>For example:
>http://www.sender.com/0x9A3F0800CEBF9E37 will PASS but
>http://0x9A3F0800CEBF9E37/subpage/page will FAIL
If only it were sooooo.... simple!
This is the regular expression used:
(?:
(?:(?i:[\=\%][46]8|\&\#(?:0?72|104)\;?|h)
(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)
|(?i:[\=\%][46]6|\&\#(?:0?70|102)\;?|f))
(?i:[\=\%][57]4|\&\#(?:0?84|116)\;?|t)
(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)
(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?
|
(?:
(?i:[\=\%][57]0|\&\#(?:0?80|112)\;?|p)
(?i:[\=\%][57]5|\&\#(?:0?85|117)\;?|u)
(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r)
(?i:[\=\%][57]2|\&\#(?:0?82|114)\;?|r)
(?i:[\=\%][57]3|\&\#(?:0?83|115)\;?|s)?
)
)
(?:[\=\%]3[aA]|\&\#0?58\;?|\:)
(?:[\=\%]2[fF]|\&\#0?47\;?|\/){2}
(?:[^\@]*?(?:\@|[=%]40|\&\#0?64\;?))?
(?:(?:(?:=|\%|(?:0|\&\#)[xX])[0-9a-fA-F]+|(?:\&\#|\\)?\d+);?)
(?:(?:[\=\%]2[eE]|\&\#0?46\;?|\.)
|
(?:[\=\%]3[aA]|\&\#0?58\;?|\:){1,2})?)+[^\.\w\@]
I think I found the reason for the match - and the next release will try
to fix this.
BUT for me, this URI looks very obfuscated - why?
1. it uses an unknown protocol parameter in a GET value (s=): gusqr://
2. it uses an unknown hostname there: qkvr.hnpfmd.dnn
3. in t= it uses: 2@031-040 - a username followed by an @ and an octal
number range
For me this looks like: "if you have my trojan available - nice, I'll
start it now"
This gives me the idea to make this check much more restrictive in
future. So you'll have the problem again in some time.
Thomas
From: K Post <nntp.p...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 23.12.2016 16:16
Subject: [Assp-test] URIBL: fail, very strong obfuscated IP found in URI
In reviewing our block reports, I'm seeing a handful of legitimate mail
being rejected due to:
URIBL: fail, very strong obfuscated IP found in URI
I don't know enough about this technique to know for sure, but these
messages all seem to have URLs in them with tracking codes (I assume)
built in and I think that's what's triggering the erroneous catch. For
example:
http://etrack.thesender.com/t/ccbbaLT6QADKsHAuHEfaBFQA1CHQK42aaaa?t=2@031-040&f=esdfcpmgdseobebbbm_jx.Zocinscem.dnn&k=C2w&w=&s=gusqr://qkvr.hnpfmd.dnn/+esdccpmgdseerobfbbkm/opr1r
thesender.com (example here) is the domain of a good company that the
recipient does business with and the email is legitimate.
I just disabled URIBLNoObfuscated to stop this problem, but we would like
to disable obfuscated hostnames or IPs.
I don't know if this is a good idea, but could the detection code be
tweaked to ignore "very strong" obfuscation unless it's in the hostname
part of a URL? For example:
http://www.sender.com/0x9A3F0800CEBF9E37 will PASS but
http://0x9A3F0800CEBF9E37/subpage/page will FAIL
As always, thanks.
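As an added example (not code from ASSP or from anyone in this thread), here is a Python check along the lines K Post suggests: decide whether the obfuscated token is the URL's authority (host) or only sits in the path or query as a tracking code. The token shapes, thresholds and the verdict names are my assumptions, not ASSP's; the sample URLs are the ones quoted above.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Assumed token shapes (not ASSP's regex): a host label written as hex or as a
# bare integer, e.g. 0x9A3F0800CEBF9E37, 3232235777, 0300.0250.01.01, 0xC0.0xA8.1.1
NUMERIC_LABEL = re.compile(r'^(?:0x[0-9a-f]+|\d+)$', re.I)
# A plain dotted-quad is an IP literal, not an obfuscated one.
DOTTED_QUAD = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
# The same shapes standing alone inside a path or query (tracking codes look like this).
NUMERIC_TOKEN = re.compile(r'(?<![\w.])(?:0x[0-9a-f]+|0[0-7]+|\d{4,})(?![\w.])', re.I)
# A nested scheme://... inside a query value, as in the s=gusqr://... parameter.
NESTED_URL = re.compile(r'[a-z][a-z0-9+.-]*://[^\s&"<>]+', re.I)

def is_obfuscated_host(host):
    """True when every label of the host is numeric but it is not a dotted-quad."""
    if not host or DOTTED_QUAD.match(host):
        return False
    return all(NUMERIC_LABEL.match(label) for label in host.split('.'))

def classify(url):
    """'host'  -> obfuscated IP is the authority part: FAIL the URI
       'path'  -> numeric tokens only in path/query (tracking codes): PASS
       'clean' -> nothing numeric anywhere"""
    verdict = 'clean'
    # Check the raw form and the entity/percent-decoded form: decoding first
    # would let an encoded '/' or '@' move the authority boundary.
    for candidate in (url, unquote(html.unescape(url))):
        try:
            parts = urlsplit(candidate)
        except ValueError:        # e.g. malformed IPv6 bracket; nothing to classify
            continue
        if is_obfuscated_host(parts.hostname):
            return 'host'
        # A URL nested in a query value gets the same strict host check.
        for nested in NESTED_URL.findall(parts.query):
            if classify(nested) == 'host':
                return 'host'
        if NUMERIC_TOKEN.search(parts.path + '?' + parts.query):
            verdict = 'path'
    return verdict

# Constructed inputs: the two URLs from K Post's message and the tracking link.
TRACKING = ('http://etrack.thesender.com/t/ccbbaLT6QADKsHAuHEfaBFQA1CHQK42aaaa'
            '?t=2@031-040&f=esdfcpmgdseobebbbm_jx.Zocinscem.dnn&k=C2w&w='
            '&s=gusqr://qkvr.hnpfmd.dnn/+esdccpmgdseerobfbbkm/opr1r')

if __name__ == '__main__':
    for u in ('http://www.sender.com/0x9A3F0800CEBF9E37',
              'http://0x9A3F0800CEBF9E37/subpage/page', TRACKING):
        print(classify(u), u)
```

The tracking link comes out as 'path' (the octal-looking 031 in t=), so a policy that only fails on 'host' would let it through while still rejecting the hex-host form.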
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test