Re: 10_MBL.cf

2014-09-16 Thread LuKreme

> On 16 Sep 2014, at 12:13 , Axb  wrote:
> 
> On 09/16/2014 06:57 PM, jcb wrote:
>> For the last few days, I have noticed that I have been getting this
>> update, and it is about 12mb long. When it automatically updates, it
>> manages to hang spamassassin, thereby stopping amavisd from processing.
>> Any Ideas? I am temporarily deleting this, till something is found.
> 
> MBL has a history of borked ClamAV signatures exploding .cf files
> 
> The idea of creating HUGE static files for URIs reminds me of the times
> when Bill Stearns and Chris Santerre did something like it named BigEvil.cf,
> before the SpamcopURI plugin and SURBL showed up... when was that? 2002?
> 2003?

Oh wow, I remember BigEvil. It must have been around there. Yeah, 2003 sounds 
right.


-- 
When and where does this "real world" occur?!



Re: 10_MBL.cf

2014-09-16 Thread Axb

On 09/16/2014 10:17 PM, Jason Haar wrote:
> On 17/09/14 06:13, Axb wrote:
>> MBL has a history of borked ClamAV signatures exploding .cf files
>>
>> The idea of creating HUGE static files for URIs reminds me of the
>> times when Bill Stearns and Chris Santerre did something like it named
>> BigEvil.cf, before the SpamcopURI plugin and SURBL showed up... when
>> was that? 2002? 2003?
>
> The problem they face is that SURBL checks only work on domains - not
> the "deep" URLs that contain malware/etc. So they are left with SA
> regex. But you are correct - I gave it a test run and it totally nails spamd
>
> It's still a good concept. Perhaps what we need is a URL RBL - maybe
> lowercase-and-base64 dodgy URLs and then make a RBL that points to them?


All URI BLs make huge efforts to detect domain abuse in Phish and they
do pretty well. What's missed can be detected with autogenerated body rules
(as the SOUGHT fraud). Sadly these rules are not being updated and
although there's a new autogenerated rule set in the works, stuff gets
delayed (volunteer efforts have limits).


Listing the full URL is not as simple as it looks unless you use safe &
expensive hashing methods, and you still depend on fast mirror syncs,
need highly redundant BL mirrors, etc.


iXhash also does pretty good for a lot of this stuff.
As always, you need an arsenal - one of the weapons will tag them.



Re: 10_MBL.cf

2014-09-16 Thread Jason Haar
On 17/09/14 06:13, Axb wrote:
> MBL has a history of borked ClamAV signatures exploding .cf files
>
> The idea of creating HUGE static files for URIs reminds me of the
> times when Bill Stearns and Chris Santerre did something like it named
> BigEvil.cf, before the SpamcopURI plugin and SURBL showed up... when
> was that? 2002? 2003?
>
The problem they face is that SURBL checks only work on domains - not
the "deep" URLs that contain malware/etc. So they are left with SA
regex. But you are correct - I gave it a test run and it totally nails spamd

It's still a good concept. Perhaps what we need is a URL RBL - maybe
lowercase-and-base64 dodgy URLs and then make a RBL that points to them?


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
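Jason Haar's URL RBL idea above, together with Axb's caveat that listing full URLs needs a hashing scheme both sides agree on, worked through as an added example. This is my illustration, not code from the thread and not the format of any existing list: the zone name urlbl.example, the 127.0.0.2 answer, the listed URLs and the normalisation rules are all constructed for the demo. It goes slightly beyond the proposal by also querying the parent directories of a URL, so a list can carry a directory prefix (the shape of the MBL rules in this thread) as well as an exact URL.

```python
"""Hashed full-URL lookup against a DNS-style list.

Added example, not code from the thread and not any list's real format.
Assumptions: ZONE, LISTED, the 127.0.0.2 answer and the normalisation
rules are constructed for this illustration.
"""
import base64
import hashlib
from urllib.parse import urlsplit, urlunsplit

ZONE = "urlbl.example"  # hypothetical zone name

# Constructed list contents: one directory prefix and one site root.
LISTED = ["http://66.39.4.207/graph/", "http://ghusthir.no.sapo.pt/"]


def normalize_url(url):
    """Canonical form hashed by the list builder and the client alike. Any
    difference between the two sides is a silent miss, so scheme and host
    are lower-cased, default ports and fragments dropped, and the path is
    left exactly as the server would see it."""
    p = urlsplit(url.strip())
    scheme = p.scheme or "http"
    host = (p.hostname or "").rstrip(".")
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


def lookup_key(url, zone=ZONE):
    """DNS name to query for one exact URL. SHA-256 is base32-encoded
    without padding (52 chars) so it fits one 63-octet label; hex would
    be 64 chars, and base64 uses '/' and '+', which are not valid in host
    names."""
    digest = hashlib.sha256(normalize_url(url).encode()).digest()
    label = base64.b32encode(digest).decode().rstrip("=").lower()
    return f"{label}.{zone}."


def candidate_urls(url, max_depth=4):
    """The exact URL first, then its parent directories, so the list can
    carry either a full URL or a prefix. Each candidate costs one DNS
    query, hence the cap on depth."""
    norm = normalize_url(url)
    yield norm
    p = urlsplit(norm)
    segs = p.path.split("/")[1:]  # "/graph/inv.exe" -> ["graph", "inv.exe"]
    seen = {norm}
    for depth in range(min(len(segs) - 1, max_depth), -1, -1):
        path = "/" + "/".join(segs[:depth]) + ("/" if depth else "")
        parent = urlunsplit((p.scheme, p.netloc, path, "", ""))
        if parent not in seen:
            seen.add(parent)
            yield parent


def build_zone(listed):
    """In-memory stand-in for the published zone: query name -> A record."""
    return {lookup_key(u): "127.0.0.2" for u in listed}


def check(url, zone_data):
    """Answer for the first listed candidate, or None if nothing is listed."""
    for cand in candidate_urls(url):
        answer = zone_data.get(lookup_key(cand))
        if answer:
            return answer
    return None


if __name__ == "__main__":
    zone = build_zone(LISTED)
    for u in ["http://66.39.4.207/graph/inv.exe", "http://66.39.4.207/other/x"]:
        print(u, "->", check(u, zone))
```

The client only ever sends a hash, so the mirrors never see the raw URL being checked, but every mirror has to hold the complete key set and be in sync, which is the cost Axb points at. Note that only the host is case-folded here; if a list lower-cases the whole URL as Jason suggests, the client must do exactly the same or lookups miss silently.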




Re: 10_MBL.cf

2014-09-16 Thread Axb

On 09/16/2014 06:57 PM, jcb wrote:

> For the last few days, I have noticed that I have been getting this
> update, and it is about 12mb long. When it automatically updates, it
> manages to hang spamassassin, thereby stopping amavisd from processing.
> Any Ideas? I am temporarily deleting this, till something is found.

MBL has a history of borked ClamAV signatures exploding .cf files

The idea of creating HUGE static files for URIs reminds me of the
times when Bill Stearns and Chris Santerre did something like it named
BigEvil.cf, before the SpamcopURI plugin and SURBL showed up... when
was that? 2002? 2003?


One used to list URIs manually.. on a box named spamgate...






Re: 10_MBL.cf

2014-09-16 Thread John Hardin

On Tue, 16 Sep 2014, jcb wrote:

> On 9/16/2014 1:08 PM, John Hardin wrote:
>> On Tue, 16 Sep 2014, Kevin A. McGrail wrote:
>>> On 9/16/2014 12:57 PM, jcb wrote:
>>>> For the last few days, I have noticed that I have been getting
>>>> this update, and it is about 12mb long. When it automatically
>>>> updates, it manages to hang spamassassin, thereby stopping amavisd
>>>> from processing.
>
> Thanks to you both for the very rapid response. It was from a 3rd party
> update path. I am running a get from MalwarePatrol, and it is the one
> that is doing the update, and creating that file.


I assume you're going to stop updating from that... :)

You should let them know that their current release is killing SA / 
amavisd. I'm sure that isn't their intent. This might be a temporary 
mistake.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say "I don't want the government to do X", do not
  automatically assume that means I don't want X to happen.
---
 Tomorrow: the 227th anniversary of the signing of the U.S. Constitution



Re: 10_MBL.cf

2014-09-16 Thread jcb


On 9/16/2014 1:19 PM, jcb wrote:
> On 9/16/2014 1:08 PM, John Hardin wrote:
>> On Tue, 16 Sep 2014, Kevin A. McGrail wrote:
>>> On 9/16/2014 12:57 PM, jcb wrote:
>>>> For the last few days, I have noticed that I have been getting this
>>>> update, and it is about 12mb long. When it automatically updates, it
>>>> manages to hang spamassassin, thereby stopping amavisd from
>>>> processing.
>>>>
>>>> Any Ideas? I am temporarily deleting this, till something is found.
>>>
>>> No idea what that file is.  Check your sa-update and cron installations.
>>
>> Especially: check whether you're updating from any third-party
>> repositories.
>
> Thanks to you both for the very rapid response. It was from a 3rd
> party update path. I am running a get from MalwarePatrol, and it is
> the one that is doing the update, and creating that file.
>
> Thanks again
> John

This is the top of the file; it goes on for 294,503 lines:

#
#Malware Patrol - Block List - https://www.malwarepatrol.net
#   List for Spam Assassin
#   Generated at: 20140913005412 UTC
#
#   Please do not update this list more often than every hour.
#
#   Copyright (c)  2014 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Kn2su6fOsZ5fnhesG2hPPMDDDX3LYM3y
#

body MBL_7865 /ghusthir\.no\.sapo\.pt\//i
describe MBL_7865 MBL: https://www.malwarepatrol.net/cgi/search.pl?id=7865
score MBL_7865 3.5

body MBL_22137 /66\.39\.4\.207\/graph\//i
describe MBL_22137 MBL: https://www.malwarepatrol.net/cgi/search.pl?id=22137
score MBL_22137 3.5
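The file excerpt above is the whole problem in miniature: every `body` line is one more regex that spamd compiles and runs against every message, and 294,503 of them is what hung it. As an added example (my code, not from the thread and not Malware Patrol's), the block below parses that rule layout, reports how many regexes a file would add before you let sa-update or cron drop it into a live rules directory, and shows the cheaper shape these particular rules could take: since each one is just an escaped literal host and path, they can be collapsed into one lookup table and a single compiled alternation. The two rules in SAMPLE_CF are copied from the excerpt; SAMPLE_BODY and the threshold in audit() are constructed for the demo.

```python
"""Size-check a SpamAssassin-style .cf rule file and collapse its literal
body rules into one matcher.

Added example, not code from the thread or from Malware Patrol.
Assumptions: SAMPLE_CF copies the two rules quoted in the thread;
SAMPLE_BODY and the threshold in audit() are constructed for the demo.
"""
import re

# Constructed sample in the layout of the 10_MBL.cf excerpt quoted above.
SAMPLE_CF = r"""
#   Malware Patrol - Block List (constructed sample, two rules)
body MBL_7865  /ghusthir\.no\.sapo\.pt\//i
describe MBL_7865  MBL: https://www.malwarepatrol.net/cgi/search.pl?id=7865
score MBL_7865 3.5

body MBL_22137 /66\.39\.4\.207\/graph\//i
describe MBL_22137 MBL: https://www.malwarepatrol.net/cgi/search.pl?id=22137
score MBL_22137 3.5
"""

# Constructed message body used to exercise the matcher.
SAMPLE_BODY = "Your invoice: http://66.39.4.207/GRAPH/inv.exe\n"

# body <NAME> /<regex>/<flags>   and   score <NAME> <number>
BODY_RE = re.compile(r"^body\s+(\S+)\s+/(.*)/([a-z]*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+([-+]?\d+(?:\.\d+)?)$")
# Only literal characters and backslash-escaped punctuation: the shape of
# every MBL rule shown in the thread, i.e. no real regex features at all.
LITERAL_RE = re.compile(r"(?:[A-Za-z0-9_\-:]|\\[^A-Za-z0-9])+")


def parse_cf(text):
    """Return {rule_name: {"pattern": ..., "flags": ..., "score": ...}}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BODY_RE.match(line)
        if m:
            name, pattern, flags = m.groups()
            rules.setdefault(name, {}).update(pattern=pattern, flags=flags)
            continue
        m = SCORE_RE.match(line)
        if m:
            name, score = m.groups()
            rules.setdefault(name, {})["score"] = float(score)
    return rules


def is_plain_literal(pattern):
    return LITERAL_RE.fullmatch(pattern) is not None


def unescape_literal(pattern):
    r"""66\.39\.4\.207\/graph\/ -> 66.39.4.207/graph/"""
    return re.sub(r"\\(.)", r"\1", pattern)


def audit(rules, max_regex_rules=1000):
    """How many regexes the file adds to every scan, how many are plain
    literals, and whether it is over the (illustrative) limit you are
    willing to hand spamd."""
    literal = sum(1 for r in rules.values() if is_plain_literal(r.get("pattern", "")))
    return {"rules": len(rules), "literal_rules": literal,
            "too_big": len(rules) > max_regex_rules}


def build_literal_table(rules):
    """Lower-cased literal -> (rule name, score) for every plain-literal
    rule. All MBL rules shown carry /i, so matching is case-insensitive."""
    table = {}
    for name, r in rules.items():
        if is_plain_literal(r.get("pattern", "")):
            table[unescape_literal(r["pattern"]).lower()] = (name, r.get("score", 0.0))
    return table


def build_matcher(table):
    """One compiled alternation for the whole table instead of one regex
    per rule; longest literal first so a short prefix never shadows a
    longer rule."""
    alts = sorted(table, key=len, reverse=True)
    if not alts:
        return re.compile(r"(?!)")  # matches nothing
    return re.compile("|".join(re.escape(a) for a in alts))


def scan_body(body, table, matcher):
    """Return {rule_name: score} for every listed literal found in body."""
    hits = {}
    for m in matcher.finditer(body.lower()):
        name, score = table[m.group(0)]
        hits[name] = score
    return hits


if __name__ == "__main__":
    rules = parse_cf(SAMPLE_CF)
    print(audit(rules, max_regex_rules=1))
    table = build_literal_table(rules)
    print(scan_body(SAMPLE_BODY, table, build_matcher(table)))
```

Run audit() from the same cron job that fetches a third-party channel and refuse to install the file when too_big is set; that is the check that would have kept this 12 MB update out of amavisd's path. The combined-alternation matcher is only a sketch of the cheaper direction (a real deployment would put the literals behind a URI-extracting plugin or a DNS list, as the rest of the thread discusses), but it already shows that nothing in these rules needs per-rule regex evaluation.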






Re: 10_MBL.cf

2014-09-16 Thread John Hardin

On Tue, 16 Sep 2014, Kevin A. McGrail wrote:

> On 9/16/2014 12:57 PM, jcb wrote:
>> For the last few days, I have noticed that I have been getting this
>> update, and it is about 12mb long. When it automatically updates, it
>> manages to hang spamassassin, thereby stopping amavisd from processing.
>> Any Ideas? I am temporarily deleting this, till something is found.
>
> No idea what that file is.  Check your sa-update and cron installations.

Especially: check whether you're updating from any third-party
repositories.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  When I say "I don't want the government to do X", do not
  automatically assume that means I don't want X to happen.
---
 Tomorrow: the 227th anniversary of the signing of the U.S. Constitution


Re: 10_MBL.cf

2014-09-16 Thread Kevin A. McGrail

On 9/16/2014 12:57 PM, jcb wrote:
> For the last few days, I have noticed that I have been getting this
> update, and it is about 12mb long. When it automatically updates, it
> manages to hang spamassassin, thereby stopping amavisd from
> processing. Any Ideas? I am temporarily deleting this, till something
> is found.

No idea what that file is.  Check your sa-update and cron installations.



10_MBL.cf

2014-09-16 Thread jcb
For the last few days, I have noticed that I have been getting this 
update, and it is about 12mb long. When it automatically updates, it 
manages to hang spamassassin, thereby stopping amavisd from processing. 
Any Ideas? I am temporarily deleting this, till something is found.