On Mon, 2009-08-03 at 11:25 +0100, Steve Freegard wrote:
> Karsten Bräckelmann wrote:

> I've had it running on a production box for the last couple of days and
> have been capturing any messages that hit the HAS_ANY_OBFU_URI rule.
> 
> This box *was* getting loads of obfu'd URI messages (I capture messages
> from certain ISP dynamic ranges that have massive bot infestations in my
> MTA and feed them to Bayes automatically); but when I checked the traps
> over the weekend - I didn't see a single message containing obfu'd URIs.
>  So it appears that this particular campaign has gone quiet for the
> time being.

I noticed this myself -- on a few, entirely unrelated accounts. I have
seen the last one of these obfuscated URIs on Sat. Since Sun, I've been
getting the very same URIs in the "bad, good" doodles style with
per-image manipulation.  Coincidence?


Anyway, this plugin is here to stay! I was aware this would cease again
sooner or later, and said so on the list. My main intention was, and
is, to extract the de-obfuscated URIs, and have URI DNSBLs properly
hit them.

Some words on the history:  We've all seen obfuscated URIs before,
multiple times. Especially the (dot) was not new and to be expected
early during this last run.

Ever since (quite a long time ago) some German spammer sent out
obfuscated URIs advertising porn sites with catchy, under-age hints in
the name, I wanted to hack such a plugin.

Even if the end result of GUDO's availability eventually means the end
of URI obfuscation, I'm not unhappy, and the plugin will have
successfully accomplished its mission. Even better, if the URI is out
there in the clear, less processing.

The main intention is to *close* that loophole that obfuscation is.


This set of plugins can handle other styles of de-obfuscation and
counter-measures, too.  Hardly documented, but that's intentional. For
now. ;)

  guenther


> However I did have a few obfu messages saved and running them through
> GUDO with the example settings from the perldoc captured them nicely.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
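A worked illustration of the de-obfuscation step guenther describes above (undo the spelled-out dot, recover the host, then build the name a URI DNSBL would be asked about). This is an added example written for this page; it is not GUDO's code and not SpamAssassin's API. The "(dot)" spelling is the one the thread mentions; the bracket variants, the bare " dot ", the spaced " . ", the small TLD allow-list, the two-label registrable-domain rule and the DNSBL zone name are all assumptions made for illustration, as is the sample message, which is constructed rather than captured spam.

```python
import re

# Spellings of the dot that this example normalises back to ".".
# "(dot)" is the style mentioned in the thread; the bracket variants,
# the bare " dot " and the spaced " . " are assumptions for illustration.
SEP = r"(?:\s*[(\[{]\s*(?:dot|\.)\s*[)\]}]\s*|\s+dot\s+|\s+\.\s+|\.)"
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(
    rf"(?<![a-z0-9.-])({LABEL}(?:{SEP}{LABEL})+)(?![a-z0-9-])", re.I
)
SEP_RE = re.compile(SEP, re.I)

# Constructed TLD allow-list (assumption). A real implementation would use
# a full public-suffix list; some filter is needed because the loose
# " dot " separator would otherwise turn prose like "I dot my" into a host.
TLDS = {"com", "net", "org", "info", "biz", "de", "ru"}


def deobfuscate_hosts(text):
    """Return de-obfuscated host names found in text, in order, deduplicated."""
    hosts = []
    for m in HOST_RE.finditer(text):
        host = SEP_RE.sub(".", m.group(1)).lower()
        labels = host.split(".")
        if len(labels) < 2 or labels[-1] not in TLDS:
            continue  # not a plausible host; drop it rather than query it
        if host not in hosts:
            hosts.append(host)
    return hosts


def registrable_domain(host):
    """Last two labels of a host.

    Assumption: no multi-label public suffixes (co.uk etc.), which a
    production filter would handle with a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def dnsbl_query_names(text, zone):
    """Names to look up in a URI DNSBL zone for every host found in text.

    URI DNSBLs are queried with the domain prepended to the zone, with no
    octet reversal as for IP-based lists. The zone is caller-supplied."""
    return [f"{registrable_domain(h)}.{zone}" for h in deobfuscate_hosts(text)]


# Constructed sample message body, not captured mail.
SAMPLE = """\
Click here: www (dot) example (dot) com/offer
or try mirror[dot]example-mirror[dot]net
I dot my i's and cross my t's.
"""

if __name__ == "__main__":
    for name in dnsbl_query_names(SAMPLE, "uribl.example"):
        print(name)
```

The TLD filter is where the real trade-off sits: loosen the separator patterns to catch more spellings and the false-positive rate on ordinary prose rises, so any lookup list built this way wants the same sanity checks a normal URI extractor applies before the DNS query goes out.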
