There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent. They all have a / followed by some kind of home-grown
obfuscation which his server recognizes:
http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
This problem was posted to the list a few weeks back. This regex seems to
work well for that. It is in the latest FILTER-SPAM.
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})
From: supp...@declude.com
Hi,
I may be barking up the wrong tree. But since the following email only had a
single IP v4 hop to our Imail, I can't see how this could possibly be caught
by spamrouting - unless there is some confusion on how to treat the IP v6
address:
Received: from SDKENG01.dkeng.co.uk
Post a few of his/her base domains - just to be sure we will be talking
about the same guy.
Thanks
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support
Here is another one:
gseo35.pennyonello.info/132694139742636427312a49fad18963925fb
I've deleted all the previous and hopefully won't get any more after
implementing the filter David sent.
I would still like to be able to block URIs by the DNS server or Registrar
used. There may be some
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Provided the prefix to these is either www or http://, the regex will trigger
on these.
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
Hi David,
I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif
With some tweaking I think it could be very effective though.
We have been whacking the guy w/sniffer General and dnsbl tests. I
Does the source have a space or different character after the end of the
string? We could look for a space, or a or
(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[]))
David
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Monday,
Would checking for the DOT, followed by one or more characters, at the end
of the long string serve to eliminate the false positives?
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, October 18, 2010 10:57 AM
To:
Dunno - I just grepped my logs to find the FP. You will have to get some
complete examples to test on. Maybe do a COPYTO on any emails that fail your
regex and then fine tune out the false positives.
-Nick
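As an added example (not from the thread), the following script runs the FILTER-SPAM regex posted above and a tightened variant over the spam URIs and the ratepoint false positive quoted in this thread, embedded in constructed message snippets. The negative lookahead that requires the hex run to be the last path segment is my tweak, in the spirit of the "space after the string" and "DOT followed by characters" suggestions; an http:// prefix is assumed for the domains that were posted bare.

```python
import re

# The regex from FILTER-SPAM as posted in the thread.
ORIGINAL = re.compile(r"(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})")

# Tightened variant (my suggestion, not from the thread): the 30-40 hex run
# must be the last path segment. The negative lookahead rejects a following
# '/', '.', or another alphanumeric, so a hash that is only a directory level
# (as in the ratepoint image URL) does not fire. \S+? keeps the host match
# inside one whitespace-delimited token instead of spanning the whole line.
TIGHTENED = re.compile(
    r"(?i:(?:http://|www)\S+?\.(?:com|info|net)/[a-f0-9]{30,40}(?![a-z0-9/.]))"
)

# Constructed samples: the spam URIs quoted in the thread, embedded the way
# they appear in a message body (followed by a space, a quote, or line end).
SPAM_BODIES = [
    "Click here http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 now",
    '<a href="http://gseo35.pennyonello.info/132694139742636427312a49fad18963925fb">offer</a>',
    "www.ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1",
]

# Constructed legitimate samples: the ratepoint image URL from the thread,
# whose 32-hex-char segment is followed by more path, plus a plain URL.
CLEAN_BODIES = [
    '<img src="http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif">',
    "See http://www.example.com/about for details",
]


def evaluate(pattern, spam, clean):
    """Return (hits on spam, false positives on clean) for a compiled pattern."""
    hits = sum(1 for body in spam if pattern.search(body))
    false_positives = sum(1 for body in clean if pattern.search(body))
    return hits, false_positives


def first_hit(pattern, body):
    """Return the matched URI fragment, or None, to eyeball what a rule caught."""
    m = pattern.search(body)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        hits, fps = evaluate(pat, SPAM_BODIES, CLEAN_BODIES)
        print(f"{name}: {hits}/{len(SPAM_BODIES)} spam hit, {fps} false positive(s)")
        print("  FP match:", first_hit(pat, CLEAN_BODIES[0]))
```

Feed it a COPYTO folder of real messages in place of the constructed lists to tune the lookahead before putting the rule into production.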