Re: PHP eval()'d code
On Mon, 30 May 2016, Reindl Harald wrote:

> On 30.05.2016 at 01:20, John Hardin wrote:
>> On Sun, 29 May 2016, Reindl Harald wrote:
>>> On 29.05.2016 at 23:38, John Hardin wrote:
>>>> On Thu, 26 May 2016, RW wrote:
>>>>> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>>>>>
>>>>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>>>>
>>>>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>>>>
>>>> It doesn't do too well in masscheck:
>>>>
>>>> http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail
>>>
>>> where is the rule?
>>
>> https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
>>
>>> if masscheck pretends that this hits a relevant amount of ham
>>
>> It doesn't. 3 out of 139k.
>
> so what did you want to say with "It doesn't do too well in masscheck"

Few hits (either spam or ham) relative to the overall corpora (less than 6/10 of a percent for either), and the S/O isn't that good (.73).

>>> while we see 250 samples *at all* with a "X-PHP-Originating-Script"
>>
>> Here is the basic "header exists" rule for that same masscheck run:
>>
>> http://ruleqa.spamassassin.org/20160528-r1745852-n/__HAS_PHP_ORIG_SCRIPT/detail
>
> i see there a lot of stuff but not the rule source itself but that is only "has that header" i guess

The rule source for both is in the SVN link posted above. The __HAS rule is a basic rule for "does the header exist?". The other rule is the latest change in the history:

https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?r1=1741551=1745822_format=h

> header CUST_PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/
> score CUST_PHP_EVAL 1.5
> describe CUST_PHP_EVAL Looks like from exploited webserver
>
>> It hits 1595 spam and 1972 ham. Where are you getting only 250 hits for that header?
>
> in our corpus containing 9 eml files

OK. My apologies, when you said "we see" I thought you were referring to the masscheck results, not your local results.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The ["assault weapons"] ban is the moral equivalent of banning red cars because they look too fast. -- Steve Chapman, Chicago Tribune
---
Today: Memorial Day - honor those who sacrificed for our liberty
Re: PHP eval()'d code
On 30.05.2016 at 01:20, John Hardin wrote:

> On Sun, 29 May 2016, Reindl Harald wrote:
>> On 29.05.2016 at 23:38, John Hardin wrote:
>>> On Thu, 26 May 2016, RW wrote:
>>>> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>>>>
>>>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>>>
>>>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>>>
>>> It doesn't do too well in masscheck:
>>>
>>> http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail
>>
>> where is the rule?
>
> https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
>
>> if masscheck pretends that this hits a relevant amount of ham
>
> It doesn't. 3 out of 139k.

so what did you want to say with "It doesn't do too well in masscheck"

>> while we see 250 samples *at all* with a "X-PHP-Originating-Script"
>
> Here is the basic "header exists" rule for that same masscheck run:
>
> http://ruleqa.spamassassin.org/20160528-r1745852-n/__HAS_PHP_ORIG_SCRIPT/detail

i see there a lot of stuff but not the rule source itself but that is only "has that header" i guess

header CUST_PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/
score CUST_PHP_EVAL 1.5
describe CUST_PHP_EVAL Looks like from exploited webserver

> It hits 1595 spam and 1972 ham. Where are you getting only 250 hits for that header?

in our corpus containing 9 eml files
Re: PHP eval()'d code
On Sun, 29 May 2016, Reindl Harald wrote:

> On 29.05.2016 at 23:38, John Hardin wrote:
>> On Thu, 26 May 2016, RW wrote:
>>> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>>>
>>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>>
>>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>>
>> It doesn't do too well in masscheck:
>>
>> http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail
>
> where is the rule?

https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf

> if masscheck pretends that this hits a relevant amount of ham

It doesn't. 3 out of 139k.

> while we see 250 samples *at all* with a "X-PHP-Originating-Script"

Here is the basic "header exists" rule for that same masscheck run:

http://ruleqa.spamassassin.org/20160528-r1745852-n/__HAS_PHP_ORIG_SCRIPT/detail

It hits 1595 spam and 1972 ham. Where are you getting only 250 hits for that header?

> (with and without "PHP eval()'d code") masscheck is *seriously broken* not only about all the FSL_ rules making nothing more than troubles the last months

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
---
Where We Want You To Go Today 09/13/07: Microsoft patents in-OS adware architecture that incorporates monitoring and analysis of user actions and interrupting the user to display apparently relevant advertisements (U.S. Patent #20070214042)
---
Tomorrow: Memorial Day - honor those who sacrificed for our liberty
Re: PHP eval()'d code
On 29.05.2016 at 23:38, John Hardin wrote:

> On Thu, 26 May 2016, RW wrote:
>> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>>
>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>
>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>
> It doesn't do too well in masscheck:
>
> http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail

where is the rule?

if masscheck pretends that this hits a relevant amount of ham while we see 250 samples *at all* with a "X-PHP-Originating-Script" (with and without "PHP eval()'d code") masscheck is *seriously broken* not only about all the FSL_ rules making nothing more than troubles the last months
Re: PHP eval()'d code
On Thu, 26 May 2016, RW wrote:

> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>
> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>
> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.

It doesn't do too well in masscheck:

http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detail

> The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
---
The more you believe you can create heaven on earth the more likely you are to set up guillotines in the public square to hasten the process. -- James Lileks
---
Tomorrow: Memorial Day - honor those who sacrificed for our liberty
Re: PHP eval()'d code
On Thu, 26 May 2016 17:23:21 -0500 (CDT)
David B Funk wrote:

> FWIW,
> There's a variant of that in the "KAM.cf" ruleset from March of this year. (Look for __KAM_BADPHP1, which is meta'ed into KAM_BADPHP)
>
> It doesn't hit a lot of stuff (only 0.08%) but does have a high S/O (0.9984) in my mail stream (over the last 2 months).

Are those numbers for KAM_BADPHP or __KAM_BADPHP1? It's meta'ed with

header __KAM_BADPHP2 X-Source-Args =~ /css.php/i

I'm not seeing anything with that combination.
Re: PHP eval()'d code
On Thu, 26 May 2016, John Hardin wrote:

> On Thu, 26 May 2016, Reindl Harald wrote:
>> On 26.05.2016 at 20:50, RW wrote:
>>> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>>>
>>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>>
>>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>>>
>>> The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit
>>
>> looks like worth a rule to add points
>
> I've asked for samples and will add a rule based on that.

FWIW,
There's a variant of that in the "KAM.cf" ruleset from March of this year. (Look for __KAM_BADPHP1, which is meta'ed into KAM_BADPHP)

It doesn't hit a lot of stuff (only 0.08%) but does have a high S/O (0.9984) in my mail stream (over the last 2 months).

-- 
Dave Funk University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: PHP eval()'d code
On Thu, 26 May 2016, Reindl Harald wrote:

> On 26.05.2016 at 20:50, RW wrote:
>> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>>
>> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>>
>> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>>
>> The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit
>
> looks like worth a rule to add points

I've asked for samples and will add a rule based on that.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
---
Individual liberties are always "loopholes" to absolute authority.
---
4 days until Memorial Day - honor those who sacrificed for our liberty
Re: PHP eval()'d code
On 26.05.2016 at 20:50, RW wrote:

> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>
> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>
> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>
> The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit

header CUST_PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/
score CUST_PHP_EVAL 1.0
describe CUST_PHP_EVAL Looks like from exploited webservers
Re: PHP eval()'d code
On 26.05.2016 at 20:50, RW wrote:

> I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:
>
> X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code
>
> The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.
>
> The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit

looks like worth a rule to add points
PHP eval()'d code
I noticed that Bayes is picking up on very strong tokens from "eval" and "code" in headers like this:

X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code

The "eval()'d code" part is in just over 2% of my spam, but it's never occurred in a single ham in my corpus.

The spams seem to be coming from exploited web-servers, and I'm wondering if it might be a symptom of the exploit.
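Background for the header the thread is matching on: PHP's mail() adds X-PHP-Originating-Script (uid followed by the calling script) when mail.add_x_header is enabled, and "file(line) : eval()'d code" is PHP's pseudo-filename for code executed through eval(). So the token flags mail sent from eval()'d code on a web host, which on a normal site is almost always injected code rather than the site's own mailer; the bare header, on the other hand, is emitted by every legitimate PHP contact form and cron job too, which is what the masscheck numbers for the two rules quoted in the thread reflect. The following is an added example, not code from the thread or from the SpamAssassin project: a Python script that applies both checks discussed in the thread (header present; header value matches the CUST_PHP_EVAL regex) to a constructed spam/ham corpus and reports hit counts, per-corpus percentages and S/O. The messages are made up, and the S/O formula is assumed to be spam_rate / (spam_rate + ham_rate) over per-corpus hit rates, the convention masscheck's hit-frequencies output uses so that unequal corpus sizes do not skew the ratio. One spam sample carries a folded header, which has to be unfolded before the regex runs, as SpamAssassin does for header rules.

```python
"""Score candidate SpamAssassin header rules against a labelled corpus.

Added example, not code from the thread or from SpamAssassin.  It applies
the two header checks discussed in the thread to a small constructed corpus
and reports hits, per-corpus hit rates and S/O, where
S/O = spam_rate / (spam_rate + ham_rate) (assumed to follow hit-frequencies).
"""
import re
from email import message_from_string
from typing import Dict, List, Optional, Tuple

# rule name -> (header to inspect, regex on the unfolded value, or None when
# mere presence of the header is the test)
RULES: Dict[str, Tuple[str, Optional[re.Pattern]]] = {
    "__HAS_PHP_ORIG_SCRIPT": ("X-PHP-Originating-Script", None),
    # Same pattern as the CUST_PHP_EVAL rule posted in the thread.
    "CUST_PHP_EVAL": ("X-PHP-Originating-Script", re.compile(r"eval\(\)'d code")),
}

# Constructed sample messages (not real mail).  PHP's mail() adds
# "X-PHP-Originating-Script: <uid>:<script>" when mail.add_x_header is on;
# "<file>(<line>) : eval()'d code" is how PHP names code run through eval().
SPAM: List[str] = [
    "From: a@example.invalid\nX-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code\nSubject: buy now\n\nbody\n",
    "From: b@example.invalid\nX-PHP-Originating-Script: 33:wp-content/uploads/cache.php(2) : eval()'d code\nSubject: win\n\nbody\n",
    # Folded header: the value continues on an indented line and must be
    # unfolded before matching, as SpamAssassin does for header rules.
    "From: c@example.invalid\nX-PHP-Originating-Script: 48:index.php(12) :\n eval()'d code\nSubject: hi\n\nbody\n",
    "From: d@example.invalid\nX-PHP-Originating-Script: 1001:contact.php\nSubject: cheap\n\nbody\n",
    "From: e@example.invalid\nSubject: no php header at all\n\nbody\n",
]
HAM: List[str] = [
    "From: site@example.invalid\nX-PHP-Originating-Script: 1001:contact.php\nSubject: contact form\n\nbody\n",
    "From: cron@example.invalid\nX-PHP-Originating-Script: 500:cron/digest.php\nSubject: daily digest\n\nbody\n",
    "From: alice@example.invalid\nSubject: lunch?\n\nbody\n",
    "From: bob@example.invalid\nSubject: re: lunch?\n\nbody\n",
]

# RFC 5322 folding: a line break followed by whitespace continues the value.
_FOLD = re.compile(r"\r?\n[ \t]+")


def header_values(raw: str, name: str) -> List[str]:
    """Return every instance of header `name`, unfolded to a single line."""
    msg = message_from_string(raw)
    return [_FOLD.sub(" ", v) for v in (msg.get_all(name) or [])]


def rule_hits(raw: str, header: str, pattern: Optional[re.Pattern]) -> bool:
    """True if the rule fires on this message (existence test when pattern is None)."""
    values = header_values(raw, header)
    if pattern is None:
        return bool(values)
    return any(pattern.search(v) for v in values)


def evaluate(rules, spam: List[str], ham: List[str]) -> Dict[str, Dict[str, float]]:
    """Per rule: raw spam/ham hits, per-corpus hit rates in percent, and S/O."""
    out: Dict[str, Dict[str, float]] = {}
    for name, (header, pattern) in rules.items():
        s = sum(rule_hits(m, header, pattern) for m in spam)
        h = sum(rule_hits(m, header, pattern) for m in ham)
        s_rate, h_rate = s / len(spam), h / len(ham)
        # Per-corpus rates, not raw counts, so a ham corpus ten times larger
        # than the spam corpus does not drown out a rare but clean signal.
        so = s_rate / (s_rate + h_rate) if (s_rate + h_rate) else 0.0
        out[name] = {"spam": s, "ham": h, "spam_pct": 100 * s_rate,
                     "ham_pct": 100 * h_rate, "so": so}
    return out


def report(results: Dict[str, Dict[str, float]]) -> str:
    """Render results in the SPAM% / HAM% / S/O layout of hit-frequencies."""
    lines = [f"{'RULE':<24}{'SPAM%':>8}{'HAM%':>8}{'S/O':>7}   hits(spam/ham)"]
    for name, r in results.items():
        lines.append(f"{name:<24}{r['spam_pct']:>8.2f}{r['ham_pct']:>8.2f}"
                     f"{r['so']:>7.3f}   {int(r['spam'])}/{int(r['ham'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(RULES, SPAM, HAM)))
```

On this toy corpus the existence rule fires on 4 of 5 spam and 2 of 4 ham (S/O about 0.62), while the eval()'d-code rule fires on 3 of 5 spam and no ham (S/O 1.0), the same shape as the thread's masscheck results for __HAS_PHP_ORIG_SCRIPT versus __PHP_ORIG_SCRIPT_EVAL. To use it on real mail, replace the SPAM and HAM lists with messages read from an mbox or maildir and keep the labels honest: one mislabelled contact-form bounce in the spam pile is enough to inflate the S/O of the existence rule.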