Re: [Assp-user] Obfuscated URIs

2007-01-28 Thread Fritz Borgstedt

Hmm, it works for me. If somebody could (dis)confirm:

It is caught by Bayesian )))(((.


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


Re: [Assp-user] Obfuscated URIs

2007-01-28 Thread Przemek Czerkas
Hmm, it works for me. If somebody could (dis)confirm:
 
 It is caught by Bayesian )))(((.

OK, my previous patch lied a little ;-)

change:
   if ($uri=~/(?:[^\s\/[EMAIL PROTECTED]@)?([0-9a-z\-\_\.]+)/i) {

to:
   if ($uri=~/(?:[^\s\/[EMAIL PROTECTED]@)?($URICharRe+)/i) {
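
Review bot: on the "to:" line, ($URICharRe+) can run past the host, because the widened $URICharRe posted on 2007-01-23 also admits ':', '?' and '#'. A host followed by ":port" or "?query" would then be captured together with that suffix and may no longer satisfy the anchored ^$IPQuadRE$ test that follows. Worth confirming with such a URI, or trimming $1 at the first ':' or '?' before the IP check.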


P.



Re: [Assp-user] Obfuscated URIs

2007-01-28 Thread Fritz Borgstedt
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
assp-user@lists.sourceforge.net writes:
should be:
   if ($uri=~/(?:[^\s\/[EMAIL PROTECTED]@)?($URICharRe+)/io) {

success:

Jan-28-07 14:39:39 193.99.144.71 [EMAIL PROTECTED] to:
[EMAIL PROTECTED] failed URIBL checks (obfuscated uri)
heisec_Emailcheck_Links_eejmzbo_  - ./spam/6587.eml




Re: [Assp-user] Obfuscated URIs

2007-01-28 Thread Nick Kelly


by Fritz Borgstedt Jan 29, 2007; 12:46am
should be:
   if ($uri=~/(?:[^\s\/[EMAIL PROTECTED]@)?($URICharRe+)/io) { 

success: 

Jan-28-07 14:39:39 193.99.144.71 [EMAIL PROTECTED] to: 
[EMAIL PROTECTED] failed URIBL checks (obfuscated uri) 
heisec_Emailcheck_Links_eejmzbo_  - ./spam/6587.eml 

Ahhh, watching talent at work, nothing like it 
Great work, you two !

:-)  N






Re: [Assp-user] Obfuscated URIs

2007-01-23 Thread Nick Kelly

 From: William Stucke [EMAIL PROTECTED]
 
 When enabled, messages with obfuscated URIs of types 
 [integer/octal/hex IP, other things!] in the body will 
 receive URIBLPolicyError SMTP error code. 

Fair call, but I was rather more interested in the list of what the 'other
things!' might be.

;-)  Nick







Re: [Assp-user] Obfuscated URIs

2007-01-23 Thread Fritz Borgstedt
Questions and Answers for users of ASSP Anti-Spam SMTP Proxy
assp-user@lists.sourceforge.net schreibt:
Fair call, but I was rather more interested in the list of what the
'other
things!' might be.

You are surely joking  but...
it is Open Source, you can read it.

fritz




Re: [Assp-user] Obfuscated URIs

2007-01-23 Thread Przemek Czerkas
 Maybe it doesn't work at all (including up to 1.2.7.1 (68).  I have never
 actually had a hit on this function, but I may just have been lucky.

The check in its current form secures against 
http://www.pc-help.org/obscure.htm 
types of obfuscation.

 Some of the examples in this test are just mis-labelled links,
 but for example I was at least expecting to not pass the hex encoded and
 http://username (at) site types.

Mis-labelled links are obviously outside of the scope.
http://username (at) site types ... maybe?
But I agree on hex encoded URIs. Here's a quick patch:
(not thoroughly tested!)

Step 1.
Change a line:
$URICharRe='(?:[=%][0-9a-f]{2}|\#\\d{1,3};?|[EMAIL 
PROTECTED]|\=(?:\015?\012|\015))';

with this one line (probably wrapped):
$URICharRe='(?:\=(?:\015?\012|\015)|[=%][0-9a-f]{2}|\#\\d{1,3};?|[0-9a-z\-\_\.\~\!\*\'\(\)\;\:[EMAIL
 PROTECTED]\=\+\$\,\?\%\#\[\]])';

Step 2.
Change this code block:

   # RFC 2821, section 4.5.2, 'Transparency': delete leading period char
   $uri=~s/\=(?:\015?\012|\015)\.?//g;
   $uri=~s/[=%]([0-9a-f]{2})/chr(hex($1))/gie;
   $uri=~s/#(\d{1,3});?/chr($1)/ge;
   $uri=~tr/;//d;
   if ($uri=~/(?:[^\s\/[EMAIL PROTECTED]@)?([0-9a-z\-\_\.]+)/i) {
$orig_uri=$uri=$1;
$uri=~s/\.{2,}/\./g;
$uri=~s/^\.//;
$uri=~s/\.$//;
if ($uri=~/^$IPQuadRE$/io) {


with:

   # RFC 2821, section 4.5.2, 'Transparency': delete leading period char
   $uri=~s/\=(?:\015?\012|\015)\.?//g;
   # decode 'at' character
   $uri=~s/[=%]40/@/g;
   $uri=~s/#0?64;?/@/g;
   if ($uri=~/(?:[^\s\/[EMAIL PROTECTED]@)?([0-9a-z\-\_\.]+)/i) {
$orig_uri=$uri=$1;
$uri=~s/[=%]([0-9a-f]{2})/chr(hex($1))/gie;
$uri=~s/#(\d{1,3});?/chr($1)/ge;
$uri=~tr/;//d;
$uri=~s/\.{2,}/\./g;
$uri=~s/^\.//;
$uri=~s/\.$//;
if ($uri=~/^$IPQuadRE$/io) {
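
Review bot: in the replacement block the capture on the "if ($uri=~" line is still ([0-9a-z\-\_\.]+), so $1 ends at the first '%', '=' or '#' and the two decode substitutions moved inside the block never see an escape sequence. A hex-encoded host is therefore still cut short before the $IPQuadRE test. Capturing ($URICharRe+) instead, with the widened class from Step 1, lets the encoded characters reach the decode lines.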


 However I'll take that as a 'not gonna tell', and will leave it be.

 :-)  Nick

I hope I didn't say too much :-)

Przemek
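
An added illustration, not part of the thread and not ASSP's code: a stand-alone Perl sketch of the host obfuscations discussed here (hex, octal and integer IP forms, and hosts hidden behind %XX, =XX or #NNN; escapes, including an encoded '@'). The sub names and the sample URIs are constructed for this example.

```perl
use strict;
use warnings;

# Constructed sketch, not ASSP's code; sub names are hypothetical.
# Reduce a URI to its host. With $decode set, undo the encodings named in the
# thread (=XX / %XX hex escapes, #NNN; decimal entities) before splitting.
sub host_of {
    my ($uri, $decode) = @_;
    $uri =~ s/=(?:\015?\012|\015)//g;              # quoted-printable soft line break
    $uri =~ s{^[a-z][a-z0-9+.\-]*://}{}i;          # scheme
    $uri =~ s{[/?\s].*}{}s;                        # path, query, trailing text
    if ($decode) {
        $uri =~ s/[=%]([0-9a-f]{2})/chr(hex($1))/gie;
        $uri =~ s/&?#(\d{1,3});?/chr($1)/ge;
    }
    $uri =~ s/^.*\@//s;                            # userinfo, incl. a decoded %40
    $uri =~ s/:\d*$//;                             # port
    return lc $uri;
}

# Return the list of obfuscation findings for one URI (empty list = none).
sub findings {
    my ($uri) = @_;
    my $host = host_of($uri, 1);
    my @f;
    push @f, 'encoded host' if $host ne host_of($uri, 0);
    my @parts = split /\./, $host, -1;
    my @kind = map {
          /^0x[0-9a-f]+$/    ? 'hex'
        : /^0[0-7]+$/        ? 'octal'
        : /^(?:0|[1-9]\d*)$/ ? 'dec'
        :                      'name'
    } @parts;
    # Only an all-numeric host with at most four parts can be an IP address.
    if (@parts && @parts <= 4 && !grep { $_ eq 'name' } @kind) {
        push @f, 'hex IP'     if grep { $_ eq 'hex' } @kind;
        push @f, 'octal IP'   if grep { $_ eq 'octal' } @kind;
        push @f, 'integer IP' if @parts < 4 && grep { $_ eq 'dec' } @kind;
    }
    return @f;
}

# Constructed samples; 192.0.2.1 is a documentation address (RFC 5737).
for my $u ('http://www.example.com/a', 'http://192.0.2.1/', 'http://3221225985/',
           'http://0xC0.0x00.0x02.0x01/', 'http://0300.0.02.01/x',
           'http://www.example.com%40%33%32%32%31%32%32%35%39%38%35/') {
    my @f = findings($u);
    printf "%-58s %s\n", $u, @f ? join(', ', @f) : 'clean';
}
```

The last sample shows why the '@' has to be decoded before the host is split off: undecoded, the host looks like www.example.com; decoded, it is an integer IP behind a decoy user name.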



[Assp-user] Obfuscated URIs

2007-01-22 Thread Nick Kelly

Regarding Disallow Obfuscated URIs

I have noticed that this function does not block all types of obfuscated
URIs.  While my perl is not quite good enough to get right to the bottom of
it, may I suggest that the description text outline briefly what types the
check does cover.

Eg currently,

When enabled messages with obfuscated uri's in the body will receive
URIBLPolicyError SMTP error code.

To

When enabled messages with obfuscated uri's of types
[integer/octal/hex ip, other things!]
in the body will receive URIBLPolicyError SMTP error code.

Regards,

Nick






Re: [Assp-user] Obfuscated URIs

2007-01-22 Thread Przemek Czerkas
 Regarding Disallow Obfuscated URIs
 
 I have noticed that this function does not block all types of obfuscated
 URIs.

Please post a real-world example of such URIs.

 While my perl is not quite good enough to get right to the bottom of
 it, may I suggest that the description text outline briefly what types the
 check does cover.

Hmm ... to give a hint to spammers? ;-)
