Re: New spam / phishing rule?

2014-11-08 Thread LuKreme
On Nov 7, 2014, at 10:03 AM, Benny Pedersen m...@junc.eu wrote:
 
 What MUA clients show invalid mimetypes?

Most all of them.

-- 
He'd never asked for an exciting life. What he really liked, what he
sought on every occasion, was boredom. The trouble was that boredom
tended to explode in your face. Just when he thought he'd found it he'd
be suddenly involved in what he supposed other people - thoughtless,
feckless people - would call an adventure. And he'd be forced to visit
many strange lands and meet exotic and colourful people, although not
for very long because usually he'd be running. He'd seen the creation of
the universe, although not from a good seat, and had visited Hell and
the afterlife. He'd been captured, imprisoned, rescued, lost and
marooned. Sometimes it had all happened on the same day.



Re: New spam / phishing rule?

2014-11-08 Thread Reindl Harald


On 09.11.2014 at 00:51, LuKreme wrote:

On Nov 7, 2014, at 10:03 AM, Benny Pedersen m...@junc.eu wrote:


What MUA clients show invalid mimetypes?


Most all of them


thank you for your fortune footer in the name of everybody trying to 
train ham messages for bayes..


what is that garbage worth for?
__

He'd never asked for an exciting life. What he really liked, what he
sought on every occasion, was boredom. The trouble was that boredom
tended to explode in your face. Just when he thought he'd found it he'd
be suddenly involved in what he supposed other people - thoughtless,
feckless people - would call an adventure. And he'd be forced to visit
many strange lands and meet exotic and colourful people, although not
for very long because usually he'd be running. He'd seen the creation of
the universe, although not from a good seat, and had visited Hell and
the afterlife. He'd been captured, imprisoned, rescued, lost and
marooned. Sometimes it had all happened on the same day.





Re: New spam / phishing rule?

2014-11-08 Thread Dave Pooser
On 11/8/14, 5:57 PM, Reindl Harald h.rei...@thelounge.net wrote:

what is that garbage worth for?

It's from a book by Terry Pratchett. Are we really so hard up for things
to talk about that we're going to have a .sig flamewar now?
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
Programming: The profession of progressing from WTF? to Oh, duh.




Re: New spam / phishing rule?

2014-11-08 Thread Reindl Harald


On 09.11.2014 at 01:48, Dave Pooser wrote:

On 11/8/14, 5:57 PM, Reindl Harald h.rei...@thelounge.net wrote:


what is that garbage worth for?


It's from a book by Terry Pratchett. Are we really so hard up for things
to talk about that we're going to have a .sig flamewar now?


it's not a matter of hard
it's a matter of sending 1 line followed by 10 or more garbage





Re: New spam / phishing rule?

2014-11-08 Thread John Hardin

On Sun, 9 Nov 2014, Reindl Harald wrote:


On 09.11.2014 at 01:48, Dave Pooser wrote:

 On 11/8/14, 5:57 PM, Reindl Harald h.rei...@thelounge.net wrote:

  what is that garbage worth for?

 It's from a book by Terry Pratchett. Are we really so hard up for things
 to talk about that we're going to have a .sig flamewar now?


it's not a matter of hard
it's a matter of sending 1 line followed by 10 or more garbage


Yep. .sig flamewar. Sigh.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Activist: Someone who gets involved.
  Unregistered Lobbyist: Someone who gets involved with something
the MSM doesn't approve of.   -- WizardPC
---
 3 days until Veterans Day


Re: New spam / phishing rule?

2014-11-08 Thread LuKreme
On Nov 8, 2014, at 5:54 PM, Reindl Harald h.rei...@thelounge.net wrote:
 On 09.11.2014 at 01:48, Dave Pooser wrote:
 On 11/8/14, 5:57 PM, Reindl Harald h.rei...@thelounge.net wrote:
 
 what is that garbage worth for?
 
 It's from a book by Terry Pratchett. Are we really so hard up for things to 
 talk about that we're going to have a .sig flamewar now?
 
 it's not a matter of hard
 it's a matter of sending 1 line followed by 10 or more garbage

Feel free to bin/killfile/spam-tag my my posts. Makes less than no difference 
to me. That would be far more effective than complaining about it.

-- 
'It's a lovely morning, lads,' he said. 'I feel like a million dollars.
Don't you?' There was a murmur of reluctant agreement. 'Good,' said
Cohen. 'Let's go and get some.' --Interesting Times



Re: New spam / phishing rule?

2014-11-08 Thread Benny Pedersen

On November 9, 2014 2:12:16 AM John Hardin jhar...@impsec.org wrote:


Yep. .sig flamewar. Sigh.


That's why I use no sig at all, please don't copy me :)


Re: New spam / phishing rule?

2014-11-07 Thread Axb

On 11/07/2014 05:41 PM, David F. Skoll wrote:

Hi,

I've seen a couple of hundred phishing emails come in that all had an
attachment of type application/html which is (of course) bogus.

I've put in a rule to block these and will see how it goes.
I've put an example up at http://pastebin.com/M3dRp4dD
with only slight editing to hide the actual recipient's name.


committing a mimeheader rule to my sandbox...



Re: New spam / phishing rule?

2014-11-07 Thread Benny Pedersen

On November 7, 2014 5:41:30 PM David F. Skoll d...@roaringpenguin.com wrote:


I've seen a couple of hundred phishing emails come in that all had an
attachment of type application/html which is (of course) bogus.


What MUA clients show invalid mimetypes?


MUAs and invalid MIME type handling (was Re: New spam / phishing rule?)

2014-11-07 Thread David F. Skoll
On Fri, 07 Nov 2014 18:03:32 +0100
Benny Pedersen m...@junc.eu wrote:

 What MUA clients show invalid mimetypes?

Microsoft, thank you... if the attachment name ends in .htm or .html it
is treated as HTML regardless of MIME type.

Actually, most MUAs do this.  There are an unbelievable number of MIME
generators that attach everything (PDFs, spreadsheets, whatever) as
application/octet-stream so MUAs are forced to guess the real MIME type
based on the filename or based on sniffing the content. :(

The current state of email sucks, in case nobody's noticed.

Regards,

David.
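The file-name-versus-declared-type mismatch David describes, and the bogus application/html type that Axb's mimeheader rule targets, are both checkable on the receiving side before any MUA gets to guess. The following Python is an added example, not code from this thread, from SpamAssassin or from any MUA: it walks a constructed MIME message with the standard library and flags attachments whose declared Content-Type is the unregistered application/html, or whose file name a name-based MUA would sniff as HTML while the declared type says something else. The sample message, the BOGUS_TYPES set and the function names are my own.

```python
import email
import mimetypes
from email import policy

# Constructed sample message (not the thread's pastebin sample): three attachments,
# one declared with the bogus application/html type, one HTML file hidden behind
# application/octet-stream, and one whose declared type agrees with its name.
RAW_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please open the attached document.

--b1
Content-Type: application/html; name="document.html"
Content-Disposition: attachment; filename="document.html"

<html><body>constructed sample</body></html>

--b1
Content-Type: application/octet-stream; name="report.htm"
Content-Disposition: attachment; filename="report.htm"

<html><body>constructed sample</body></html>

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK

--b1--
"""

# Assumption: a short list of declared types that do not exist in the registry.
BOGUS_TYPES = {"application/html"}


def sniffed_type(filename):
    """What an MUA that goes by the file name would treat this attachment as."""
    guess, _encoding = mimetypes.guess_type(filename or "")
    return guess


def suspicious_attachments(raw):
    """Return (filename, declared type, reason) for every attachment whose declared
    Content-Type is bogus, or whose name sniffs as HTML while the type says otherwise."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        declared = part.get_content_type()
        name = part.get_filename() or ""
        if declared in BOGUS_TYPES:
            findings.append((name, declared, "bogus MIME type"))
        elif sniffed_type(name) == "text/html" and declared != "text/html":
            findings.append((name, declared, "name sniffs as HTML, declared type does not"))
    return findings


if __name__ == "__main__":
    for name, declared, reason in suspicious_attachments(RAW_MESSAGE):
        print(f"{name}: {declared} ({reason})")
```

The second branch is the one that matters for the sniffing behaviour in this thread: the PDF passes because its name and type agree, while report.htm is flagged even though application/octet-stream is a perfectly valid type, because the name is what the client will act on.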



Re: MUAs and invalid MIME type handling (was Re: New spam / phishing rule?)

2014-11-07 Thread Benny Pedersen

On November 7, 2014 6:06:40 PM David F. Skoll d...@roaringpenguin.com wrote:


 What MUA clients show invalid mimetypes?
Microsoft, thank you... if the attachment name ends in .htm or .html it
is treated as HTML regardless of MIME type.


Microsoft could fix this in a monthly bugfix update for dangerous software 
fix :)



Actually, most MUAs do this.  There are an unbelievable number of MIME
generators that attach everything (PDFs, spreadsheets, whatever) as
application/octet-stream so MUAs are forced to guess the real MIME type
based on the filename or based on sniffing the content. :(


I think I will submit this as my first MIME signature to ClamAV and 
hopefully get it signed off by the ClamAV team as a good signature, so clients 
stop using badly written software



The current state of email sucks, in case nobody's noticed.


I have; currently I think there is a bug in libspf2 1.2.10, used here in 
opendmarc 1.3.0. The problem I see is that pypolicyd-spf does not give the 
same results as libspf2, hmm


And it's the weekend here :)


Re: New spam rule for specific content

2013-08-12 Thread Kris Deugau
Amir 'CG' Caspi wrote:
  My main feeling is that if anyone is
 sending HTML email with LOTS of stuff commented out, that email is
 almost certainly spam.  Ham HTML email would probably be done with more
 care.

*snigger*  Take a look at the raw source from a message sent with
Outlook (especially one with stationery) and say that again...

I've had to heavily alter or outright discard a number of otherwise
useful rules along the lines discussed in this thread due to Outlook FPs.

-kgd


Re: New spam rule for specific content

2013-08-12 Thread John Hardin

On Mon, 12 Aug 2013, Kris Deugau wrote:


Amir 'CG' Caspi wrote:

 My main feeling is that if anyone is
sending HTML email with LOTS of stuff commented out, that email is
almost certainly spam.  Ham HTML email would probably be done with more
care.


*snigger*  Take a look at the raw source from a message sent with
Outlook (especially one with stationery) and say that again...

I've had to heavily alter or outright discard a number of otherwise
useful rules along the lines discussed in this thread due to Outlook FPs.


This was my worry, too.

In a word: Microsoft

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 3 days until the 68th anniversary of the end of World War II


Re: New spam rule for specific content

2013-08-11 Thread Amir 'CG' Caspi

At 1:41 PM -0600 08/10/2013, Amir 'CG' Caspi wrote:
(The HTML comment gibberish rule would be a big step here, since 
that's one of the few things that would distinguish this from ham... 
unlikely that a real person would embed tens of KB of comment 
gibberish.)


OK, I'm trying to test an HTML comment gibberish rule and having some 
problems.  I'm using the following test spam, the same I showed 
before:

http://pastebin.com/VCtvzjzV

I'm testing the following rule:

# HTML comment gibberish
rawbody HTML_COMMENT_GIBBERISH  /<!--\s*(?:[\w'?.:;-]+\s+){100,}\s*-->/im
tflags HTML_COMMENT_GIBBERISH   multiple
describe HTML_COMMENT_GIBBERISH lots of spammy text in HTML comment
score HTML_COMMENT_GIBBERISH    0.001

Now, when I run this test spam through SA, I do get a hit, but only a 
single hit... the rule is popping for the final HTML comment (the one 
beginning with Simpsons).  However, there are two other HTML 
comments in this email, prior to the one that hit... for some reason, 
they are not hitting, even though I've set tflags=multiple.  (I was 
considering having a meta rule that scored extra for multiple 
comments.)


My regex is valid and appropriate for those comments... I tested it 
at regexpal.com, which shows that all three comments match just fine 
(all three get highlighted).


So... why is SA hitting only on the final comment, and ignoring the 
first two?  (I tried using a meta rule that popped if this hit more 
than once, and that meta rule did not pop.  SA debug output shows 
only this one comment hitting, not the other two.)  If my regex is 
fine and I've got tflags=multiple, what's preventing the other 
comments from hitting?


Thanks.

--- Amir


Re: New spam rule for specific content

2013-08-11 Thread Benny Pedersen

Amir 'CG' Caspi wrote on 2013-08-11 10:22:


http://pastebin.com/VCtvzjzV



Content analysis details:   (10.9 points, 5.0 required)

 pts rule name  description
 -- 
--

-0.0 RCVD_IN_MSPIKE_H3  RBL: Good reputation (+3)
[5.39.218.213 listed in wl.mailspike.net]
 0.1 RELAY_NL   Relayed through NL
 0.5 MSG_ID_INSTAFILE_BIZ   spamming instafile.biz in message id
 0.5 STARS_ON_FORTY_FIVEURI: contains 5 chars url at end
 0.1 STARS_ON_FORTY_FOORURI: contains 4 chars url at end
 0.1 HTML_ERROR_TAGS_X_HTML RAW: error x-html not found on w3.org
 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
 1.7 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders
 1.8 LONGWORDS  Long string of long words
 2.0 MIME_NO_TEXT   No (properly identified) text body parts
 1.3 SAGREY Adds score to spam from first-time senders


I created MSG_ID_INSTAFILE_BIZ and HTML_ERROR_TAGS_X_HTML, but even 
without these rules it's spam


Re: New spam rule for specific content

2013-08-11 Thread Amir Caspi
On Aug 11, 2013, at 9:10 AM, Benny Pedersen m...@junc.eu wrote:

 I created MSG_ID_INSTAFILE_BIZ and HTML_ERROR_TAGS_X_HTML, but even without 
 these rules it's spam

It is NOW, it was not when it was originally processed, as you can see from the 
SA headers included in the pastebin. If you read the messages I sent earlier, 
the network tests did not all hit because the spam was too young (had not yet 
been reported to all the services). LONGWORDS also did not hit for some reason, 
see the second email I sent regarding this (the test seems to not work properly 
on MIME content). Without these, and because this is an image-based spam that 
evades Bayes, the message did not pass the spam threshold originally, even 
though it does now.

My question is not whether this is spam. My question is why the new 
HTML_COMMENT_GIBBERISH rule only got one hit on the third comment when it 
should have hit all three comments...

Thanks.

--- Amir

Re: New spam rule for specific content

2013-08-11 Thread Amir 'CG' Caspi

At 2:22 AM -0600 08/11/2013, Amir 'CG' Caspi wrote:
My regex is valid and appropriate for those comments... I tested it 
at regexpal.com, which shows that all three comments match just fine 
(all three get highlighted).


So... why is SA hitting only on the final comment, and ignoring the first two?


Further confusion.  Received another of these types of spam today:

http://pastebin.com/YywcFkui

My new HTML_COMMENT_GIBBERISH rule didn't hit on this one at all. 
Running the email through regexpal.com shows that the regex _DOES_ 
hit the comment.  Why is this failing in SA even though it works in 
other environments?  Is there something that Perl doesn't like about 
my regex syntax but that works fine in JavaScript?


Whatever is causing this to fail is probably the same thing causing 
only the single (versus triple) hit on the previous example.


Your help in debugging would be greatly appreciated...

Thanks!

--- Amir


Re: New spam rule for specific content

2013-08-11 Thread Alex
Hi,

 Further confusion.  Received another of these types of spam today:

 http://pastebin.com/YywcFkui

 My new HTML_COMMENT_GIBBERISH rule didn't hit on this one at all. Running

Can you post this rule again so we can investigate?

How do you find the SPAMMY_URI_PATTERNS rule is performing? It seems
very prone to FPs.

Why is there no BAYES score?

Are you using sqlgrey? If not, it's incredible and you should try it.

Regards,
Alex


Re: New spam rule for specific content

2013-08-11 Thread Amir 'CG' Caspi

At 9:31 PM -0400 08/11/2013, Alex wrote:

Can you post this rule again so we can investigate?


# HTML comment gibberish
# Looks for sequence of 100 or more words (alphanum + punct 
# separated by whitespace) within HTML comment

rawbody HTML_COMMENT_GIBBERISH  /<!--\s*(?:[\w'?!.:;-]+\s+){100,}\s*-->/im
describe HTML_COMMENT_GIBBERISH lots of spammy text in HTML comment
score HTML_COMMENT_GIBBERISH    0.001

regexpal says my rule matches the comment.  SA doesn't agree.


How do you find the SPAMMY_URI_PATTERNS rule is performing? It seems
very prone to FPs.


It's performing quite well for me... I haven't seen any FPs on it. 
The patterns are based on specific spam templates... one looks for 
/outl and /outi URIs, the other is /land/ + /unsub/ + /report/ ... 
these URIs have to occur in combination.  You are correct that it has 
the potential for FPs but I haven't seen any so far.



Why is there no BAYES score?


I ran this test through the root account which does not have a Bayes 
DB, so there's no Bayes score.  There was a Bayes score on the 
original email, which was Bayes50 just like every other one of these 
types of spams (no real text, just a spammy image which SA isn't 
decoding).



Are you using sqlgrey? If not, it's incredible and you should try it.


I have not implemented any sort of greylisting yet.  I can't use 
sqlgrey because I don't use postfix... my server runs sendmail.  I'm 
sure there are some good sendmail-compatible greylisters but I 
haven't tried them yet... I'm a bit worried about legitimate email 
getting bounced.  I'm sure I'll get to it in due course, though...


Thanks.

--- Amir


Re: New spam rule for specific content

2013-08-11 Thread John Hardin

On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:


At 2:22 AM -0600 08/11/2013, Amir 'CG' Caspi wrote:
My regex is valid and appropriate for those comments... I tested it at 
regexpal.com, which shows that all three comments match just fine (all 
three get highlighted).


So... why is SA hitting only on the final comment, and ignoring the first 
two?


Further confusion.  Received another of these types of spam today:

http://pastebin.com/YywcFkui

My new HTML_COMMENT_GIBBERISH rule didn't hit on this one at all.


Thanks for the samples, and apologies for the tardy reply.

A COMMENT_GIBBERISH rule has been in my sandbox for a while now, but it is 
not performing well in masscheck.


I broadened it a bit per your samples and it hits all of them now. We'll 
see if this change improves the masscheck performance. I'm also going to 
make FP-avoidance changes that should also help.


Running the email through regexpal.com shows that the regex _DOES_ hit 
the comment.  Why is this failing in SA even though it works in other 
environments?  Is there something that Perl doesn't like about my regex 
syntax but that works fine in JavaScript?


I haven't tested your rule yet, but I have a comment: you are trying a bit 
too hard. Don't worry about matching all the way to the end of the 
comment. You don't care about gibberish past the first 100 words. Just 
make sure that the rule does not match the --> comment-end token, and stop 
at 100 matched words. Past that it doesn't matter.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 4 days until the 68th anniversary of the end of World War II


Re: New spam rule for specific content

2013-08-11 Thread Amir 'CG' Caspi

At 6:56 PM -0700 08/11/2013, John Hardin wrote:

I'm also going to make FP-avoidance changes that should also help.


Care to share? =)


Just make sure that the rule does not match the --> comment-end token


I tried doing that and it caused SA to hang... couldn't figure out 
why the regex wasn't working, but for whatever reason, it wasn't.  I 
figured it was easier to just match the entire comment.
	Is there any particular reason to NOT match the entire 
comment?  That is, does it save resources (CPU, RAM, etc.) to match 
only partial content?


Note that you do want to allow HTML tags within the comment... my 
rule doesn't actually allow that, but I've seen spams with HTML tags 
(mostly <p> and <div>) in the comments... we don't want to exclude 
those.


Care to post your updated rule?

Either way, I would still love to know why my rule isn't hitting on this...

Thanks.

--- Amir


Re: New spam rule for specific content

2013-08-11 Thread John Hardin

On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:


At 9:31 PM -0400 08/11/2013, Alex wrote:

Are you using sqlgrey? If not, it's incredible and you should try it.


I have not implemented any sort of greylisting yet.  I can't use sqlgrey 
because I don't use postfix... my server runs sendmail.  I'm sure there are 
some good sendmail-compatible greylisters but I haven't tried them yet...


milter-greylist is what I use, it seems to do the job, and it does reduce 
the spam volume.



I'm a bit worried about legitimate email getting bounced.


The only problem would be with a sending MTA that either is badly 
misconfigured or cannot properly deal with a tempfail result and either 
bounces the message as undeliverable or (worse) quietly drops it.


Sadly there are some major players with this problem who are apparently 
uninterested in fixing their systems. I suggest you do a bit of research 
on whitelists for greylisting before implementation. You would also 
probably want to whitelist known regular correspondents.


There's also the need to set your users' expectations. They should be 
trained that email is *not*, and is not intended to be, instantaneous.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 4 days until the 68th anniversary of the end of World War II
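To make the tempfail and whitelist behaviour John describes concrete, here is an added Python example (not milter-greylist code, and not from this thread) of the core greylisting decision: a (client IP, sender, recipient) triplet gets a 4xx on first contact and is accepted once it retries after the delay, while whitelisted networks and sender domains, the escape hatch for sending MTAs that bounce or drop on a tempfail, are never delayed. The delay value, the whitelist entries, the addresses and the response strings are constructed for the example.

```python
import ipaddress

# Assumed policy values (constructed for this example, not any greylister's defaults).
GREYLIST_DELAY = 300                                      # seconds a new triplet must wait
WHITELIST_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # a large sender known not to retry
WHITELIST_DOMAINS = {"partner.example"}                   # known regular correspondents

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    """Minimal greylisting decision keyed on the (client IP, sender, recipient) triplet."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}   # triplet -> time of the first delivery attempt
        self.passed = set()    # triplets that completed the delay (auto-whitelist)

    def decide(self, client_ip, sender, recipient, now):
        ip = ipaddress.ip_address(client_ip)
        # Whitelisted networks and domains never see a tempfail; this is where the
        # MTAs that cannot cope with a 4xx have to be listed.
        if any(ip in net for net in WHITELIST_NETS):
            return ACCEPT
        if sender.rsplit("@", 1)[-1].lower() in WHITELIST_DOMAINS:
            return ACCEPT
        key = (str(ip), sender.lower(), recipient.lower())
        if key in self.passed:
            return ACCEPT
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            self.passed.add(key)   # a retry after the delay proves a real MTA is behind this
            return ACCEPT
        return TEMPFAIL


def demo():
    """Replay constructed delivery attempts (time in seconds); returns the responses."""
    g = Greylist()
    attempts = [
        ("203.0.113.5", "list@news.example", "user@example.invalid", 0),     # first contact
        ("203.0.113.5", "list@news.example", "user@example.invalid", 120),   # retried too early
        ("203.0.113.5", "list@news.example", "user@example.invalid", 600),   # retry after delay
        ("203.0.113.5", "list@news.example", "user@example.invalid", 601),   # now auto-whitelisted
        ("192.0.2.10", "noreply@big.example", "user@example.invalid", 0),    # whitelisted network
        ("198.51.100.7", "bob@partner.example", "user@example.invalid", 0),  # whitelisted domain
    ]
    return [g.decide(*a) for a in attempts]


if __name__ == "__main__":
    for response in demo():
        print(response)
```

A sender that never retries never reaches ACCEPT, which is where the spam reduction comes from; the cost is exactly the one John names, a delay on first contact, which is why users need to know that delivery is not instantaneous.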


Re: New spam rule for specific content

2013-08-11 Thread John Hardin

On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:


At 6:56 PM -0700 08/11/2013, John Hardin wrote:

I'm also going to make FP-avoidance changes that should also help.


Care to share? =)


Everything is publicly visible in my sandbox:
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/

The results for the rule set are here:
http://ruleqa.spamassassin.org/detail?rule=%2FCOMMENT_GIBBERISHsrcpath=jhardin


Just make sure that the rule does not match the --> comment-end token


I tried doing that and it caused SA to hang... couldn't figure out why the 
regex wasn't working, but for whatever reason, it wasn't.


The unbounded matches you're using probably caused the RE engine to get 
stuck backing off and retrying. REs are by default greedy, they try to 
match as much as possible.


In general it is a *VERY BAD* idea to use * or + in SA REs; they are 
only really safe in rules that process data that is already limited in 
size, like uri rules or header rules that look at a specific header. Make 
it a habit to use bounded matches, {0,n} rather than * and {1,n} rather 
than +. The upper bound of {n} will limit how much the engine will back 
off and retry.


Our rules are similar, take a look at what I have in the sandbox.


I figured it was easier to just match the entire comment.
	Is there any particular reason to NOT match the entire comment?  That 
is, does it save resources (CPU, RAM, etc.) to match only partial content?


It does. The less text you match beyond what you need to, the less 
processing is performed. Nothing is done with the matched text, so the 
extra work done matching all the way to the end of the comment is wasted.


Note that you do want to allow HTML tags within the comment... my rule 
doesn't actually allow that, but I've seen spams with HTML tags (mostly <p> 
and <div>) in the comments... we don't want to exclude those.


Yuck. Can you pastebin spamples, if you still have them?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.   -- Robert A. Matern
---
 4 days until the 68th anniversary of the end of World War II
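Putting John's advice against Amir's posted rule, the following Python is an added example (not from this thread, not SpamAssassin code, and written against Python's re rather than Perl): one version of the comment-gibberish check with every quantifier bounded, a per-character lookahead that refuses to consume the --> terminator as if it were a word, and a match that stops at the hundredth word; and a second version that locates each comment first and counts words after blanking tags, so the <p>/<div> case Amir raised still counts and no backtracking is involved at all. The per-word and whitespace bounds, the helper names and the sample body are my assumptions.

```python
import re

MIN_WORDS = 100  # same threshold as the rule discussed in the thread

# Bounded regex version of the HTML_COMMENT_GIBBERISH idea. Compared with the posted
# rule: every quantifier has an upper bound (40 chars per word, 10 whitespace chars
# between words; both limits are assumptions), the lookahead (?!--) stops a run of
# hyphens such as the "-->" terminator from being eaten as a word, and the match ends
# after exactly MIN_WORDS words instead of running on to the end of the comment.
GIBBERISH_RE = re.compile(
    r"<!--\s{0,10}(?:(?:(?!--)[\w'?!.:;-]){1,40}\s{1,10}){%d}" % MIN_WORDS
)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]{1,200}>")


def regex_hits(html):
    """How many times the bounded regex fires (what 'tflags multiple' would count)."""
    return len(GIBBERISH_RE.findall(html))


def long_comments(html, min_words=MIN_WORDS):
    """Word counts of every comment holding at least min_words words.
    Each comment is located first, then tags inside it are blanked, so text wrapped
    in <p> or <div> inside the comment still counts."""
    counts = []
    for m in COMMENT_RE.finditer(html):
        text = TAG_RE.sub(" ", m.group(1))
        n = len(text.split())
        if n >= min_words:
            counts.append(n)
    return counts


def _words(n):
    """Constructed filler: n distinct short words separated by single spaces."""
    return " ".join(f"w{i}" for i in range(n))


# Constructed message body: a long plain comment, a short one, and a long one whose
# words are wrapped in tags (the case the regex version cannot see).
SAMPLE = (
    "<html><body>\n"
    "<!-- " + _words(150) + " -->\n"
    "<p>Your package has been delivered.</p>\n"
    "<!-- " + _words(20) + " -->\n"
    "<!-- <p>" + _words(60) + "</p><div>" + _words(60) + "</div> -->\n"
    "<img src=\"cid:offer\">\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print("regex hits:", regex_hits(SAMPLE))
    print("long comments (word counts):", long_comments(SAMPLE))
```

On the sample the regex fires once (the first comment) and misses the third because its first token is a tag, while the comment scanner reports both long comments and ignores the 20-word one. The scanner is the shape to prefer in a rawbody-style check: the work is proportional to the text length, and nothing past the threshold needs to be matched.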


Re: New spam rule for specific content

2013-08-11 Thread Amir 'CG' Caspi

At 7:20 PM -0700 08/11/2013, John Hardin wrote:
The unbounded matches you're using probably caused the RE engine to 
get stuck backing off and retrying.


That's what I figured.  That's why I changed things to the current 
version, which is bounded by the end-tag of the comment.  My 
current version doesn't take long to run.




Yuck. Can you pastebin spamples, if you still have them?


Here's one that comes to mind:

http://pastebin.com/zVEH2h02

I have a couple of others but they look like they're from the same 
template, so I don't think it's useful to post.


--- Amir


Re: New spam rule for specific content

2013-08-11 Thread John Hardin

On Sun, 11 Aug 2013, Amir 'CG' Caspi wrote:


At 7:20 PM -0700 08/11/2013, John Hardin wrote:

Yuck. Can you pastebin spamples, if you still have them?


Here's one that comes to mind:

http://pastebin.com/zVEH2h02


That's going to be problematic as the comment isn't gibberish, it's a 
bunch of properly-formed sentences.


However, I may be taking too-conservative a stance here. It's possible 
that, while HTML comments can appear in ham, *long* HTML comments won't, 
and the fact that we're looking for long blocks of comment text is enough 
safety.


I'll play around with that sample and see what happens.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  [People] are socialists because they are blinded by envy and
  ignorance.-- economist Ludwig von Mises (1881-1973)
---
 4 days until the 68th anniversary of the end of World War II


Re: New spam rule for specific content

2013-08-11 Thread Amir 'CG' Caspi

At 8:23 PM -0700 08/11/2013, John Hardin wrote:
However, I may be taking too-conservative a stance here. It's 
possible that, while HTML comments can appear in ham, *long* HTML 
comments won't, and the fact that we're looking for long blocks of 
comment text is enough safety.


That's my feeling.  You'll notice my rule is dumb: it's simply 
looking for a bunch of stuff in a comment.  My main feeling is that 
if anyone is sending HTML email with LOTS of stuff commented out, 
that email is almost certainly spam.  Ham HTML email would probably 
be done with more care.


Yes, there's the chance for FPs, if some company decides to send a 
legitimate (ham, opt-in, etc.) HTML email from a badly-written 
template where the designer was a lazy bum and left giant 
commented-out sections... but would you really want such an email 
anyway? ;-)


Thanks.

--- Amir


Re: New spam rule for specific content

2013-08-10 Thread Amir 'CG' Caspi

At 10:41 AM -0700 08/09/2013, John Hardin wrote:

Can you provide a spample or two?


Sure.
http://pastebin.com/VfSCB7fw
http://pastebin.com/VCtvzjzV

Note the outl and outi links near the very bottom.  The actual 
domains used in these URIs vary... they used to be .pw, but recently 
most have been .biz (though I've also seen some .mobi and I think 
some .tv and even some .us).


Note that both of these hit BAYES_50... and that's pretty common for 
these spams.  For whatever reason, I don't know why, they seem to 
only hit BAYES_50 and very rarely get higher scores (occasionally 
they will get lower scores, too).  Perhaps it's because most of the 
spam is actually in the embedded image, rather than in rendered 
text...


These are also great examples of the HTML comment gibberish that 
pervades all of these spams.  If you have time, it would be great if 
you could adapt your STYLE_GIBBERISH rules to catch HTML comment 
gibberish.  (Presumably, you'd want to make sure the gibberish is 
sufficiently long, too.)


They can be added but unless such spams appear in the masscheck 
corpora the rules won't be scored and distributed.


No idea if they're in the masscheck corpora... but I and my users 
have been getting them for months.  I imagine they're relatively 
widespread...


Thanks.

--- Amir


Re: New spam rule for specific content

2013-08-10 Thread Amir 'CG' Caspi

At 10:41 AM -0700 08/09/2013, John Hardin wrote:

Can you provide a spample or two?


Looks like a similar spam method has come out in recent weeks (since 
Jul 30, it seems) that uses slightly different footers... example is 
here:


http://pastebin.com/QCmSPzwG

Although running SA on this spam _NOW_ yields a high score beyond the 
spam threshold, this is almost entirely because additional network 
tests are now hitting (extra RBLs + Razor).  This was not the case 
when the spam was first processed... looks like I was one of the 
earlier recipients.


For this type, looks like a good match would be on the combo of 
/land/ + /unsub/ + /report/ ... I have modified my rule from 
yesterday as follows:


# Spammy URI patterns
uri __OUTL_URI  /\/outl\b/
uri __OUTI_URI  /\/outi\b/
uri __LAND_URI  /\/land\//
uri __UNSUB_URI /\/unsub\//
uri __REPORT_URI    /\/report\//
meta SPAMMY_URI_PATTERNS    ((__OUTL_URI && __OUTI_URI) || (__LAND_URI && __UNSUB_URI && __REPORT_URI))

describe SPAMMY_URI_PATTERNS    link combos match highly spammy template
score SPAMMY_URI_PATTERNS   3

This modification hits both types of templates.  I will very likely 
be adding further spammy patterns to this rule over time.  I'll 
keep the list posted if I find some other good ones.



It looks like both this and the previous type of spam are bypassing 
Bayes by embedding images and using no rendered text.  Well, not NO 
text, but very little, mostly a successful delivery message and the 
unsub/report links.  That is, Bayes sees absolutely no spammy text, 
just the image which it cannot decode as spammy.


Are there any rules which can hit on only embedded images with very 
little text ??  Not entirely sure how to capture this since it's 
difficult to determine what is not much text and there is certainly 
the potential for FPs that way (for example, anyone in the design 
field sending images to clients without much text, etc.)...


But, these types of spams are bypassing SA consistently, to the tune 
of tens per day per user.  I would really love a way to stop them 
besides hardcoding a rule based on their link syntax, which can be 
easily changed during the next iteration of their spam template.


(The HTML comment gibberish rule would be a big step here, since 
that's one of the few things that would distinguish this from ham... 
unlikely that a real person would embed tens of KB of comment 
gibberish.)


Thanks.

--- Amir
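The meta rule in Amir's post only fires when the URIs occur in combination, which is what keeps a lone /unsub/ link in a legitimate newsletter from scoring. As an added Python example (not SpamAssassin's own uri/meta implementation, and not from the thread), the block below evaluates the same five sub-rules over the links pulled out of a constructed HTML body and combines them with the same boolean logic; the host names, the HTML sample and the function names are constructed.

```python
import re

# Same sub-rules as the posted SPAMMY_URI_PATTERNS rule, as Python regexes.
SUBRULES = {
    "__OUTL_URI": re.compile(r"/outl\b"),
    "__OUTI_URI": re.compile(r"/outi\b"),
    "__LAND_URI": re.compile(r"/land/"),
    "__UNSUB_URI": re.compile(r"/unsub/"),
    "__REPORT_URI": re.compile(r"/report/"),
}

# Assumption: links are taken from href attributes only; SpamAssassin's own URI
# extraction also finds bare URLs in text, which this example does not attempt.
HREF_RE = re.compile(r"""href=["']([^"']{1,2000})["']""", re.IGNORECASE)


def extract_uris(html):
    """All href targets in document order."""
    return HREF_RE.findall(html)


def subrule_hits(uris):
    """Which sub-rules fire over the whole list (a uri rule hits if any URI matches)."""
    return {name: any(rx.search(u) for u in uris) for name, rx in SUBRULES.items()}


def spammy_uri_patterns(uris):
    """The meta rule: (outl && outi) || (land && unsub && report)."""
    h = subrule_hits(uris)
    return (h["__OUTL_URI"] and h["__OUTI_URI"]) or (
        h["__LAND_URI"] and h["__UNSUB_URI"] and h["__REPORT_URI"]
    )


# Constructed samples; the host names are documentation names, not the domains
# seen in the thread's pastebins.
SPAM_HTML = (
    '<html><body><img src="cid:offer">'
    "<p>Your delivery was successful.</p>"
    '<a href="http://track.example.biz/land/8f2a">view</a> '
    '<a href="http://track.example.biz/unsub/8f2a">unsubscribe</a> '
    '<a href="http://track.example.biz/report/8f2a">report</a>'
    "</body></html>"
)
SPAM_URIS = [
    "http://track.example.biz/land/8f2a",
    "http://track.example.biz/unsub/8f2a",
    "http://track.example.biz/report/8f2a",
]
HAM_NEWSLETTER_URIS = [
    "https://news.example.org/unsub/abc",
    "https://news.example.org/article/123",
]

if __name__ == "__main__":
    print("spam sample:", spammy_uri_patterns(extract_uris(SPAM_HTML)))
    print("newsletter:", spammy_uri_patterns(HAM_NEWSLETTER_URIS))
```

The \b after outl and outi is doing real work: /outl?id=1 hits while /outline does not, which is the difference between a template marker and an ordinary path segment.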


Re: New spam rule for specific content

2013-08-10 Thread John Hardin

On Sat, 10 Aug 2013, Amir 'CG' Caspi wrote:

It looks like both this and the previous type of spam are bypassing Bayes by 
embedding images and using no rendered text.  Well, not NO text, but very 
little, mostly a successful delivery message and the unsub/report links. 
That is, Bayes sees absolutely no spammy text, just the image which it 
cannot decode as spammy.


Perhaps it's time to bring FuzzyOCR up-to-date...?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The social contract exists so that everyone doesn't have to squat
  in the dust holding a spear to protect his woman and his meat all
  day every day. It does not exist so that the government can take
  your spear, your meat, and your woman because it knows better what
  to do with them.   -- Dagny @ Ace of Spades
---
 5 days until the 68th anniversary of the end of World War II


Re: New spam rule for specific content

2013-08-10 Thread Amir 'CG' Caspi

At 2:17 PM -0700 08/10/2013, John Hardin wrote:


Perhaps it's time to bring FuzzyOCR up-to-date...?


Is this something I need to manually update or something that needs 
updating in the SA distribution?


Thanks.

--- Amir


Re: New spam rule for specific content

2013-08-10 Thread John Hardin

On Sat, 10 Aug 2013, Amir 'CG' Caspi wrote:


At 2:17 PM -0700 08/10/2013, John Hardin wrote:


Perhaps it's time to bring FuzzyOCR up-to-date...?


Is this something I need to manually update or something that needs updating 
in the SA distribution?


FuzzyOCR was a SA plugin a few years back. It would pass images through 
OCR and, IIRC, pull words out of them into the generated body that SA 
scans.


Spammers moved away from putting their spams into images, so it fell out 
of use, and I don't think it works with the current release of SA. Also, 
Passing all attached images through OCR is a fairly heavy-weight process.


Now spammers seem to be moving back towards image spams, at least to a 
degree.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...in the 2nd amendment the right to arms clause means you have
  the right to choose how many arms you want, and the militia clause
  means that Congress can punish you if the answer is none.
-- David Hardy, 2nd Amendment scholar
---
 5 days until the 68th anniversary of the end of World War II


Re: New spam rule for specific content

2013-08-09 Thread John Hardin

On Fri, 9 Aug 2013, Amir 'CG' Caspi wrote:

	A number of my users have been receiving spam formatted in a very 
specific way which seems to very often miss Bayes...


Can you provide a spample or two?


I recommend this rule be added to the general distribution.


They can be added but unless such spams appear in the masscheck corpora 
the rules won't be scored and distributed.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---
 6 days until the 68th anniversary of the end of World War II


Re: New spam rule for specific content

2013-08-09 Thread RW
On Fri, 9 Aug 2013 11:19:08 -0600
Amir 'CG' Caspi wrote:

   A number of my users have been receiving spam formatted in a 
 very specific way which seems to very often miss Bayes... I don't 
 know why, whether it's because of the HTML gibberish flooding Bayes 
 with useless tokens (to reduce the relative strength of the spammy 
 tokens), or if it's just the specific content isn't sufficiently 
 spammy (or has sufficient ham to balance) to pop.

BAYES works on rendered text; it doesn't see the HTML.


 (Like many other users here, I've also increased the Bayes scores for 
 Bayes99, and created a Bayes999 with even higher scoring... it might 
 be time to add that to the general distribution, too.)

Do you actually get a significant amount of ham between 0.99 and 0.999?
Personally I only get 1 in 1000 above 0.55, and nothing above 0.65.


Re: New spam rule for specific content

2013-08-09 Thread Amir 'CG' Caspi
On Fri, August 9, 2013 1:01 pm, RW wrote:
 BAYES works on rendered text; it doesn't see the HTML.

Hmmm.  It doesn't see HTML comments, which would appear in rendered HTML
source even though they are invisible?  OK, in that case, I have NO idea
why the spam isn't hitting Bayes, because it looks pretty damn spammy to
me.  I wonder if it's the heavy use of images, but I don't know.

 Do you actually get a significant amount of ham between 0.99 and 0.999?
 Personally I only get 1 in 1000 above 0.55, and nothing above 0.65.

Ham, absolutely not.  So yes, I suppose I could just treat all Bayes99 as
if it were Bayes999 and score it more highly than I do.  Right now I have
Bayes99 at 4, Bayes999 at 4.5.  I could eliminate Bayes999 and make
Bayes99 score 4.5... but I do worry a little bit about FPs, even though I
guess I shouldn't, statistically speaking.

On the other hand, one could consider making Bayes999 a poison pill. 
Generally spam will only rank there if you've learned something nearly
identical to it.  At that point, perhaps it might be worth just scoring it
with 5 or higher (assuming your threshold is 5, as mine is).

--- Amir



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-05 Thread Jason L Tibbitts III
 DS == Dan Schaefer d...@performanceadmin.com writes:

DS I'm glad to see this SPAM traffic has come to a halt. At least on my
DS mail server...

Yes, I haven't seen any of those spams since the morning of the 31st.
My servers were rejecting them like mad right up until that point in
time (10:30CDT), and then nothing.

 - J


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-05 Thread Michelle Konzack
Good morning *,

Am 2009-08-04 13:51:24, schrieb Jason L Tibbitts III:
  DS == Dan Schaefer d...@performanceadmin.com writes:
 
 DS I'm glad to see this SPAM traffic has come to a halt. At least on my
 DS mail server...
 
 Yes, I haven't seen any of those spams since the morning of the 31st.
 My servers were rejecting them like mad right up until that point in
 time (10:30CDT), and then nothing.

I have seen exactly the same. I was hit by more than 200.000 spams per
day of this kind and had a relatively high CPU load (4) on my five
Sun Fire X4100M2 servers, and it was more or less gone from one hour to
the next...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator

Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/             Michelle Konzack
http://www.can4linux.org/               c/o Vertriebsp. KabelBW
http://www.flexray4linux.org/           Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de     77694 Kehl/Germany
IRC #Debian (irc.icq.com)               Tel. DE: +49 177 9351947
ICQ #328449886                          Tel. FR: +33  6  61925193




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-04 Thread Dan Schaefer
I'm glad to see this SPAM traffic has come to a halt. At least on my 
mail server...


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-04 Thread Michelle Konzack
Hi Dan and *,

Am 2009-08-04 14:37:46, schrieb Dan Schaefer:
 I'm glad to see this SPAM traffic has come to a halt. At least on my  
 mail server...

They have seen that our spamassassin is working very efficiently. I get
only one or two spams per day... which are caught by SA of course.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/             Michelle Konzack
http://www.can4linux.org/               c/o Vertriebsp. KabelBW
http://www.flexray4linux.org/           Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de     77694 Kehl/Germany
IRC #Debian (irc.icq.com)               Tel. DE: +49 177 9351947
ICQ #328449886                          Tel. FR: +33  6  61925193




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Daniel J McDonald
On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
 It's catching on :-)

this new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...

How about:

body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{0,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED46 (__MED_OB && !__MED_NOT_OB)
describe AE_MED46 Shorter rule to catch spam obfuscation
score AE_MED46 4.0

-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com
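The AE_MED46 rule above translated to Python, as an added example that is not part of the original post, to show what the meta's negation buys: a plain www.shop45.com style host hits __MED_NOT_OB and is left to the URIBL tests, while the spaced-out and "dot" variants fire AE_MED46. The POSIX character classes are expanded because Python's re module lacks them, and the sample bodies are constructed.

```python
import re
import string

# AE_MED46 from the list post, translated to Python (added example, not the
# original Perl rule). POSIX classes are expanded because re lacks them:
#   [[:punct:]] -> string.punctuation, [[:space:]] -> \s, [[:alpha:]] -> [A-Za-z]
PUNCT = re.escape(string.punctuation)

# (?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})
SEP = (r"(?:[" + PUNCT + r"\s]{1,5}"
       + r"|[" + PUNCT + r"\s]{1,3}dot[" + PUNCT + r"\s]{1,3})")

# body __MED_OB: www, an obfuscated separator, a short label ending in 2-6
# digits, another separator, and a possibly spaced-out com/net/org.
MED_OB = re.compile(
    r"\bw{2,3}" + SEP + r"[A-Za-z]{0,6}\d{2,6}" + SEP
    + r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[" + PUNCT + r"]?\b",
    re.IGNORECASE,
)

# body __MED_NOT_OB: the same shape written as a plain, dotted host name.
MED_NOT_OB = re.compile(
    r"\bw{2,3}\.[A-Za-z]{0,6}\d{2,6}\.(?:com|net|org)\b", re.IGNORECASE
)


def evaluate(body):
    """Return the three rule results for one message body.

    meta AE_MED46 (__MED_OB && !__MED_NOT_OB): fire only on the obfuscated
    form; a plain host name is left to the URIBL tests instead.
    """
    ob = MED_OB.search(body) is not None
    not_ob = MED_NOT_OB.search(body) is not None
    return {"__MED_OB": ob, "__MED_NOT_OB": not_ob, "AE_MED46": ob and not not_ob}


def ae_med46(body):
    """True when the message would collect the 4.0 points of AE_MED46."""
    return evaluate(body)["AE_MED46"]


if __name__ == "__main__":
    # Constructed sample bodies, not real spam from the list.
    for sample in ("Visit www . shop45 . c o m today",
                   "www dot shop45 dot net",
                   "www.shop45.com",
                   "Check www5.example.com"):
        print(repr(sample), "->", evaluate(sample))
```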


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this 
email as spam


I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be 
hitting anything currently.


http://pastebin.com/m40f7cff4

This is not an obfuscated domain.  You can see that it hit two URIBLs 
- JP and WS.  I would have expected it to be in URIBL_BLACK (or at 
least GOLD) as well as Invaluement's URIBL.  There are plenty of 
mechanisms to catch valid URIs - that's not the purpose of the 
obfuscation rules.


And, you still got 15 points - so, what's the problem?

Relax. I don't have a problem. I was just pointing out a potential flaw. 
I was just trying to help out. I just misunderstood the whole blacklist 
thing, that's all.


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



It means that if you were using BL at MTA level your SA might never have seen 
the message at all.

No your rule would not be overlooked 'because the site is in a blacklist' 
*unless* you were using the BL in your MTA and rejected the transaction from a 
blacklisted IP address and, thus, never submitted it to SA at all.

  
If this is the case, then why does my email have the X-* headers in it? 
I have nothing in my postfix header_checks to discard the BL rules. Does 
anyone have a detailed flow chart of SA/postfix setup and describes 
blacklisting? Or even a webpage describing the process?


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Bowie Bailey

Dan Schaefer wrote:


It means that if you were using BL at MTA level your SA might never 
have seen the message at all.


No your rule would not be overlooked 'because the site is in a 
blacklist' *unless* you were using the BL in your MTA and rejected 
the transaction from a blacklisted IP address and, thus, never 
submitted it to SA at all.


  
If this is the case, then why does my email have the X-* headers in 
it? I have nothing in my postfix header_checks to discard the BL 
rules. Does anyone have a detailed flow chart of SA/postfix setup and 
describes blacklisting? Or even a webpage describing the process?


It's very simple with Postfix or any other MTA.

1) Connection request comes to Postfix.
2) Postfix checks the sending server against its blacklists.  If it 
matches, the mail is refused.
3) Postfix checks its normal rules and if the sender/recipient/etc is 
ok, the message is accepted.

4) Postfix sends the message to SA.
5) SA scores the message and returns it to Postfix (SA blacklists simply 
score 100 points).
6) Postfix can now deliver, quarantine or delete the message based on 
the score or spam/ham designation returned by SA.


--
Bowie


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Charles Gregory

On Wed, 22 Jul 2009, Dan Schaefer wrote:

For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this 
email as spam

http://pastebin.com/m40f7cff4


The URI is not obfuscated, therefore it triggered the URIBL tests 
properly (and scored 3 additional points from them).


- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Martin Gregorie
Dan Schaefer wrote:

 If this is the case, then why does my email have the X-* headers in 
 it? I have nothing in my postfix header_checks to discard the BL 
 rules. Does anyone have a detailed flow chart of SA/postfix setup and 
 describes blacklisting? Or even a webpage describing the process?
 
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
sender site that scans for outgoing spam, hasn't already added X-*
headers to the message?


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
sender site that scans for outgoing spam, hasn't already added X-*
headers to the message?


Martin

  

No. Is that even possible to track down?

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



 Are you quite sure that an upstream copy of SA, e.g. in your ISP or at
 a sender site that scans for outgoing spam, hasn't already added X-*
 headers to the message?


No. Is that even possible to track down?


There would probably be an X-Spam-Checker-Version header in your 
inbound mail stream.


X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on 
pony.performanceadmin.com


That is my server.

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread John Hardin

On Thu, 23 Jul 2009, Dan Schaefer wrote:


 Are you quite sure that an upstream copy of SA, e.g. in your ISP or at
 a sender site that scans for outgoing spam, hasn't already added X-*
 headers to the message?


No. Is that even possible to track down?


There would probably be an X-Spam-Checker-Version header in your inbound 
mail stream.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security and Absolute Safety are unattainable; beware
  those who would try to sell them to you, regardless of the cost,
  for they are trying to sell you your own slavery.
---
 12 days since a sunspot last seen - EPA blames CO2 emissions


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Martin Gregorie
On Thu, 2009-07-23 at 12:25 -0400, Dan Schaefer wrote:
  Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
  sender site that scans for outgoing spam, hasn't already added X-*
  headers to the message?
 
 
  Martin
 

 No. Is that even possible to track down?
 
Sure - look at any incoming message's headers to see if there are any
that didn't come from your copy of SA. Each set has an
X-Spam-Checker-Version header that gives the name of the SA host that
added that header set. If that's a possibility, just make sure your
filter ignores header sets that aren't yours. AFAIK your SA header set
is always the first in the message headers.


Martin
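The header check Martin describes, as an added Python example that is not from the original post: list the host named in each X-Spam-Checker-Version header, in order, so a header set that is not yours stands out. The message is constructed; apart from the list's own pony.performanceadmin.com, the host names are placeholders.

```python
import email
import re

# Constructed sample: two X-Spam-Checker-Version header sets, the first added
# by the local SA host, the second by an upstream scanner (placeholder name).
SAMPLE_MESSAGE = (
    "X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on\n"
    "\tpony.performanceadmin.com\n"
    "X-Spam-Status: No, score=1.2 required=5.0\n"
    "Received: from upstream-scanner.isp.example by pony.performanceadmin.com\n"
    "X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on\n"
    "\tupstream-scanner.isp.example\n"
    "X-Spam-Status: Yes, score=7.1 required=5.0\n"
    "From: sender@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# The host is the last token after "on"; the header may be folded, so the
# whitespace between "on" and the host can include a newline plus tab.
_HOST_RE = re.compile(r"\bon\s+([A-Za-z0-9.-]+)\s*$")


def spam_checker_hosts(raw_message):
    """Host named in each X-Spam-Checker-Version header, in header order."""
    msg = email.message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("X-Spam-Checker-Version", []):
        m = _HOST_RE.search(value)
        hosts.append(m.group(1).lower() if m else None)
    return hosts


def foreign_checker_hosts(raw_message, my_host):
    """Header sets added by some SA other than my_host (case-insensitive)."""
    return [h for h in spam_checker_hosts(raw_message) if h != my_host.lower()]


if __name__ == "__main__":
    print(spam_checker_hosts(SAMPLE_MESSAGE))
    print(foreign_checker_hosts(SAMPLE_MESSAGE, "pony.performanceadmin.com"))
```

Run this on a copy of the message taken before the local SA adds its own set, or rely on the second function to discount your own host.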
 



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread John Hardin

On Thu, 23 Jul 2009, Dan Schaefer wrote:

Are you quite sure that an upstream copy of SA, e.g. in your ISP 
or at a sender site that scans for outgoing spam, hasn't already 
added X-* headers to the message?
 
  No. Is that even possible to track down?


 There would probably be an X-Spam-Checker-Version header in your
 inbound mail stream.


X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on 
pony.performanceadmin.com


That is my server.


You'd have to check for that _before_ your local SA got a crack at the 
message. Whether you can grab a copy of mail before SA depends on your 
glue.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 12 days since a sunspot last seen - EPA blames CO2 emissions


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Kevin Parris
(apologies for top posting, but the email software here does not really do 
quoting in a way that works out well otherwise)

If your mail contains SpamAssassin headers then it was (obviously) processed 
through SpamAssassin.  Just because you have BL checks in your MTA does not 
necessarily mean that all spam items will be blocked at that level.  Lots of 
spam can pass some BL checks and then be scored high as the result of other 
things.

My comments were not meant to say that BL checks stop spam.  I was responding 
specifically to your inquiry about a rule being 'overlooked' if there happened 
to be a message it would hit that also had something in it that would hit a 
blacklist too.  I think you're reading too much complexity into things.  Or 
maybe not enough.

The basic idea is something like this:

 a) You have some stuff specified for Postfix to do, it starts doing those 
things, and if it gets through them (without deciding to reject the message) to 
the point where you specify a call to SA, then it passes the item to SA for 
scoring.

 b)  SA applies the rules (which usually include querying various blacklists 
based on things found within the message) and tallies up the score, then it 
gives the results to whatever asked it to analyze the message.

 c)  Then whatever that was (in your case, Postfix) looks at the results and 
decides what to do next, based on what you specified for it.

SpamAssassin does not block mail.  SpamAssassin analyzes a message and assigns 
a score.   Mail handlers reject/quarantine/discard/deliver mail.  SpamAssassin 
is not a mail handler.

If you don't understand the effects of entries in your Postfix configuration, 
you probably will get better assistance in a Postfix-specific forum.

 Dan Schaefer d...@performanceadmin.com 07/23/09 10:22 AM 

 It means that if you were using BL at MTA level your SA might never have seen 
 the message at all.

 No your rule would not be overlooked 'because the site is in a blacklist' 
 *unless* you were using the BL in your MTA and rejected the transaction from 
 a blacklisted IP address and, thus, never submitted it to SA at all.

   
If this is the case, then why does my email have the X-* headers in it? I have 
nothing in my postfix header_checks to discard the BL rules. Does anyone have a 
detailed flow chart of SA/postfix setup and describes blacklisting? Or even a 
webpage describing the process?




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread twofers

Charles,
Because we CAN'T.
My point exactly. No matter what, with the current system of internet email, 
SPAM will never be stopped or filtered out completely. A completely new concept 
of verifying internet email would be required for that and unfortunately, that 
will never happen simply because It's all about the money and as far as this 
is concerned, it generates a revenue stream, it generates new technologies 
concepts and tax revenue. The governments not going to stifle that, the 
government is going to allow the industry to regulate itself, one way or the 
other...as long as it generates revenues and taxes. It's simply Capitalism at 
work.
SPAM email will never be completely eliminated, it will only, ever just be 
minimized based on the current system.
False positives, a fact of filtering that beckons for refinement, for tweaking 
and for precise detailing of the filter rules.
Even our Good Ideas are not fallible. Without the SPAMMERS knowledge of the 
rules, they are static and complacent. With the SPAMMERS knowledge of the 
rules, they are dynamic, correctable, upgradeable and ever so more restrictive 
and precise over time, designed to extract precisely a balance between the 
legitimate and non legitimate.
We can't fine-tune anything if we do not have a means of measuring our 
requirements. Eventually the SA rules will refine themselves to a precision 
that will be virtually impregnable by SPAMMERS. The sooner that happens the 
better and it will happen sooner as the SPAMMERS show us their means and they 
are adapted to our requirements.
I'm sure the powers that be who make SA public as it is did so for a reason, 
or were not expressly concerned over its exposure.
There is nothing the SPAMMERS can send that can't be filtered to a high degree. 
It's not about eliminating, it's about minimizing.
On Tue, 21 Jul 2009, twofers wrote:
  so why not let them show us what they've got, show us where we need to 
 make adjustments and corrections and in turn we will continue to refine our 
 process, ever so more, squeezing them out...inch by inch.  

Because we CAN'T. While the spammers are free to try ANY obfuscation or 
filter-dodging technique imaginable, we are always constrained to avoid false 
positives. So any time we share our 'good ideas' with them, they come closer to 
their 'goal' of finding the 'perfect' way to spam that we cannot filter...

And as a side note, I've noticed that I might have a rule in place, like my 
original, simple 'shopXX' rule, and it worked for me for a couple of weeks, 
until people started posting rules for it here. Then the more-complex 
obfuscations started
And we started correcting and upgrading and fine tuning our rules to meet those 
new requirements...all the while, the SPAMMERS were shooting themselves in the 
foot as far as their click rates were concerned...click rates their customers 
use to validate their expenses for that form of advertisement
I would venture to say that the SPAMMERS were grasping or otherwise just 
plain teasing as their return on investment was going straight into the 
toilet.

Wes


  

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Benny Pedersen

On Wed, July 22, 2009 13:16, twofers wrote:
 Because we CAN'T.

Obama says yes we can :)

 My point exactly. No matter what, with the current system of internet email,

just because main stream spammers are so clueless that they start using 
recipient equal to sender envelope says they never got used
to spf ?

 SPAM will never be stopped or filtered out completely.

wrong

 A completely new concept of verifying internet email would be required for 
 that and unfortunately,

as in dkim/spf no ?

 that will never happen simply because It's all about the money

spf and dkim is gpl

 and as far as this is concerned, it generates a revenue stream,

where ?

 it generates new technologies concepts and tax revenue.

where ?

 The governments not going to stifle that,

do governments use spf/dkim ?

 the government is going to allow the industry to regulate itself,

good :)

 one way or the otheras long as it generates revenues and taxes.

who gets the money ?

 It's simply Capitalism at work.

just stop paying

 SPAM email will never be completely eliminated,

wrong, we can close our email box also

 it will only, ever just be minimized based on the current system.

ah you now admit we can win ?

 False positives, a fact of filtering that beckon for refinement,

imho there is none if recipient add friends to his address book, and that 
addressbook is dumped to whitelist_auth in sa

 for tweaking and for precise detailing of the filters rules.

we already have too many rules in sa imho, it turns down to sender is known or 
not :/

 Even our Good Ideas are not fallible. Without the SPAMMERS knowledge of the 
 rules,

start thinking more on what spammers can't do for us might be the route to stop 
spammers for just get a bunch of new meds domains
with numbers in end, start using url that whitelist, but only apply white if 
there is no other url !

 they are static and complacent. With the SPAMMERS knowledge of the rules,

you believe that spammers using sa to test the spam runs ?, if yes why do i see 
80% spam mails get rejected with spf testing alone ?

 they are dynamic, correctable, upgradeable and ever so more restrictive and 
 precise over time,

well it's maybe correct that clever spammers can find another way of being 
clueless when using sa to test their spam goals, but it
will not make most sa installs not detect it as spam, bayes can catch anything

 designed to extract precisely a balance between the legitimate and non 
 legitimate.

bayes working

 We can't fine-tune anything if we do not have a means of measuring our 
 requirements.

correct, but if we make sure sender is not forged, and whitelist known senders, 
this is a start, if this is not done we have more
complex work to do before its possible to stop spam

also why there is so much new rules to stop new spam, its endless :/

 Eventually the SA rules will refine themselves to a precision that will be 
 virtually impregnable by SPAMMERS.

dkim is nice, but it creates lots of load to test this in mta since we need to 
receive whole email before dkim testing can be
tested :/

that's why I say go to spf

 The sooner that happens the better and it will happen sooner as the SPAMMERS 
 show us their means and they are adapted
 to our requirements. I'm sure the powers that be who make SA public as it 
 is did so for a reason,

its made public so any antispam users can commit rules to fight spammers where 
it hurts :)

 or were not expressly concerned over it's exposure.

maybe

 There is nothing the SPAMMERS can send that can't be filtered to a high 
 degree.

exactly

 It's not about eliminating, it's about minimizing.

agree

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Dan Schaefer

For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
spam

http://pastebin.com/m40f7cff4


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Benny Pedersen

On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
 For those of you that manage these rules,
 URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
 spam
 http://pastebin.com/m40f7cff4

reject it with rbl testing in mta, and its found in blacklist, reason it not 
found in obfu is that its not obfu :)

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Dan Schaefer

Benny Pedersen wrote:

On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
  

For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
spam
http://pastebin.com/m40f7cff4



reject it with rbl testing in mta, and its found in blacklist, reason it not 
found in obfu is that its not obfu :)

  
Does this mean that if I have a custom rule to search for exactly the 
via site, my rule will be overlooked because the site is in a blacklist?


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Benny Pedersen

On Wed, July 22, 2009 21:56, Dan Schaefer wrote:
 Does this mean that if I have a custom rule to search for exactly the
 via site, my rule will be overlooked because the site is in a blacklist?

what problem ?

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread McDonald, Dan
From: Dan Schaefer [mailto:d...@performanceadmin.com]

For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
spam

I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be hitting 
anything currently.

http://pastebin.com/m40f7cff4

This is not an obfuscated domain.  You can see that it hit two URIBLs - JP and 
WS.  I would have expected it to be in URIBL_BLACK (or at least GOLD) as well 
as Invaluement's URIBL.  There are plenty of mechanisms to catch valid URIs - 
that's not the purpose of the obfuscation rules.

And, you still got 15 points - so, what's the problem?

--
Dan




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Kevin Parris
It means that if you were using BL at MTA level your SA might never have seen 
the message at all.

No your rule would not be overlooked 'because the site is in a blacklist' 
*unless* you were using the BL in your MTA and rejected the transaction from a 
blacklisted IP address and, thus, never submitted it to SA at all.

And those rules did not hit on the message because there isn't anything in 
there that they are designed to find.  It does not represent another variation 
on the theme. But since there is a lot of other stuff that other rules did hit 
on, why are you worrying so much about just these few?

 Dan Schaefer d...@performanceadmin.com 07/22/09 3:56 PM 
Benny Pedersen wrote:
 On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
   
 For those of you that manage these rules,
 URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email 
 as spam
 http://pastebin.com/m40f7cff4 
 

 reject it with rbl testing in mta, and its found in blacklist, reason it not 
 found in obfu is that its not obfu :)

   
Does this mean that if I have a custom rule to search for exactly the 
via site, my rule will be overlooked because the site is in a blacklist?

-- 
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread twofers
Charles,
 
Although I understand your reservations, I feel in this case that it's best to 
lay it all out there and give it to them, let them do what they do. In my mind 
it's nothing more than flushing out the best they can offer and finding the 
loopholes, and closing them up.
 
There are more rules/ways to stop them than they have to defeat the rules and 
scoring process, so why not let them show us what they've got, show us where we 
need to make adjustments and corrections and in turn we will continue to refine 
our process, ever so more, squeezing them out...inch by inch.
 
We will accomplish that goal much quicker if the spammers show us where all our 
faults lie.
 
Wes
 
On Wed, 15 Jul 2009, MrGibbage wrote:
 I wonder if the spammers are reading this forum.  That seemed awful fast.

I'm sure they do. But I also suspect that they have a simple 'feedback' 
mechanism that lets them know how much of their spew is getting rejected
on their botnets, and when the rejection numbers get too high they try 
something new, and keep trying until the rejection numbers drop again.

Then we fix our rules, the rejections go up, and they look for yet another 
'trick' to get through. They have the advantage of being able to download their 
own copies of spamassassin to 'test' their spew. That's why sometimes you get 
'red herrings' from me on this list when I don't share the full details of a 
rule. Posting it here almost assures that it will get bypassed. They copy the 
rule, then try all sorts of different combinations to bypass it

Now really, the significant factor here is not that any of these obfuscation 
tricks are 'new', but that they are using them to bypass the URIBL rules. I 
strongly urge the spamassassin developers to consider ways to 'open up' the 
way that we can specify what SA will 'consider' a URI, or to be able to 
'capture' a value from an obfuscation test, manipulate it into its 'original' 
URI and then 'manually' submit it to the URIBL

Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl variables, 
and then feed them to a subsequent rule (in this case, a manual URIBL lookup). 
This way, the SA developers don't have to hard-code an ever-changing set of 
URI detection rules into the core code, but we can still develop on-the-fly 
rules that can feed a URI to the URIBL tests

I've heard people mention 'plugins'. Could I code one that would be
easily 'modifiable' so that (for example) this morning's '[dot]' trick can be 
quickly added to my plugin? Is there a good working example of a plugin that 
extracts text from a message and feeds it to a URI? I'll work on this!

- C



  

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread Charles Gregory

On Tue, 21 Jul 2009, twofers wrote:
 so why not let them show us what they've got, show us where we 
need to make adjustments and corrections and in turn we will continue to 
refine our process, ever so more, squeezing them out...inch by inch.  


Because we CAN'T. While the spammers are free to try ANY obfuscation or 
filter-dodging technique imaginable, we are always constrained to avoid 
false positives. So any time we share our 'good ideas' with them, they 
come closer to their 'goal' of finding the 'perfect' way to spam that we 
cannot filter...


And as a side note, I've noticed that I might have a rule in place, like 
my original, simple 'shopXX' rule, and it worked for me for a couple of 
weeks, until people started posting rules for it here. Then the 
more-complex obfuscations started


Further to my original post, I haven't read all of today's mail yet, but
I suspect there is not an answer yet to this question, but I wish to 
reiterate it, with a further comment. The comment is that I was looking at 
plugins and noticed that there was one to follow URI's that appear to be
redirects, and 'add' the target URI to the internal list of URI's to be 
run through the URIBL. I tried to look at the script to see if I could 
modify it to my purpose, but just can't figure it out. (sigh)


But it would be a good starting basis for the plugin I am hoping to see.

Original request:
 I strongly urge the spamassassin developers to consider ways to 
'open up' the way that we can specify what SA will 'consider' a URI, or 
to be able to 'capture' a value from an obfuscation test, manipulate it 
into its 'original' URI and then 'manually' submit it to the URIBL


Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECKIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl
variables, and then feed them to a subsequent rule (in this case, a manual
URIBL lookup). This way, the SA developers don't have to hard-code an
ever-changing set of URI detection rules into the core code, but we can
still develop on-the-fly rules that can feed a URI to the URIBL tests

I've heard people mention 'plugins'. Could I code one that would be
easily 'modifiable' so that (for example) this morning's '[dot]' trick can
be quickly added to my plugin? Is there a good working example of a plugin
that extracts text from a message and feeds it to a URI? I'll work on this!



- C

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread Karsten Bräckelmann
Sometimes I wished everyone getting involved in heated discussions and
proposals, also would carefully read any post with a related topic...


On Tue, 2009-07-21 at 11:29 -0400, Charles Gregory wrote:
 Further to my original post, I haven't read all of today's mail yet, but

FWIW, neither did I, as I am busy hacking -- and now live. ;)

 Original request:
   I strongly urge the spamassassin developers to consider ways to 
  'open up' the way that we can specify what SA will 'consider' a URI, or 
  to be able to 'capture' a value from an obfuscation test, manipulate it 
  into its 'original' URI and then 'manually' submit it to the URIBL

I did leak the other day, that I actually am hacking such a beast.

It works, but there's still some things to re-write properly. Stay
tuned. I'll announce it, when it is reasonably safe to use. Just be a
little bit patient, will ya? ;)

I was brief about this topic before, and I won't mention any details
today either. The above should be clear enough.

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread Charles Gregory

Sometimes I wished everyone getting involved in heated discussions and
proposals, also would carefully read any post with a related topic...
I did leak the other day, that I actually am hacking such a beast.


Sorry. Sometimes the mailbox overload is a bit much, and I just have to 
delete things which 'seem' outside the central topics I'm following.

Still very glad to hear that something is in the works... :)


It works, but there's still some things to re-write properly. Stay
tuned. I'll announce it, when it is reasonably safe to use. Just be a
little bit patient, will ya? ;)


(smile) Thanks.

- charles


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-16 Thread Charles Gregory

On Wed, 15 Jul 2009, MrGibbage wrote:

I wonder if the spammers are reading this forum.  That seemed awful fast.


I'm sure they do. But I also suspect that they have a simple 'feedback' 
mechanism that lets them know how much of their spew is getting rejected
on their botnets, and when the rejection numbers get too high they try 
something new, and keep trying until the rejection numbers drop again.


Then we fix our rules, the rejections go up, and they look for yet another 
'trick' to get through. They have the advantage of being able to download 
their own copies of spamassassin to 'test' their spew. That's why 
sometimes you get 'red herrings' from me on this list when I don't share 
the full details of a rule. Posting it here almost assures that it will 
get bypassed. They copy the rule, then try all sorts of different 
combinations to bypass it


Now really, the significant factor here is not that any of these 
obfuscation tricks are 'new', but that they are using them to bypass the 
URIBL rules. I strongly urge the spamassassin developers to consider ways 
to 'open up' the way that we can specify what SA will 'consider' a URI, or 
to be able to 'capture' a value from an obfuscation test, manipulate it 
into its 'original' URI and then 'manually' submit it to the URIBL


Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl 
variables, and then feed them to a subsequent rule (in this case, a manual 
URIBL lookup). This way, the SA developers don't have to hard-code an 
ever-changing set of URI detection rules into the core code, but we can 
still develop on-the-fly rules that can feed a URI to the URIBL tests


I've heard people mention 'plugins'. Could I code one that would be
easily 'modifiable' so that (for example) this morning's '[dot]' trick can 
be quickly added to my plugin? Is there a good working example of a plugin 
that extracts text from a message and feeds it to a URI? I'll work on 
this!


- C



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-15 Thread John Hardin

On Wed, 15 Jul 2009, MrGibbage wrote:


I wonder if the spammers are reading this forum.  That seemed awful fast.


Of course they are.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #20: The faster you finish the fight,
  the less shot you will get.
---
 Tomorrow: the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-14 Thread Hrothgar

Which of course means we've long since passed the point where any of  
these are going to do the spammers any good.  That's the frustrating  
part.

I thought that the point was that since it cost a spammer the same to send
out a million emails as to send out one, he was happy if only one of the
recipients responded. 

I live in the UK. The chances of anyone here buying prescription drugs from
a web site are non-existent: they are paid for either by the health service
or (for those who have medical insurance) by insurers. And the, er, get it
up medicines are now available over the counter. Yet all co.uk addresses
get mountains of this type of spam which presumably sell nothing.

I find it quicker to delete them manually rather than spending time altering
a regex and restarting SA.

Roger



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory


If I might interject. This seems to be an excellent occasion for
the PerlRE 'negative look-ahead' code (excuse the line wrap):

body =~ /(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)/i

...unless someone can think of an FP for this rule?

- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
 (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
 www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)

Does not seem to work with:

www. meds .com



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread McDonald, Dan
On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:
 On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
  (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
  www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
 
 Does not seem to work with;
 
 www. meds .com

It shouldn't.  The spammers have been using domains with 2-4 alpha
characters and 2 digits.

 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory

On Mon, 13 Jul 2009, rich...@buzzhost.co.uk wrote:

On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:

(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)


Does not seem to work with;
www. meds .com


Correct. With spaces being one of the possible obfuscation characters,
this otherwise 'broad' rule is limited to the cookie-cutter URL's with 
numeric suffixes in the hostnames - something unlikely to appear in 
conversational text like whether the [www can com]municate ideas... :)


- Charles




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread John Hardin

On Mon, 13 Jul 2009, McDonald, Dan wrote:


On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:

On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:

(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)


Does not seem to work with;

www. meds .com


It shouldn't.  The spammers have been using domains with 2-4 alpha
characters and 2 digits.


Why be restrictive on the domain name?

\b(?!www\.\w{2,20}\.(?:com|net|org))www[^a-z0-9]+\w{2,20}[^a-z0-9]+(?:com|net|org)\b

The + signs are a little risky, it might be better to use {1,3} instead. 
And the older rule allowed for spaces in the TLD. I don't recall if 
anybody provided more than one spample with that though.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 3 days until the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread John Hardin

On Mon, 13 Jul 2009, Charles Gregory wrote:


On Mon, 13 Jul 2009, rich...@buzzhost.co.uk wrote:

 On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
  (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
  www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)

 Does not seem to work with;
 www. meds .com


Correct. With spaces being one of the possible obfuscation characters,
this otherwise 'broad' rule is limited to the cookie-cutter URL's with 
numeric suffixes in the hostnames - something unlikely to appear in 
conversational text like whether the [www can com]municate ideas... :)


That possible FP is why \b are important in the rule.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 3 days until the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory

On Mon, 13 Jul 2009, John Hardin wrote:

Why be restrictive on the domain name?


If a conservative spec is sufficient to match the spam, then we're
helping avoid false positives. I'd rather tweak the rule to
catch the new tricks of the spammer than overgeneralize. :)

The + signs are a little risky, it might be better to use {1,3} instead.

(nod) Though without the '/m' option it would be limited to the same line.
My thinking is that a spammer would quickly figure out to add more 
obfuscation, and there is little risk of a false positive occurring with
that kind of broad spacing and an xxx99 domain name.

And the older rule allowed for spaces in the TLD. I don't recall if 
anybody provided more than one spample with that though.


I've not seen it too much, though it doesn't hurt to keep it in the
rule. I actually added it back into my live rule after I posted

To answer your next post, I don't use '\b' because the next 'trick' coming 
will likely be something looking like Xwww herenn comX...  :)


- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread John Hardin

On Mon, 13 Jul 2009, Charles Gregory wrote:


On Mon, 13 Jul 2009, John Hardin wrote:

 Why be restrictive on the domain name?


If a conservative spec is sufficient to match the spam, then we're
helping avoid false positives. I'd rather tweak the rule to
catch the new tricks of the spammer than overgeneralize. :)


Fair enough.

The + signs are a little risky, it might be better to use {1,3} 
instead.


(nod) Though without the '/m' option it would be limited to the same 
line.


body rules work on paragraphs, but you are right, the badness has an upper 
limit.


My thinking is that a spammer would quickly figure out to add more 
obfuscation, and there is little risk of a false positive occurring with 
that kind of broad spacing and an xxx99 domain name.


Again, fair enough. But there's a limit to how complex the obfuscation can 
be made, though, because there's a point where people won't deobfuscate 
the URI to visit it.


To answer your next post, I don't use '\b' because the next 'trick' 
coming will likely be something looking like Xwww herenn comX...  :)


At that point it can be dealt with. Until then, using \b is an important 
way to avoid FPs.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 3 days until the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory

On Mon, 13 Jul 2009, John Hardin wrote:

  The + signs are a little risky, it might be better to use {1,3} instead.
 (nod) Though without the '/m' option it would be limited to the same line.
body rules work on paragraphs, but you are right, the badness has an upper 
limit.


Ugh. Forgot it was 'paragraphs' and not 'lines' (and I just had that 
drilled into me recently, too). Paragraphs are too long. I'll switch it
to a specific limit.


 To answer your next post, I don't use '\b' because the next 'trick' coming
 will likely be something looking like Xwww herenn comX...  :)

At that point it can be dealt with.


Well, they're getting close. I'm seeing non-alpha non-blank crud cozied up 
to the front of the 'www' now :)


- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Cedric Knight
Chris Owen wrote:
 On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote:
 
 To answer your next post, I don't use '\b' because the next 'trick'
 coming
 will likely be something looking like Xwww herenn comX...  :)
 At that point it can be dealt with.
 
 Well, they're getting close. I'm seeing non-alpha non-blank crud
 cozied up to the front of the 'www' now :)

Not forgetting underscores are not word boundaries.  My alternative
rules are badly written but are still hitting with the \b:

rawbody NONLINK_SHORT
/^.{0,500}\b(?:H\s*T\s*T\s*P\s*[:;](?!http:)\W{0,10}|W\s{0,10}W\s{0,10}W\s{0,10}(?:[.,\'`_+\-]\s{0,10})?(?!www\.))[a-z0-9\-]{3,13}\s{0,10}(?:[.,\'`_+\-]\s{0,10})?(?![a-z0-9]\.)(?:net|c\s{0,10}o\s{0,10}m|org|info|biz)\b/si
describe NONLINK_SHORT  Obfuscated link near top of text
score NONLINK_SHORT 2.5

#quite strict:
rawbody NONLINK_VSHORT  /^.{0,100}\bwww{0,2}(?:\. | \.|
?[,*_\-\+] ?)[a-z]{2,5}[0-9\-]{1,5}(?:\. | \.| ?[,*_\-\+]
?)(?:net|c\s{0,10}o\s{0,10}m|org|info|biz)(?:\. \S|\s*$)/s
describe NONLINK_VSHORT Specific obfuscated link form near top
of text
score NONLINK_VSHORT2.5

(These use rawbody with a caret to limit the area of matching to the
first few lines.)

So how about dropping the \b and using something looser like: 'w
?w(?!\.[a-z0-9\-]{2,12}\.(?:com|info|net|org|biz))[[:punct:]X
]{1,4}[a-z0-9\-]{2,12}[[:punct:]X ]{1,4}(?:c ?o ?m|info|n ?e ?t|o ?r
?g|biz)([[:punct:]X ]|$)'   ...?

 
 
 Which of course means we've long since passed the point where any of
 these are going to do the spammers any good.  That's the frustrating part.

You're making the common assumption that spammers send UCE because it
makes them money.  In fact they do it because they are obnoxious
imbeciles who want to annoy people and waste as much time (human and
CPU) as possible.  I don't think it really matters to them that what
they are sending is incomprehensible noise, because noise is their message.

Cheers

CK


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-12 Thread Sim
2009/7/11 Sim simvi...@gmail.com:
 New rules:
 body    __MED_BEG_SP    /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
 body    __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
 body    __MED_BEG_DOT   /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
 body    __MED_BEG_BOTH
 /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
 body    __MED_END_SP
 /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body    __MED_END_PUNCT
 /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body    __MED_END_DOT
 /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body    __MED_END_BOTH
 /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

 meta    AE_MED42    (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT ||
 __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT ||
 __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
 describe AE_MED42   rule to catch still more spam obfuscation
 score   AE_MED42    4.0





 Hi Dan,
 very very thanks!
 It's perfect for all variant!

 Regards



Hi!

Again typology.  Rpace Against the Clocck.www_ze44_com

:-(

Spammers observe us!


Re: [NEW SPAM FLOOD] www_nu26_com

2009-07-12 Thread Charles Gregory

On Sat, 11 Jul 2009, Jason L Tibbitts III wrote:

I still wonder, though, if we shouldn't be turning these back into
hostnames and looking them up in the regular URI blacklists


Given the obvious objections to having the primary URIBL mechanism try to 
parse obfuscations, I once again question why we cannot have some sort of 
mechanism for 'capturing' the values of ordinary tests (such as the overly 
complex rule to catch these uribl obfuscations) and then have that value 
to manually feed to another test? There would be some interesting details 
to such a thing, for instance, if a rule matches more than one obfuscated 
URI, the 'capture' mechanism would have to somehow 'deliver' each captured 
value as an iteration of any check/test that included it


But for cases like this URI stuff, something 'flexible' is needed

- Charles


RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-12 Thread John Hardin

On Fri, 10 Jul 2009, McDonald, Dan wrote:


They have.  They are using underscores, which are a [:punct:], but don't form a 
\b break.

New rules:
body __MED_BEG_SP    /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_DOT   /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_BOTH  /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP    /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT   /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH  /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 4.0


I think that can be simplified somewhat by reversing the obfuscation 
matches:


body  URI_OBFU_WWW   
/\bw{2,3}[^[:alnum:]]{1,3}\w{1,20}(?:(?!\.[[:alnum:]])[^[:alnum:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe  URI_OBFU_WWW   Obfuscated URI


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 4 days until the 64th anniversary of the dawn of the Atomic Age
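An added example (Python, not code from the thread or from SpamAssassin): John Hardin's URI_OBFU_WWW rule transcribed into Python's re syntax and run over constructed samples of the obfuscations reported in the thread, plus a check of Dan McDonald's point that an underscore is a \w character and so forms no \b boundary. The sample texts are constructed for this example; the "[www can com]municate" phrase is Charles Gregory's false-positive case.

```python
import re

# Added example (not code from the thread or from SpamAssassin): John Hardin's
# URI_OBFU_WWW rule transcribed from Perl into Python's re syntax.
# Perl's [^[:alnum:]] is written [^a-z0-9]; with IGNORECASE that also excludes
# A-Z. The class still matches "_", so www_nu26_com is caught even though the
# underscore is a \w character and therefore forms no \b boundary.
URI_OBFU_WWW = re.compile(
    r"\bw{2,3}"                           # "www" (or "ww") at a word boundary
    r"[^a-z0-9]{1,3}"                     # 1-3 obfuscation chars: space . _ , + ...
    r"\w{1,20}"                           # the obfuscated domain label, e.g. nu26
    r"(?:(?!\.[a-z0-9])[^a-z0-9]{1,3})"   # more obfuscation, but not a real ".tld"
    r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)"  # the TLD, possibly spaced out: c o m
    r"\b",                                # ...and a boundary after it
    re.IGNORECASE,
)


def obfuscated_uri_hits(text):
    """Return every substring the rule fires on, in order of appearance."""
    return [m.group(0) for m in URI_OBFU_WWW.finditer(text)]


def www_is_a_word(text):
    """Dan McDonald's point: \\bwww\\b needs a non-\\w character on both sides
    of www. "." qualifies, "_" does not, so www_nu26_com yields False."""
    return re.search(r"\bwww\b", text, re.IGNORECASE) is not None


# Constructed samples modelled on the obfuscations reported in the thread.
SAMPLES = [
    # (text, expected to hit?)
    ("Rpace Against the Clocck.www_ze44_com", True),   # underscores
    ("buy now at www, nu26, com today", True),          # commas
    ("www+nu26+com", True),                             # plus signs
    ("bla bla www. meds .com bla bla", True),           # dot and space
    ("visit www.example.com today", False),             # real URI: the lookahead blocks it
    ("Xwww herenn comX", False),                        # Charles' predicted trick: no \b, so a miss
    ("whether the [www can com]municate ideas", True),  # Charles' FP case: \b does not help here
]


def run_samples(samples=SAMPLES):
    """Return (text, hits, agrees_with_expectation) for each sample."""
    report = []
    for text, expected in samples:
        hits = obfuscated_uri_hits(text)
        report.append((text, hits, bool(hits) == expected))
    return report


if __name__ == "__main__":
    for text, hits, ok in run_samples():
        print(f"{'OK ' if ok else 'BAD'} {text!r:45} -> {hits}")
    print("www_nu26_com has \\bwww\\b:", www_is_a_word("www_nu26_com"))
    print("www.nu26.com has \\bwww\\b:", www_is_a_word("www.nu26.com"))
```

The last two samples show the trade-off the thread argues over: the trailing \b turns "Xwww herenn comX" into a miss rather than a hit, while bracketed text such as "[www can com]" still fires because "]" is a boundary.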


RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
 From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
  MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:
 
 MD They are using underscores, which are a [:punct:], but don't form
 MD a \b break.
 
 I'm becoming confused as to what they could possibly hope to
 accomplish by that.
 
 right now I think they are sticking it to us.  That and they must get
 some
 sort of jollies describing sick sex acts to little old ladies.
 
 Yes, I know, don't question the motives of spammers for their
 stupidity and madness may be contagious, but still.  Surely they must
 expect some kind of click rate.
 
 I expect they will tire quickly of this game.  I was expecting commas
 before underscores, but even that is a loss now.  So, they will have
 to
 play a new game, and we can start all over with the fun.
 
 
 
One of my customers has this in their Postfix body blocks and it seems
to do well. No doubt it could be adapted to SA or even made more 'curt'

/www((\.\s{1,10}|\s{1,10}\.|
\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
\s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated uri

Use it at your own risk



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread Sim
 New rules:
 body    __MED_BEG_SP    /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
 body    __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
 body    __MED_BEG_DOT   /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
 body    __MED_BEG_BOTH
 /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
 body    __MED_END_SP
 /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body    __MED_END_PUNCT
 /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body    __MED_END_DOT
 /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 body    __MED_END_BOTH
 /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

 meta    AE_MED42    (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT ||
 __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT ||
 __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
 describe AE_MED42   rule to catch still more spam obfuscation
 score   AE_MED42    4.0





Hi Dan,
very very thanks!
It's perfect for all variant!

Regards

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread Paweł Tęcza
Dnia 2009-07-10, pią o godzinie 16:48 -0700, fchan pisze:
 Don't tempt them, I already get enough spam not only from these guys.
 Also they will flood the network with smtp useless connections and
 unless you have good network attack mitigation system so you don't
 have a DDoS, don't tempt them.

Please don't be afraid and help to beat them.

Do you only update your local rules? I think it's not sufficient
reaction. We also should send abuse reports to Internet providers of
spammers. They have to shut down that website.

P.




RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread McDonald, Dan
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
 From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
  MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:
 
 MD They are using underscores, which are a [:punct:], but don't form
 MD a \b break.

One of my customers has this in their Postfix body blocks and it seems
to do well. No doubt it could be adapted to SA or even made more 'curt'

/www((\.\s{1,10}|\s{1,10}\.|
\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
\s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated uri

Use it at your own risk

it won't hit anything now.  They aren't using periods any more.  They 
switched to underscores last night, and commas this morning.  Be ready 
for exclamation points later today!  Their click rate has to be dropping
like a rock and the only purpose at this point is to annoy us.






RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-11 at 07:14 -0500, McDonald, Dan wrote:
 From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
 On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
  From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
   MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:
 
  MD They are using underscores, which are a [:punct:], but don't
 form
  MD a \b break.
 
 One of my customers has this in their Postfix body blocks and it
 seems
 to do well. No doubt it could be adapted to SA or even made more
 'curt'
 
 /www((\.\s{1,10}|\s{1,10}\.|
 \s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
 \s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
 \s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated
 uri
 
 Use it at your own risk
 
 it won't hit anything now.  They aren't using periods any more.  They
 switched to underscores last night, and commas this morning.  Be ready
 for exclamation points later today!  Their click rate has to be
 dropping
 like a rock and the only purpose at this point is to annoy us.
 
I guess it goes without saying to duplicate the rule for other options ?
I've added duplicates for all the obvious characters on the keyboard -
I'm just waiting to see some more creativity from them :-)
 
 
 
 



Re: [NEW SPAM FLOOD] www_nu26_com

2009-07-11 Thread Jason L Tibbitts III
 MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:

MD The rules I posted last night catch those.  They switched from
MD underscores to commas this morning, and my rules still catch them.

FYI, they're also using plus signs, which also seem to be caught
properly by your rules.  I think we're good until they switch to
alphanumerics like wwwZnu26Ycom, which we should be able to filter out
pretty trivially.

I still wonder, though, if we shouldn't be turning these back into
hostnames and looking them up in the regular URI blacklists, because
the looser we make the rules, the larger the chance of false
positives.  Not sure if spamassassin actually permits that, however.

 - J
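As an added example, not code from the thread or from SpamAssassin, here is the capture, normalise and look up pipeline that Charles Gregory's FINDURI/CHECKIT proposal sketches and that Jason asks about above, in Python: the three capturing groups stand in for $1, $2 and $3, each distinct rebuilt hostname is delivered once however many times it appears, and the query name is built for the multi.uribl.com zone. The resolver is injected as a callable so the script runs offline; the listing in the sample resolver is constructed, not a real URIBL entry.

```python
import re

# Added example (not SpamAssassin code): capture the pieces of an obfuscated
# "www <junk> label <junk> tld", rebuild a hostname and form a URIBL query.
# Group 1, 2 and 3 play the role of $1.$2.$3 in Charles Gregory's proposal.
OBFU_URI = re.compile(
    r"\b(w{2,3})"                          # $1: www
    r"[^a-z0-9]{1,3}"                      # obfuscation: space . _ , + ...
    r"([a-z0-9-]{1,20})"                   # $2: domain label ("_" is not valid in a hostname)
    r"(?:(?!\.[a-z0-9])[^a-z0-9]{1,3})"    # obfuscation again, but not a real ".tld"
    r"(c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",  # $3: TLD, possibly spaced out
    re.IGNORECASE,
)

# multi.uribl.com answers with 127.0.0.X where the bits of X name the lists;
# 127.0.0.1 means the query was refused. Bits other than 2/4/8 are not decoded.
URIBL_ZONE = "multi.uribl.com"
URIBL_BITS = {2: "black", 4: "grey", 8: "red"}


def extract_obfuscated_hosts(text):
    """Rebuild each obfuscated match into a hostname. Every distinct host is
    delivered once, in order of appearance (the iteration Charles asked for)."""
    hosts = []
    for m in OBFU_URI.finditer(text):
        www, label, tld = (g.lower() for g in m.groups())
        tld = re.sub(r"\s+", "", tld)          # "c o m" -> "com"
        host = f"{www}.{label}.{tld}"
        if host not in hosts:
            hosts.append(host)
    return hosts


def uribl_query_name(host, zone=URIBL_ZONE):
    """URIBL lists registered domains, so the leading www label is dropped."""
    domain = re.sub(r"^w{2,3}\.", "", host)
    return f"{domain}.{zone}"


def decode_uribl_answer(answer):
    """Map an A record from the URIBL zone (or None for NXDOMAIN) to list names."""
    if answer is None:
        return "not listed"
    if not answer.startswith("127.0.0."):
        return "unexpected answer " + answer    # e.g. a wildcarding resolver
    code = int(answer.rsplit(".", 1)[1])
    if code == 1:
        return "refused"
    lists = [name for bit, name in URIBL_BITS.items() if code & bit]
    return "+".join(lists) if lists else "unknown code " + str(code)


def check_text(text, resolve):
    """resolve(name) -> A record string or None. It is injected so this runs
    offline; a deployment would plug in a real DNS lookup here."""
    return {host: decode_uribl_answer(resolve(uribl_query_name(host)))
            for host in extract_obfuscated_hosts(text)}


if __name__ == "__main__":
    # Constructed answer table standing in for DNS; not a real listing.
    FAKE_DNS = {"nu26.com.multi.uribl.com": "127.0.0.2"}
    sample = "Rpace Against the Clocck.www_ze44_com, also www, nu26, com and www.example.com"
    for host, status in check_text(sample, FAKE_DNS.get).items():
        print(f"{host:20} {uribl_query_name(host):35} {status}")
```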


RE: [NEW SPAM FLOOD] www_nu26_com

2009-07-11 Thread McDonald, Dan
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
 MD == McDonald, Dan dan.mcdon...@austinenergy.com writes:

MD The rules I posted last night catch those.  They switched from
MD underscores to commas this morning, and my rules still catch them.

I still wonder, though, if we shouldn't be turning these back into
hostnames and looking them up in the regular URI blacklists, because
the looser we make the rules, the larger the chance of false
positives. 

That's why I have the exclude two dots part of the rule.  My first attempt 
was getting a lot of false positives.  Anyone obfuscating the domain name, 
IMHO, is definitely asking to be blocked.

--
Dan McDonald, CCIE # 2495, CISSP # 78281, CNX



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Sim


 /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

                                           ^
 John,

 Thanks a lot for rule update! It works fine. I can say it's nearly
 perfect, because it missing only one small back-slash :) Please look
 above.

 D'oh!

 That, plus some other fixes:

 /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i



Hello world ;-)

I'm using it without good results for this format:

bla bla www. site. net. bla bla

Have you any idea?
Regards

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread McDonald, Dan
On Fri, 2009-07-10 at 17:11 +0200, Sim wrote:
 
 
  /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 
^
  John,
 
  Thanks a lot for rule update! It works fine. I can say it's nearly
  perfect, because it missing only one small back-slash :) Please look
  above.
 
  D'oh!
 
  That, plus some other fixes:
 
  /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 
 
 
 Hello world ;-)
 
 I'm using it without good results for this format:
 
 bla bla www. site. net. bla bla
 
 Have you any idea?
 Regards
Yes, remove the outer parentheses.

Here are the rules I am using:
body AE_MEDS35 /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 3.00

body AE_MEDS38 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38 rule to catch next wave of obfuscated domains
score AE_MEDS38 1.0

body AE_MEDS39 /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39 rule to catch still more spam obfuscation
score AE_MEDS39 4.0

AE_MEDS38 finds domains with spaces in them, and AE_MEDS39 finds domains
with dots and spaces.  You might want to bump up the score on AE_MEDS38,
but I haven't had a false negative that would have benefited from it in
a while, so I haven't bothered.



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

McDonald, Dan wrote:

Yes, remove the outer parentheses.

Here are the rules I am using:
body AE_MEDS35 /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35 obfuscated domain seen in spam
score AE_MEDS35 3.00

body AE_MEDS38 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38 rule to catch next wave of obfuscated domains
score AE_MEDS38 1.0

body AE_MEDS39 /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39 rule to catch still more spam obfuscation
score AE_MEDS39 4.0

  

Since we're sharing rules for this recent Spam outbreak, here is my rule:
body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

score DRUG_SITE 0.5
describe DRUG_SITE Test to find spam drug sites in recent emails


Notice my score is low, because I'm not sure it's 100% accurate.

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, Sim wrote:


/\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


I'm using it without good results for this format:

bla bla www. site. net. bla bla

Have you any idea?


There are no digits in that URI.

If this becomes common, change the \d{2,6} to \d{0,6}, but that will 
increase the risk of FP somewhat.


Dan: there are no parentheses in that RE that attempt to match the message 
text, they are all grouping parentheses.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread McDonald, Dan
On Fri, 2009-07-10 at 11:39 -0400, Daniel Schaefer wrote:
 McDonald, Dan wrote:

 Since we're sharing rules for this recent Spam outbreak, here is my rule:
 body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

You should avoid the use of *, as it allows spammers to consume all of
your memory and cpu.  Limit it using the {} syntax.  You also should
tell perl to not keep the results of your () with (?:\.|\ ) instead of
(\.|\ ).  And with single characters, the [ab] syntax is faster to
process than (?:a|b).




-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Gerry Maddock
  McDonald, Dan wrote:

  Since we're sharing rules for this recent Spam outbreak, here is my
rule:
  body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

 You should avoid the use of *, as it allows spammers to consume all of
 your memory and cpu.  limit it using the {} syntax.  You also should
 tell perl to not keep the results of your () with (?:\.|\ ) instead of
 (\.|\ ).  And with single characters, the [ab] syntax is faster to
 process than (?:a|b).

Perhaps you could attach an example showing exactly what you're stating for
this rule?











Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

Gerry Maddock wrote:

 McDonald, Dan wrote:

  Since we're sharing rules for this recent Spam outbreak, here is my rule:
  body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

 You should avoid the use of *, as it allows spammers to consume all of
 your memory and cpu.  Limit it using the {} syntax.  You also should
 tell perl to not keep the results of your () with (?:\.|\ ) instead of
 (\.|\ ).  And with single characters, the [ab] syntax is faster to
 process than (?:a|b).

 Perhaps you could attach an example showing exactly what you're stating for
 this rule?


This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Sim
 Yes, remove the outer parentheses.

 Here are the rules I am using:
 body    AE_MEDS35       /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
 describe AE_MEDS35      obfuscated domain seen in spam
 score   AE_MEDS35       3.00

 body    AE_MEDS38       /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
 describe AE_MEDS38      rule to catch next wave of obfuscated domains
 score   AE_MEDS38       1.0

 body    AE_MEDS39       /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
 describe AE_MEDS39      rule to catch still more spam obfuscation
 score   AE_MEDS39       4.0

 AE_MEDS38 finds domains with spaces in them, and AE_MEDS39 finds domains
 with dots and spaces.  You might want to bump up the score on AE_MEDS38,
 but I haven't had a false negative that would have benefited from it in
 a while, so I haven't bothered.




Very good!
Thanks a lot!

Regards and good week-end!

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Sim
2009/7/10 John Hardin jhar...@impsec.org:
 On Fri, 10 Jul 2009, Sim wrote:


 /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

 I'm using it without good results for this format:

 bla bla www. site. net. bla bla

 Have you any idea?

 There are no digits in that URI.

 If this becomes common, change the \d{2,6} to \d{0,6}, but that will
 increase the risk of FP somewhat.

 Dan: there are no parentheses in that RE that attempt to match the message
 text, they are all grouping parentheses.



Good solution John,

many thanks!

Regards

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Gerry Maddock wrote:

   McDonald, Dan wrote:
 
   body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
 
  You should avoid the use of *, as it allows spammers to consume all 
  of your memory and cpu.  limit it using the {} syntax.  You also 
  should tell perl to not keep the results of your () with (?:\.|\ ) 
  instead of (\.|\ ).  And with single characters, the [ab] syntax is 
  faster to process than (?:a|b).


 Perhaps you could attach an example showing exactly what you're stating
 for this rule?


This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


You missed some of the suggestions.

Try this:

body DRUG_SITE /\bwww[.\s]{1,3}(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)\d{2}[.\s]{1,3}(?:net|com)\b/

Also, if the spammers start registering three-digit domain names, this 
will start missing. Something like \d{2,5} would be better.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

John Hardin wrote:

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Gerry Maddock wrote:

   McDonald, Dan wrote:

   body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

  You should avoid the use of *, as it allows spammers to consume all
  of your memory and cpu.  Limit it using the {} syntax.  You also
  should tell perl to not keep the results of your () with (?:\.|\ )
  instead of (\.|\ ).  And with single characters, the [ab] syntax is
  faster to process than (?:a|b).


 Perhaps you could attach an example showing exactly what you're stating
 for this rule?


This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


You missed some of the suggestions.

Try this:

body DRUG_SITE /\bwww[.\s]{1,3}(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)\d{2}[.\s]{1,3}(?:net|com)\b/


Also, if the spammers start registering three-digit domain names, this 
will start missing. Something like \d{2,5} would be better.



Doesn't the . (period) need to be escaped in this? [.\s]{1,3}

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Doesn't the . (period) need to be escaped in this? [.\s]{1,3}


Nope. [] means explicit set of characters, and . = any character 
conflicts with that context.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

John Hardin wrote:

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Doesn't the . (period) need to be escaped in this? [.\s]{1,3}


Nope. [] means explicit set of characters, and . = any 
character conflicts with that context.



Thanks for the clarification. I'm still learning REs.

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Michelle Konzack
Am 2009-07-10 11:39:02, schrieb Daniel Schaefer:
 Since we're sharing rules for this recent Spam outbreak, here is my rule:
 body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
 score DRUG_SITE 0.5
 describe DRUG_SITE Test to find spam drug sites in recent emails


 Notice my score is low, because I'm not sure it's 100% accurate.

Does not hit:

Problems in Getting the sex Life Ymoou Want and Deserve - Starting With E 
www.ma29. net. Californian Finds Pit Blul Under hTe Hood

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   c/o Vertriebsp. KabelBW
http://www.flexray4linux.org/   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886                Tel. FR: +33  6  61925193




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, McDonald, Dan wrote:


body __MED_END_BOTH /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

Let's see how long it takes them to come up with a workaround for this!


A domain name with 7+ letters? www. goodmeds123. com ?  :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If healthcare is a Right means that the government is obligated
  to provide the people with hospitals, physicians, treatments and
  medications at low or no cost, then the right to free speech means
  the government is obligated to provide the people with printing
  presses and public address systems, the right to freedom of
  religion means the government is obligated to build churches for the
  people, and the right to keep and bear arms means the government is
  obligated to provide the people with guns, all at low or no cost.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon
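Added example, not code from the thread or from SpamAssassin: the DRUG_SITE body regexes discussed above (Dan's original, John's bounded rewrite widened to \d{2,5}, and a hypothetical \d{0,5} variant for Sim's digit-less "www. site. net" format) are run over constructed sample lines with Python's re module, whose syntax for these patterns matches Perl's. The rule names, the DOTTED_SPACED variant and the constructed lines are assumptions; the two quoted sample lines come from Sim's and Michelle's posts.

```python
import re

# John Hardin's refined rule, widened from \d{2} to \d{2,5} as he suggests.
DRUG_SITE = re.compile(
    r"\bwww[.\s]{1,3}"
    r"(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)"
    r"\d{2,5}[.\s]{1,3}(?:net|com)\b"
)

# Dan Schaefer's original rule (unbounded * and capturing groups), kept only
# so its hits can be compared with the rewrite.
DRUG_SITE_ORIG = re.compile(
    r"www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)"
    r"[0-9]{2}(\.|\ )*(net|com)"
)

# Hypothetical variant for Sim's digit-less format: a generic 2-6 letter label
# and \d{0,5}, which (as John warns) raises the false-positive risk.
DOTTED_SPACED = re.compile(
    r"\bwww[.\s]{1,3}[a-z]{2,6}\d{0,5}[.\s]{1,3}(?:net|com)\b", re.I
)

RULES = {
    "DRUG_SITE": DRUG_SITE,
    "DRUG_SITE_ORIG": DRUG_SITE_ORIG,
    "DOTTED_SPACED": DOTTED_SPACED,
}


def hits(line):
    """Names of the rules that fire on one body line, in sorted order."""
    return sorted(name for name, rx in RULES.items() if rx.search(line))


if __name__ == "__main__":
    samples = [
        "buy now www.shop12.net today",          # constructed: plain form, all three fire
        "visit www. shop123 . net now",          # constructed: spaces and 3 digits, original misses
        "bla bla www. site. net. bla bla",       # Sim's sample: no digits, only the \d{0,5} variant fires
        "E www.ma29. net. Californian Finds",    # Michelle's sample: 'ma' is not in the prefix list
        "see www.shop.com for details",          # constructed ham-like line: the \d{0,5} false positive
        "www-shop12-net",                        # constructed: '.' inside [] is a literal dot, so no hit
    ]
    for line in samples:
        print(f"{line!r:42} -> {hits(line) or '-'}")
```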

