below this comment block.  Place the filter in your configuration near the bottom of your   #
# list of custom filters, but above most filters that make moderate use of BODY searches.  An      #
# example of usage in the Global.cfg file is as follows:                                           #
#                                                                                                  #
#     -----Global.cfg-----                                                                         #
#     OBFUSCATION     filter   C:\IMail\Declude\Filters\Obfuscation.txt     x   0   0              #
#                                                                                                  #
#                                                                                                  #
# Conflicts:                                                                                       #
# Likely to produce hits with the @LINKED, FRAUDDOMAINS, IPLINKED and ZAPTHEDINGBAT filters.       #
#                                                                                                  #
#                                                                                                  #
# False Positives:                                                                                 #
# Web designers and programmers passing inline code, ASCII text art, and legitimate bulk mailers   #
# that needlessly URL encode letters and numbers in their script arguments (only special           #
# characters are necessary).  False positives are extremely rare.                                  #
#                                                                                                  #
#                                                                                                  #
# Special Scoring:                                                                                 #
# Adjust the scoring of this filter by changing the MAXWEIGHT, and determine whether or not the    #
# filter will be run by adjusting the SKIPIFWEIGHT setting.  Set MAXWEIGHT to 70% of your system's #
# hold weight.  The Main Filter section, which is located at the bottom of this file, is           #
# configured to assess 7 points for each hit, and should be modified to match the MAXWEIGHT        #
# setting.  The MAXWEIGHT setting will limit the total score that this filter can produce to be no #
# more than the amount listed and immediately end processing of the filter once the MAXWEIGHT is   #
# reached.  Set SKIPIFWEIGHT to 100% of your system's delete weight, plus 100% of Declude's built  #
# in negative weight tests.  The default scoring is based on a hold weight of 10, a delete weight  #
# of 25, and 3 points possible from Declude's built in negative weight tests (REVDNS, IPNOTINMX,   #
# NOLEGITCONTENT, etc.).  Do not enter a score in the Global.cfg for this filter.                  #
# ================================================================================================ #

# SKIPIFWEIGHT 28 = delete weight (25) + points possible from Declude's built in negative weight
# tests (3), per the Special Scoring notes above.  Recompute it if either value differs on
# your system.
SKIPIFWEIGHT	28
# MAXWEIGHT 7 = 70% of the default hold weight (10).  The Main Filter rules are written with a
# score of 7 per hit, so a single hit reaches this cap and the filter on its own stays below
# the hold weight.  If MAXWEIGHT is changed, change the per-rule score of 7 to match.
MAXWEIGHT 	7


# ================================================================================================ #
# Counterbalances:                                                                                 #
# END functionality is utilized to halt processing of the filter and return no score in the event  #
# that a counterbalancing condition is found.  Counterbalances should include triggers for         #
# messages from legitimate senders that repeatedly fail this test as well as UNICODE attachments.  #
# ================================================================================================ #

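# Legitimate Senders:
# Counterbalances senders that have been found to repeatedly use URL and/or HTML encoding of
# letters and numbers.  Each END line stops the filter with no score when the envelope sender
# (MAILFROM) ends with the listed text.
#
# The suffixes are anchored with a leading "@" or "." so that only the listed domain and its
# subdomains match.  An unanchored "ticketmaster.com" also matches any other domain whose
# name merely ends in that text.
#
# NOTE(review): MAILFROM is supplied by the sending client and nothing in this filter
# authenticates it, so these entries exempt every message that presents one of these sender
# domains.  Keep the list short and remove entries that are no longer needed.

MAILFROM	END	ENDSWITH	@ticketmaster.com
MAILFROM	END	ENDSWITH	.ticketmaster.com
MAILFROM	END	ENDSWITH	@economist.com
MAILFROM	END	ENDSWITH	.economist.com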


# UNICODE Attachments:
# Counterbalances UNICODE attachments which can result in character strings that trigger the test.
# The rule ends the filter with no score for any message whose body contains the text below.
# NOTE(review): "begin 666 " looks like the first line of a uuencoded attachment (mode 666) -
# confirm that this is what the UNICODE attachments in question produce.
# NOTE(review): the pattern as written ends with a space after "666"; keep it when editing, and
# confirm whether the filter parser preserves trailing whitespace.
# NOTE(review): this exemption is keyed on body text alone, so it applies to every message that
# contains this text, whether or not an attachment is present.

BODY		END	CONTAINS	begin 666 


# ================================================================================================ #
# Main Filter:                                                                                     #
# Looks for URL strings that contain URL encoded non-printing characters.                          #
# ================================================================================================ #

# URL Encoded Obfuscation:
# This technique is used to obfuscate URL's.  The filter will only match two characters in
# succession with the first being a letter or number in order to protect from false positives.
#
# Each pattern is %XX% where XX is the hexadecimal ASCII code of a digit (30-39), an uppercase
# letter (41-5a) or a lowercase letter (61-7a).  The trailing % requires another % to follow
# immediately, as the next escape would.  An encoded letter or number followed by an unencoded
# character is not matched.
# NOTE(review): the hex digits a-f are written in lowercase here, while the example below uses
# uppercase (%6F).  This assumes CONTAINS compares case-insensitively - TODO confirm; if it
# does not, the uppercase forms (%4A% ... %7A%) need their own rules.
#
# Example:
# http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/

# 0-9

BODY		7	CONTAINS	%30%
BODY		7	CONTAINS	%31%
BODY		7	CONTAINS	%32%
BODY		7	CONTAINS	%33%
BODY		7	CONTAINS	%34%
BODY		7	CONTAINS	%35%
BODY		7	CONTAINS	%36%
BODY		7	CONTAINS	%37%
BODY		7	CONTAINS	%38%
BODY		7	CONTAINS	%39%

# A-Z

BODY		7	CONTAINS	%41%
BODY		7	CONTAINS	%42%
BODY		7	CONTAINS	%43%
BODY		7	CONTAINS	%44%
BODY		7	CONTAINS	%45%
BODY		7	CONTAINS	%46%
BODY		7	CONTAINS	%47%
BODY		7	CONTAINS	%48%
BODY		7	CONTAINS	%49%
BODY		7	CONTAINS	%4a%
BODY		7	CONTAINS	%4b%
BODY		7	CONTAINS	%4c%
BODY		7	CONTAINS	%4d%
BODY		7	CONTAINS	%4e%
BODY		7	CONTAINS	%4f%
BODY		7	CONTAINS	%50%
BODY		7	CONTAINS	%51%
BODY		7	CONTAINS	%52%
BODY		7	CONTAINS	%53%
BODY		7	CONTAINS	%54%
BODY		7	CONTAINS	%55%
BODY		7	CONTAINS	%56%
BODY		7	CONTAINS	%57%
BODY		7	CONTAINS	%58%
BODY		7	CONTAINS	%59%
BODY		7	CONTAINS	%5a%

# a-z

BODY		7	CONTAINS	%61%
BODY		7	CONTAINS	%62%
BODY		7	CONTAINS	%63%
BODY		7	CONTAINS	%64%
BODY		7	CONTAINS	%65%
BODY		7	CONTAINS	%66%
BODY		7	CONTAINS	%67%
BODY		7	CONTAINS	%68%
BODY		7	CONTAINS	%69%
BODY		7	CONTAINS	%6a%
BODY		7	CONTAINS	%6b%
BODY		7	CONTAINS	%6c%
BODY		7	CONTAINS	%6d%
BODY		7	CONTAINS	%6e%
BODY		7	CONTAINS	%6f%
BODY		7	CONTAINS	%70%
BODY		7	CONTAINS	%71%
BODY		7	CONTAINS	%72%
BODY		7	CONTAINS	%73%
BODY		7	CONTAINS	%74%
BODY		7	CONTAINS	%75%
BODY		7	CONTAINS	%76%
BODY		7	CONTAINS	%77%
BODY		7	CONTAINS	%78%
BODY		7	CONTAINS	%79%
BODY		7	CONTAINS	%7a%


# HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's and hide keywords.  The filter will only match
# two characters in succession with the first being a letter or number in order to protect
# from false positives.
#
# Each pattern is &#NN;&# where NN is the decimal ASCII code of a digit (48-57), an uppercase
# letter (65-90) or a lowercase letter (97-122).  The trailing &# requires another numeric
# entity to start immediately after the first one.
# NOTE(review): the second example below has isolated entities (&#73; is followed by "A", not
# by "&#"), so it illustrates the technique but is not matched by the rules in this section.
# NOTE(review): only the decimal entity form appears in this section; the hexadecimal entity
# form (&#x..;) has no rule here - confirm whether it is handled elsewhere.
#
# Examples:
# <A HREF="http://&#119;&#119;&#119;.&#103;&#111;&#111;&#103;&#108;&#101;.&#99;&#111;&#109;/">Google</A>
# V&#73;AG&#82;A

# 0-9

BODY		7	CONTAINS	&#48;&#
BODY		7	CONTAINS	&#49;&#
BODY		7	CONTAINS	&#50;&#
BODY		7	CONTAINS	&#51;&#
BODY		7	CONTAINS	&#52;&#
BODY		7	CONTAINS	&#53;&#
BODY		7	CONTAINS	&#54;&#
BODY		7	CONTAINS	&#55;&#
BODY		7	CONTAINS	&#56;&#
BODY		7	CONTAINS	&#57;&#

# A-Z

BODY		7	CONTAINS	&#65;&#
BODY		7	CONTAINS	&#66;&#
BODY		7	CONTAINS	&#67;&#
BODY		7	CONTAINS	&#68;&#
BODY		7	CONTAINS	&#69;&#
BODY		7	CONTAINS	&#70;&#
BODY		7	CONTAINS	&#71;&#
BODY		7	CONTAINS	&#72;&#
BODY		7	CONTAINS	&#73;&#
BODY		7	CONTAINS	&#74;&#
BODY		7	CONTAINS	&#75;&#
BODY		7	CONTAINS	&#76;&#
BODY		7	CONTAINS	&#77;&#
BODY		7	CONTAINS	&#78;&#
BODY		7	CONTAINS	&#79;&#
BODY		7	CONTAINS	&#80;&#
BODY		7	CONTAINS	&#81;&#
BODY		7	CONTAINS	&#82;&#
BODY		7	CONTAINS	&#83;&#
BODY		7	CONTAINS	&#84;&#
BODY		7	CONTAINS	&#85;&#
BODY		7	CONTAINS	&#86;&#
BODY		7	CONTAINS	&#87;&#
BODY		7	CONTAINS	&#88;&#
BODY		7	CONTAINS	&#89;&#
BODY		7	CONTAINS	&#90;&#

# a-z

BODY		7	CONTAINS	&#97;&#
BODY		7	CONTAINS	&#98;&#
BODY		7	CONTAINS	&#99;&#
BODY		7	CONTAINS	&#100;&#
BODY		7	CONTAINS	&#101;&#
BODY		7	CONTAINS	&#102;&#
BODY		7	CONTAINS	&#103;&#
BODY		7	CONTAINS	&#104;&#
BODY		7	CONTAINS	&#105;&#
BODY		7	CONTAINS	&#106;&#
BODY		7	CONTAINS	&#107;&#
BODY		7	CONTAINS	&#108;&#
BODY		7	CONTAINS	&#109;&#
BODY		7	CONTAINS	&#110;&#
BODY		7	CONTAINS	&#111;&#
BODY		7	CONTAINS	&#112;&#
BODY		7	CONTAINS	&#113;&#
BODY		7	CONTAINS	&#114;&#
BODY		7	CONTAINS	&#115;&#
BODY		7	CONTAINS	&#116;&#
BODY		7	CONTAINS	&#117;&#
BODY		7	CONTAINS	&#118;&#
BODY		7	CONTAINS	&#119;&#
BODY		7	CONTAINS	&#120;&#
BODY		7	CONTAINS	&#121;&#
BODY		7	CONTAINS	&#122;&#


# Extra Zeros in HTML Obfuscation
# This technique is used to hide HTML obfuscation from filters.
#
# Each pattern is a prefix: "&#" followed by one, two or three padding zeros and, for the
# one- and two-zero forms, the first digit of the code.  First digits 4-9 cover padded codes
# 48-57 (0-9), 65-90 (A-Z) and 97-99 (a-c); first digit 1 covers 100-122 (d-z).  "&#000"
# covers any entity padded with three or more zeros.
# First digits 2 and 3 have no rule - presumably because codes 20-39 are not letters or
# numbers; confirm this was intended.
# NOTE(review): because these are prefixes, they also match zero-padded entities that are not
# letters or numbers, such as &#09; (tab) or &#010; (line feed), so HTML that pads its
# entities for other reasons can score here.
#
# Example:
# V&#0073;AG&#0000082;A

BODY		7	CONTAINS	&#01
BODY		7	CONTAINS	&#04
BODY		7	CONTAINS	&#05
BODY		7	CONTAINS	&#06
BODY		7	CONTAINS	&#07
BODY		7	CONTAINS	&#08
BODY		7	CONTAINS	&#09
BODY		7	CONTAINS	&#001
BODY		7	CONTAINS	&#004
BODY		7	CONTAINS	&#005
BODY		7	CONTAINS	&#006
BODY		7	CONTAINS	&#007
BODY		7	CONTAINS	&#008
BODY		7	CONTAINS	&#009
BODY		7	CONTAINS	&#000


# Combination URL and HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's.  The filter will match two differently encoded
# characters in succession or separated by HTTP address components.
#
# The ";@%", ";:%" and ";.%" patterns match the end of an HTML entity, one address component
# character (@ : .), then the start of a URL escape - for instance the constructed sample
# "&#119;.%77".
# NOTE(review): the "%&#", "%@&#", "%:&#" and "%.&#" patterns need a literal % directly before
# the next character of the pattern, but a URL escape is % followed by two hex digits
# ("%77&#119;", "%77.&#103;").  Under plain substring matching none of the seven patterns
# below occurs in the example - confirm how CONTAINS treats % and test this section against
# a message containing the example.
#
# Example:
# <A HREF="http://%77&#119;%77.&#103;%6F&#111;%67&#108;%65.&#99;%6F&#109;/">Google</A>

BODY		7	CONTAINS	%&#
BODY		7	CONTAINS	%@&#
BODY		7	CONTAINS	;@%
BODY		7	CONTAINS	%:&#
BODY		7	CONTAINS	;:%
BODY		7	CONTAINS	%.&#
BODY		7	CONTAINS	;.%


# Hexadecimal IP Obfuscation
# This technique is used to obfuscate IP addresses.  The filter will only match a hexadecimal
# number found immediately following one of three possible HTTP address components.  Commented
# out due to a lack of current use in spam.
#
# Example:
# http://0xd8.0xef.0x25.0x64/

#BODY		7	CONTAINS	http://0x0
#BODY		7	CONTAINS	http://0x1
#BODY		7	CONTAINS	http://0x2
#BODY		7	CONTAINS	http://0x3
#BODY		7	CONTAINS	http://0x4
#BODY		7	CONTAINS	http://0x5
#BODY		7	CONTAINS	http://0x6
#BODY		7	CONTAINS	http://0x7
#BODY		7	CONTAINS	http://0x8
#BODY		7	CONTAINS	http://0x9
#BODY		7	CONTAINS	http://0xa
#BODY		7	CONTAINS	http://0xb
#BODY		7	CONTAINS	http://0xc
#BODY		7	CONTAINS	http://0xd
#BODY		7	CONTAINS	http://0xe
#BODY		7	CONTAINS	http://0xf
#BODY		7	CONTAINS	@0x0
#BODY		7	CONTAINS	@0x1
#BODY		7	CONTAINS	@0x2
#BODY		7	CONTAINS	@0x3
#BODY		7	CONTAINS	@0x4
#BODY		7	CONTAINS	@0x5
#BODY		7	CONTAINS	@0x6
#BODY		7	CONTAINS	@0x7
#BODY		7	CONTAINS	@0x8
#BODY		7	CONTAINS	@0x9
#BODY		7	CONTAINS	@0xa
#BODY		7	CONTAINS	@0xb
#BODY		7	CONTAINS	@0xc
#BODY		7	CONTAINS	@0xd
#BODY		7	CONTAINS	@0xe
#BODY		7	CONTAINS	@0xf
#BODY		7	CONTAINS	:0x0
#BODY		7	CONTAINS	:0x1
#BODY		7	CONTAINS	:0x2
#BODY		7	CONTAINS	:0x3
#BODY		7	CONTAINS	:0x4
#BODY		7	CONTAINS	:0x5
#BODY		7	CONTAINS	:0x6
#BODY		7	CONTAINS	:0x7
#BODY		7	CONTAINS	:0x8
#BODY		7	CONTAINS	:0x9
#BODY		7	CONTAINS	:0xa
#BODY		7	CONTAINS	:0xb
#BODY		7	CONTAINS	:0xc
#BODY		7	CONTAINS	:0xd
#BODY		7	CONTAINS	:0xe
#BODY		7	CONTAINS	:0xf
#BODY		7	CONTAINS	.0x0
#BODY		7	CONTAINS	.0x1
#BODY		7	CONTAINS	.0x2
#BODY		7	CONTAINS	.0x3
#BODY		7	CONTAINS	.0x4
#BODY		7	CONTAINS	.0x5
#BODY		7	CONTAINS	.0x6
#BODY		7	CONTAINS	.0x7
#BODY		7	CONTAINS	.0x8
#BODY		7	CONTAINS	.0x9
#BODY		7	CONTAINS	.0xa
#BODY		7	CONTAINS	.0xb
#BODY		7	CONTAINS	.0xc
#BODY		7	CONTAINS	.0xd
#BODY		7	CONTAINS	.0xe
#BODY		7	CONTAINS	.0xf


# Octal IP Obfuscation:
# This technique is used to obfuscate IP addresses.  Due to the possibility of false positives,
# the filter will only match an HTTP address component followed by two zeros which indicates a
# high probability of an octal number, though only one zero is required for proper encoding.  
# Commented out due to a lack of current use in spam.
#
# Example:
# http://0330.000357.0063.00000144/

#BODY		7	CONTAINS	http://00
#BODY		7	CONTAINS	@00