If you have to post a spam sample, please use pastebin and post the full message.
On 06/06/2014 11:32 PM, Philip Prindeville wrote:
We’re getting a lot of spam that contains URLs which look like (remove the ####): http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
Some observations… The URLs should be fairly easy to filter against via a regex. Anyone have some working rules they could share?
Please note that any rule shared via lists usually loses its teeth within a few hours .-)
The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18. Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?
Yes, there is: run a local A record blacklist with rbldnsd (65.181.64.0/18) and a rule like, for example:

  uridnssub YOUR_A_URIBL yourabl.example.net. A 127.0.0.2
  body      YOUR_A_URIBL eval:check_uridnsbl('YOUR_A_URIBL')
  describe  YOUR_A_URIBL URL domain A rec listed by YOUR_A_URIBL
  score     YOUR_A_URIBL 5.0
  tflags    YOUR_A_URIBL net a
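Added example, not from the thread and not SpamAssassin's own code: a stand-alone Python script that does what the quoted message asks for, and what the `tflags a` rule above makes SpamAssassin do, namely pull the host out of each http(s) URL in a message body, resolve its A records, and report any host whose address falls inside 65.181.64.0/18. The CIDR is the one named in the thread; the hostnames, addresses and message body in the fixture are constructed for this example, and the fake resolver exists only so the script runs offline. IP-literal URLs are checked directly (no DNS needed), hosts that fail to resolve are skipped rather than treated as hits, and a round-robin host is flagged if any of its addresses is in the block.

```python
"""Flag URLs whose host resolves into a blocked CIDR block (added example)."""
import ipaddress
import re
import socket
from urllib.parse import urlparse

# The /18 is the block named in the thread; anything else added here is an assumption.
BLOCKED_NETS = [ipaddress.ip_network("65.181.64.0/18")]

# Rough URL matcher for plain-text bodies; not a full RFC 3986 parser.
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)


def extract_hosts(body):
    """Return the set of lower-cased hosts from http(s) URLs in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname  # drops scheme, userinfo, port and path
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def resolve_ipv4(host):
    """Default resolver: A records via the system resolver; empty set on failure."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def addresses_for(host, resolver=resolve_ipv4):
    """IP literals are checked as-is (spammers often skip DNS); names are resolved."""
    try:
        return {str(ipaddress.ip_address(host.strip("[]")))}
    except ValueError:
        return resolver(host)


def hosts_in_blocked_nets(body, nets=BLOCKED_NETS, resolver=resolve_ipv4):
    """Map each host in `body` that lands in a blocked net to its offending IPv4s."""
    hits = {}
    for host in sorted(extract_hosts(body)):
        bad = []
        for addr in addresses_for(host, resolver):
            ip = ipaddress.ip_address(addr)
            if ip.version == 4 and any(ip in net for net in nets):
                bad.append(addr)
        if bad:
            hits[host] = sorted(bad)
    return hits


# Constructed fixture: hostnames and answers are made up for this example.
FAKE_DNS = {
    "spam-host.example": {"65.181.70.12"},                     # inside the /18
    "legit-host.example": {"93.184.216.34"},                   # outside
    "mixed-host.example": {"65.181.127.255", "203.0.113.9"},   # last address of the /18 plus one outside
    "edge-host.example": {"65.181.128.1"},                     # first address past the /18
    # "nxdomain-host.example" is deliberately absent: resolution failure
}


def fake_resolver(host):
    """Offline stand-in for resolve_ipv4()."""
    return FAKE_DNS.get(host, set())


# Constructed sample body, not a real spam sample.
SAMPLE_BODY = """Hi,
see http://spam-host.example/20220362/abc_def~ghi and
https://LEGIT-host.example:8443/path?x=1 plus http://mixed-host.example/x
also http://65.181.65.1/ip-literal and http://edge-host.example/ and
http://nxdomain-host.example/ (does not resolve).
"""


def demo():
    """Run the check over the constructed body with the offline resolver."""
    return hosts_in_blocked_nets(SAMPLE_BODY, resolver=fake_resolver)


if __name__ == "__main__":
    for host, ips in demo().items():
        print(f"{host}: {', '.join(ips)}")
```

Drop the `resolver=` argument to use the system resolver against a real message body; note that, exactly like the SpamAssassin rule, this only catches hosts that resolve into the block at scan time, so a spammer who moves the host to another provider walks straight past it.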