URL rule creation question

2009-09-10 Thread MySQL Student
Hi all,

I've seen this pattern in spam quite a bit lately:

href=http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
.61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO

Would it be reasonable to create a rule that looks for this two-char
then dot pattern, or is it reasonable that it might appear in a
legitimate email too frequently? If possible, how would you create a
rule to capture this?

Thanks,
Alex


Re: URL rule creation question

2009-09-10 Thread Matt Kettler
MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
[snip - URI that verizon won't let me send]
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?

This rule should detect 10 consecutive occurrences.
uri   L_URI_FUNNYDOTS   /(?:\.[a-z,0-9]{2}\.){10}/

I do think that 4-in-a-row might be pretty common (i.e. IP addresses),
but 10 in a row seems unlikely.

Warning: I wrote this quickly without too much thought. It may have
bugs, but I'm short on time at the moment.



Re: URL rule creation question

2009-09-10 Thread McDonald, Dan
On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
> href=http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
> 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO
>
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?

uri URI_HEX_DOTTED  /(?:[[:xdigit:]]{2}\.){10}/

That would look for 10 two-digit hex numbers separated by periods in a
URL. Figure if you have at least 10 of them, it's probably a match...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi,

I have several emails that are tagged with RCVD_IN_JMF_W,
SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:

http://pastebin.com/m4a4d990e

Is the criteria for being listed on the JMF_W simply that it contains
a domain that is whitelisted, despite whether it contains another URL
that is blacklisted?

Would I be advised to make the JMF_W score very low, or create a meta
that doesn't really whitelist it unless it isn't also blacklisted?

meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)

It also appears to spoof the kraftfoods.com mail server, correct? Is
there a possible rule to be created here?

Thanks,
Alex


Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread RW
On Thu, 10 Sep 2009 19:21:16 -0400
MySQL Student mysqlstud...@gmail.com wrote:

> Hi,
>
> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>
> http://pastebin.com/m4a4d990e
>
> Is the criteria for being listed on the JMF_W simply that it contains
> a domain that is whitelisted, despite whether it contains another URL
> that is blacklisted?

I'm not sure what you are saying here, it's not as if the people
running the whitelist could lookup the IP address on razor.

> Would I be advised to make the JMF_W score very low, or create a meta
> that doesn't really whitelist it unless it isn't also blacklisted?
>
> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)

Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
that the whitelist rule is then pointless. Set its score at a value
that's commensurate with its effectiveness on your email.

It might be sensible to make meta rules for RCVD_IN_DNSWL_* and
RCVD_IN_JMF_W, if you are going to use both.

> It also appears to spoof the kraftfoods.com mail server, correct? Is
> there a possible rule to be created here?

No, it was almost certainly sent through kraftfoods.com. It's based on
an IP address recorded by your trusted network. 


Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread MySQL Student
Hi,

> > http://pastebin.com/m4a4d990e
> >
> > Is the criteria for being listed on the JMF_W simply that it contains
> > a domain that is whitelisted, despite whether it contains another URL
> > that is blacklisted?
>
> I'm not sure what you are saying here, it's not as if the people
> running the whitelist could lookup the IP address on razor.

I'm saying that it appears odd that it would be listed on both RAZOR
and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
rules found the bogus
http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
is a legitimate kraftfoods site?

> > meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
>
> Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
> that the whitelist rule is then pointless. Set its score at a value
> that's commensurate with its effectiveness on your email.

Does my question now make sense? I was looking at it from more of a
validation point of view for JMF_W, because of the apparent conflict
with RAZOR.

> > It also appears to spoof the kraftfoods.com mail server, correct? Is
> > there a possible rule to be created here?
>
> No, it was almost certainly sent through kraftfoods.com. It's based on
> an IP address recorded by your trusted network.

Maybe I should have used a better example. Can I ask you to look at this one?

http://pastebin.com/m7d61b26f

This uses IP 66.132.135.108 as its URL (xybersleuth.com), and unless
that's not a spammer's site, then there's something wrong. This email
includes JMF_W and RAZOR2_CF_RANGE_51_100 and URIBL_BLACK in the same
message, although it has a very low bayes score. Which is correct?

Thanks,
Alex


RE: URL rule creation question

2009-09-10 Thread McDonald, Dan
From: Matt Kettler [mailto:mkettler...@verizon.net]
 
> This rule should detect 10 consecutive occurrences.
> uri   L_URI_FUNNYDOTS   /(?:\.[a-z,0-9]{2}\.){10}/
>
> Warning: I wrote this quickly without too much thought. It may have
> bugs, but I'm short on time at the moment.

your variant would require two periods in a row between each pair. 
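The two rules posted in this thread, exercised against the URI Alex quoted (reassembled from its wrapped lines) and against a few constructed legitimate URLs, as an added Python example that is not part of the original thread. SpamAssassin rules are Perl regexes; Python's `re` has no POSIX `[[:xdigit:]]`, so that class is spelled out as `[0-9A-Fa-f]`. The threshold of 10 is Dan's, the legitimate sample URLs are assumptions for illustration, and the script also decodes the query string to show that the dotted pairs are simply hex-encoded ASCII, which is why the pattern is so regular.

```python
import re

# Dan McDonald's rule, translated from Perl syntax: [[:xdigit:]] -> [0-9A-Fa-f]
URI_HEX_DOTTED = re.compile(r"(?:[0-9A-Fa-f]{2}\.){10}")

# Matt Kettler's variant exactly as posted. The \. at the start of the
# repeated group plus the \. at its end means every pair would need a dot
# on both sides, i.e. two dots in a row between pairs, which never occurs
# in "39.6d.3d..." (Dan's point above).
L_URI_FUNNYDOTS = re.compile(r"(?:\.[a-z,0-9]{2}\.){10}")

# Used to measure how long a run of dot-terminated hex pairs actually is.
HEX_PAIR_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}\.)+")

# The spam URI from the thread, reassembled from the wrapped mail lines.
SPAM_URI = (
    "http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63"
    ".77.63.65.6e.74.69.6e.6e.69.61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e"
    ".30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.62.2e.6a"
    ".61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
)

# Constructed legitimate URIs (assumed examples, not from the thread):
# a dotted-quad IP, a dotted version number, and a short run of hex pairs.
LEGIT_URIS = [
    "http://10.11.12.13/index.html",
    "http://example.com/release/1.2.3.4.tar.gz",
    "http://example.com/build/ab.cd.ef.01.zip",
]


def longest_hex_pair_run(uri):
    """Longest run of consecutive dot-terminated two-hex-digit groups.

    This is the quantity that the {10} in URI_HEX_DOTTED thresholds on, so
    it is what you would measure on your own ham corpus before deploying.
    """
    return max((len(m.group()) // 3 for m in HEX_PAIR_RUN.finditer(uri)),
               default=0)


def hits(uri):
    """Which of the two posted rules would fire on this URI."""
    return {
        "URI_HEX_DOTTED": URI_HEX_DOTTED.search(uri) is not None,
        "L_URI_FUNNYDOTS": L_URI_FUNNYDOTS.search(uri) is not None,
    }


def decode_hex_query(uri):
    """Decode the leading run of two-hex-digit tokens in the query string.

    Stops at the first token that is not exactly two hex digits (the spam
    sample ends in '6c3az8fO'). Returns '' when there is no such run.
    """
    query = uri.partition("?")[2]
    pairs = []
    for token in query.split("."):
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            break
        pairs.append(token)
    return bytes.fromhex("".join(pairs)).decode("ascii", errors="replace")


if __name__ == "__main__":
    for uri in [SPAM_URI] + LEGIT_URIS:
        print(f"{longest_hex_pair_run(uri):3d} pairs  {hits(uri)}  {uri[:60]}")
    print("decoded query:", decode_hex_query(SPAM_URI))
```

In SpamAssassin a `uri` rule is run against each URI extracted from the body, so the pattern does not need anchoring; what matters is the run length, and the IP-address case Matt mentions only reaches three dot-terminated pairs, well under the threshold of ten.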



Re: JMF whitelist and RAZOR conflict

2009-09-10 Thread RW
On Thu, 10 Sep 2009 21:23:11 -0400
MySQL Student mysqlstud...@gmail.com wrote:

> Hi,
>
> > > http://pastebin.com/m4a4d990e
> >
> > > Is the criteria for being listed on the JMF_W simply that it
> > > contains a domain that is whitelisted, despite whether it contains
> > > another URL that is blacklisted?
> >
> > I'm not sure what you are saying here, it's not as if the people
> > running the whitelist could lookup the IP address on razor.
>
> I'm saying that it appears odd that it would be listed on both RAZOR
> and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
> rules found the bogus
> http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
> is a legitimate kraftfoods site?


Razor looks up fuzzy hashes of an email on a server that records the
values that have previously been reported for spam. JMF_W is based on
the IP address of the last hop into your trusted network (or internal
if you set it up that way). Neither is based on URLs.

DNS whitelists are hard to spoof. Both examples involve Exchange
server, perhaps a spammer is exploiting a Windows or Exchange
vulnerability.