Re: [courier-users] A pythonfilter module for recent gibberish spam

[Lindsay Haisley]

Here's an update on my gibberish.py courier pythonfilter module. This
takes into account the latest metastasis of this form of gibberish spam
in which different random patterns occur on alternate lines. The module
will looks at successive lines, one at a time, and if no two match in
succession, it looks at every other line for matches, and then every
3rd line, etc., up to skipLines lines. If a line is shorter than
gibChars, it eats an extra line and continues with the same skip value.

I think this code is OK, but Gordon might want to pass off on it. I'm
tired, and it took me a long time to get this working :(  But it does
work here.

Comment out the syslog invocation to save log space. This is debugging
information, but may also be useful for automated log analysis.

This code could probably be tightened up considerably. I'm using a
couple of python iterators, and there may (probably) be faster ways to
do this using simple list index value arithmetic.

I HATE spammers!

-- 
Lindsay Haisley   | "UNIX is user-friendly, it just
FMP Computer Services |   chooses its friends."
512-259-1190  |  -- Andreas Bogk
http://www.fmp.com|

#!/usr/bin/python
# vim: set expandtab ai ts=4:

import sys
import os.path
import courier.config
import courier.control

maxMsgSize = 200
# Maximum message size. Pass if larger.

checkLines = 100
# Number of lines (including headers) to check for repetitive gibberish

gibLines = 40
# Number of consecutive gibberish lines required for rejection

gibChars = 10
# Number of characters to check in each line for repetitive gibberish

skipLines = 4
# Number of lines to scan for repetitive duplicates


def initFilter():
courier.config.applyModuleConfig('gibberish.py', globals())
# Record in the system log that this filter was initialized.
sys.stderr.write('Initialized the "gibberish" python filter\n')

def piter(arr,n):
iterLines = iter(arr)
iterArr = []
for foo in iterLines:
for r in range(n):
foo = next(iterLines,False)
if foo and len(foo) >= gibChars:
iterArr.append(foo)
else:
foo = next(iterLines,False)
return iter(iterArr)

def gibDetect(bf):
global gLskip
a = []
bfh = open(bf)
for i in range(checkLines):
a.append(bfh.readline())

lfcount = 0
lcount = 0
lastlf = ''
subject = ''

for l in a:
if not subject:
if l[:8] == "Subject:":
subject = l[9:]
break

for lskip in range(skipLines):
for l in piter(a,lskip):
lf = l[:gibChars]
if lf == lastlf and not " " in lf:
lfcount += 1
if lfcount >= gibLines:
gLskip = lskip
return ("gibberish: %s: match: %s" % (subject.rstrip(), lastlf))
else:
lastlf = lf
lfcount = 0
gLskip = lskip
return None

def doFilter(bodyFile, controlFileList):
msgSize = os.path.getsize(bodyFile)
if msgSize > maxMsgSize:
return ''

n = gibDetect(bodyFile)
if n:
sender = courier.control.getSendersMta(controlFileList) 
S.syslog(S.LOG_INFO | S.LOG_MAIL, n + "; " + sender[5:] + ": lskip=%s" % gLskip)
return "500 gibberish spam from %s" % sender
return ''

--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] A pythonfilter module for recent gibberish spam

[Lindsay Haisley]

On Sat, 2016-09-24 at 10:29 -0700, Gordon Messmer wrote:
> On 09/22/2016 02:11 PM, Lindsay Haisley wrote:
> > 
> > Gordon, take a look at this code and if you have any suggestions
> > please
> > post them.
> 
> Do you have a sample of the messages this targets?

No sooner have I put gibberish.py into service than the format of this
spam changed. It's now using alternate lines of repeating gibberish.
I'm going to have to modify my pythonfilter to accomodate it. I think
they're watching me :(

I'm getting very tired of playing whack-a-mole with these jerks!

Attached is a sample

-- 
Lindsay Haisley   | "UNIX is user-friendly, it just
FMP Computer Services |   chooses its friends."
512-259-1190  |  -- Andreas Bogk
http://www.fmp.com|



new_gibberish.tgz
Description: application/compressed-tar
--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] A pythonfilter module for recent gibberish spam

[Lindsay Haisley]

On Sat, 2016-09-24 at 10:29 -0700, Gordon Messmer wrote:
> On 09/22/2016 02:11 PM, Lindsay Haisley wrote:
> > 
> > Gordon, take a look at this code and if you have any suggestions
> > please
> > post them.
> 
> Do you have a sample of the messages this targets?

Sure - attached.

I've made a couple of mods to gibberish.py since I posted about it. The
code is cleaner and logs are more useful. Sorry about the sloppiness in
my email and code last post. I was tired!

I've been running the gibberish.py filter for several days now and it's
working fine - nothing gets through and no false positives :)

-- 
Lindsay Haisley   | "UNIX is user-friendly, it just
FMP Computer Services |   chooses its friends."
512-259-1190  |  -- Andreas Bogk
http://www.fmp.com|



gibberish_spam.tar.gz
Description: application/compressed-tar
--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] A pythonfilter module for recent gibberish spam

[Gordon Messmer]

On 09/22/2016 02:11 PM, Lindsay Haisley wrote:
> Gordon, take a look at this code and if you have any suggestions please
> post them.


Do you have a sample of the messages this targets?


--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

[courier-users] A pythonfilter module for recent gibberish spam

[Lindsay Haisley]

I've been receiving a steady stream of spam with the following body
format:

[3 centered images, referenced by URLs]
[A short line of random characters, or sometimes a