I'm with Theo on this one. The obfuscation is a red herring. And it's working
for them. Don't even bother to look at. I honestly haven't put much effort
into these spams yet. Been too busy with $dayjob. I'll start looking into
these. But I won't waste my time directly attacking their OBFU. Its
Chris Santerre writes:
I'm with Theo on this one. The obfuscation is a red herring. And it's working
for them. Don't even bother to look at. I honestly haven't put much effort
into these spams yet. Been too busy with $dayjob. I'll start looking into
these. But I won't waste my time directly
My 2p. YMMV and of course the spammers will continue to make minor
changes to avoid it and some ham will no doubt be hit as well:
/etc/mail/spamassassin/important_remove.cf
body __IR_IMPO /\bimpor*tant/i
body __IR_REMO /\bremove/i
body __IR_LINK /\blink/i
body __IR_REPL
On Mon, 2007-02-05 at 18:46 -0800, Kenneth Porter wrote:
On Tuesday, February 06, 2007 12:31 AM +0100 Chr. v. Stuckrad
[EMAIL PROTECTED] wrote:
So what really will be needed, would be a combination of
Rules for 'illegal hostname in url' and something like
the URIBLS to catch
On Tue, 6 Feb 2007, Kenneth Porter wrote:
The latest obfuscation cleverly uses a dash, a legal domain
character, so one can no longer match based on non-domain
characters.
I think the most robust non-DNS test would be on the length of the TLD
in the obfuscated domain.
What's the longest
John D. Hardin wrote:
On Tue, 6 Feb 2007, Kenneth Porter wrote:
The latest obfuscation cleverly uses a dash, a legal domain
character, so one can no longer match based on non-domain
characters.
I think the most robust non-DNS test would be on the length of the TLD
in the obfuscated
John D. Hardin wrote:
What's the longest valid TLD these days? info at 4?
Valid gTLDs are
.aero
.biz
.cat
.com
.coop
.edu
.gov
.info
.int
.jobs
.mil
.mobi
.museum
.name
.net
.org
.pro
.travel
http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
matt
John D. Hardin wrote:
On Tue, 6 Feb 2007, Kenneth Porter wrote:
The latest obfuscation cleverly uses a dash, a legal domain
character, so one can no longer match based on non-domain
characters.
I think the most robust non-DNS test would be on the length of the TLD
in the obfuscated domain.
On Tue, Feb 06, 2007 at 06:01:50PM -0800, John D. Hardin wrote:
It doesn't matter what obfuscation character they use if you're
looking at the length of the part after the last period. I can't see
them obfuscating with periods...
Really? I could see
http://www.example.c.om/Remove the
On Tue, 6 Feb 2007, Theo Van Dinter wrote:
On Tue, Feb 06, 2007 at 06:01:50PM -0800, John D. Hardin wrote:
It doesn't matter what obfuscation character they use if you're
looking at the length of the part after the last period. I can't see
them obfuscating with periods...
Really? I
John D. Hardin wrote:
On Tue, 6 Feb 2007, Ken A wrote:
John D. Hardin wrote:
I think the most robust non-DNS test would be on the length of the TLD
in the obfuscated domain.
There are too many possible obfuscations using valid characters.
It doesn't matter what obfuscation character they
On Tue, 6 Feb 2007, Ken A wrote:
But what's the point if they simply have to move the obfuscation to the
domain part, rather than the tld? Is it worth the cost of the additional
test?
ie: http://www.swell_your_dongR.com
...which brings us back to verification via a DNS lookup.
--
John
On Tue, 2007-02-06 at 22:25 -0800, John D. Hardin wrote:
On Tue, 6 Feb 2007, Ken A wrote:
But what's the point if they simply have to move the obfuscation to the
domain part, rather than the tld? Is it worth the cost of the additional
test?
ie: http://www.swell_your_dongR.com
Nigel Frankcom wrote:
On Sat, 03 Feb 2007 07:15:39 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
body Test_01 /remove \\*|\%|\!\/i
score Test_01 4.0
describe Test_01 Test remove asterisk for URL spams
and oops #2 the | doesn't work as expected :-/
This does tho...
On Mon, 05 Feb 2007, Bowie Bailey wrote:
body Test_01 /remove \\*\/i | /remove \\%\/i | /remove \\!\/i
score Test_01 4.0 describe Test_01 Test remove asterisk for URL
spams
How about this? (untested)
body Test_01 /remove \[*%!]\/i
Since Sunday after two new obfuscation chars
On Mon, 5 Feb 2007 13:03:08 -0500 , Bowie Bailey
[EMAIL PROTECTED] wrote:
Nigel Frankcom wrote:
On Sat, 03 Feb 2007 07:15:39 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
body Test_01 /remove \\*|\%|\!\/i
score Test_01 4.0
describe Test_01 Test remove asterisk for URL spams
On Sat, 03 Feb 2007 07:15:39 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
On Sat, 03 Feb 2007 07:13:08 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
On Fri, 2 Feb 2007 21:40:32 -0500, Theo Van Dinter
[EMAIL PROTECTED] wrote:
On Fri, Feb 02, 2007 at 06:33:40PM -0800, Kenneth Porter wrote:
If
From: Theo Van Dinter [EMAIL PROTECTED]
...I'm tired of arguing.
I hear you, Theo, loud and clear.
The rule is asinine since to prevent misfires it must be too finely
focused to work after minor changes.
{^_-}
Here's the current rule:
body TVD_SILLY_URI_OBFU
m!https?://[a-z0-9-]+\.[a-z0-9-]*[^a-z0-9.:/\s'[EMAIL PROTECTED])-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
If I read this right, it looks for an illegal domain character in the
domain component after the first dot. The new pattern puts a % after the
On Fri, Feb 02, 2007 at 06:33:40PM -0800, Kenneth Porter wrote:
If I read this right, it looks for an illegal domain character in the
domain component after the first dot. The new pattern puts a % after the
second dot.
fwiw, I put in a new test version which will catch the latest
On Fri, 2 Feb 2007 21:40:32 -0500, Theo Van Dinter
[EMAIL PROTECTED] wrote:
On Fri, Feb 02, 2007 at 06:33:40PM -0800, Kenneth Porter wrote:
If I read this right, it looks for an illegal domain character in the
domain component after the first dot. The new pattern puts a % after the
second
On Sat, 03 Feb 2007 07:13:08 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
On Fri, 2 Feb 2007 21:40:32 -0500, Theo Van Dinter
[EMAIL PROTECTED] wrote:
On Fri, Feb 02, 2007 at 06:33:40PM -0800, Kenneth Porter wrote:
If I read this right, it looks for an illegal domain character in the
domain
22 matches