Error 74 with spamc
When executing spamc I do not get output and the exit status is 74 (EX_IOERR: IO error). For example:
$ spamc -L spam 1844399, parsed as 1844399
Oct 22 03:08:20.505 [21322] dbg: channel: current version is 1844399, new version is 1844399, skipping channel
Oct 22 03:08:20.505 [21322] dbg: diag: updates complete, exiting with code 1
Update finished, no fresh updates were available
--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof
Re: Bitcoin spams
On 10/21/2018 3:15 PM, John Hardin wrote:
> I've added some more bitcoin rules.
>
> It seems the masscheck corpus is very thin on the bitcoin extortion
> spams, the rule for that probably won't publish. If anyone wants it to
> put in your local rules just grab it out of my sandbox, or contact me
> directly if it's not obvious how to do that.
>
I've been doing a lot on these with the KAM_CRIM rule sets and testing with some charset zero width stuff in KAM.cf FYI.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Bitcoin spams
I've added some more bitcoin rules.
It seems the masscheck corpus is very thin on the bitcoin extortion spams, the rule for that probably won't publish. If anyone wants it to put in your local rules just grab it out of my sandbox, or contact me directly if it's not obvious how to do that.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If stress is going to kill me, I wish it would hurry up and get it over with.
---
570 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: Bitcoin rules
On 10/21/18 4:38 PM, Henrik K wrote:
> On Sun, Oct 21, 2018 at 04:28:58PM +0200, Axb wrote:
>> On 10/21/18 4:21 PM, Henrik K wrote:
>>> On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:
>>>> On 10/21/18 1:25 PM, Jari Fredriksson wrote:
>>>>> ./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
>>>>
>>>> would be nice to have it write \b to the cf
>>>>
>>>> as in
>>>> body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
>>>> body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
>>>
>>> Pretty sure you can manage to add it in right place :-D
>>>
>>> Didn't bother since FPs would be pretty much impossible and \b is simple to
>>> circumvent with underscores ___16LU6SwUDdL
>>
>> was worried that without the boundary it could hit "rawbody" of malformed
>> ham
>
> Well it's body and not rawbody.. even using that the amount of random bits
> would be like winning 10 jackpots in a row.. :-)
>
> But sure, plugin could be better checks. I'm surprised__there isn't_more
> spam___like_this out_there to break__the million \b's rules use..
15 min later
cat /var/log/maillog | grep BTC_ | wc -l
39
Re: Bitcoin rules
On Sun, Oct 21, 2018 at 04:28:58PM +0200, Axb wrote:
> On 10/21/18 4:21 PM, Henrik K wrote:
> >On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:
> >>On 10/21/18 1:25 PM, Jari Fredriksson wrote:
> >>>./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
> >>
> >>would be nice to have it write \b to the cf
> >>
> >>as in
> >>body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
> >>body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
> >
> >Pretty sure you can manage to add it in right place :-D
> >
> >Didn't bother since FPs would be pretty much impossible and \b is simple to
> >circumvent with underscores ___16LU6SwUDdL
> >
>
> was worried that without the boundary it could hit "rawbody" of malformed
> ham
Well it's body and not rawbody.. even using that the amount of random bits would be like winning 10 jackpots in a row.. :-)
But sure, plugin could be better checks. I'm surprised__there isn't_more spam___like_this out_there to break__the million \b's rules use..
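The trade-off debated in this thread (no boundary, \b, and the underscore padding that defeats \b), as an added example that is not part of any poster's message. The third pattern, which uses alphanumeric lookarounds instead of \b, is an assumption added for comparison, and the sample bodies are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Address taken from the rule quoted in the thread.
my $addr = '16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ';

# Candidate rule patterns. "alnum_la" is a hypothetical alternative that was
# not proposed in the thread: it treats "_" as a separator, unlike \b.
my %rule = (
    bare     => qr/$addr/,
    wordb    => qr/\b$addr\b/,
    alnum_la => qr/(?<![A-Za-z0-9])$addr(?![A-Za-z0-9])/,
);

# Constructed sample bodies (not real mail).
my %body = (
    plain      => "Send the payment to $addr within 48 hours.",
    underscore => "Send the payment to ___${addr}___ within 48 hours.",
    embedded   => "Content blob: QUJD${addr}RUZH0123",
);

# Returns rule name => body name => 1 (hit) or 0 (miss).
sub evaluate {
    my %hit;
    for my $rname (keys %rule) {
        for my $bname (keys %body) {
            $hit{$rname}{$bname} = $body{$bname} =~ $rule{$rname} ? 1 : 0;
        }
    }
    return %hit;
}

my %hit   = evaluate();
my @cols  = qw(plain underscore embedded);
printf "%-10s %-6s %-11s %-8s\n", 'rule', @cols;
for my $rname (qw(bare wordb alnum_la)) {
    printf "%-10s %-6d %-11d %-8d\n", $rname, map { $hit{$rname}{$_} } @cols;
}
```

The \b form misses the underscore-padded body because "_" is a word character, while the lookaround form still hits it and, like \b, does not fire on the address embedded in a longer alphanumeric run.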
Re: Bitcoin rules
On 10/21/18 4:21 PM, Henrik K wrote:
> On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:
>> On 10/21/18 1:25 PM, Jari Fredriksson wrote:
>>> ./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
>>
>> would be nice to have it write \b to the cf
>>
>> as in
>> body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
>> body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
>
> Pretty sure you can manage to add it in right place :-D
>
> Didn't bother since FPs would be pretty much impossible and \b is simple to
> circumvent with underscores ___16LU6SwUDdL
was worried that without the boundary it could hit "rawbody" of malformed ham
Re: Bitcoin rules
On Sun, Oct 21, 2018 at 04:07:40PM +0200, Axb wrote:
> On 10/21/18 1:25 PM, Jari Fredriksson wrote:
> >./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
>
> would be nice to have it write \b to the cf
>
> as in
> body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
> body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
Pretty sure you can manage to add it in right place :-D
Didn't bother since FPs would be pretty much impossible and \b is simple to circumvent with underscores ___16LU6SwUDdL
Re: Bitcoin rules
On 10/21/18 4:07 PM, Axb wrote:
> On 10/21/18 1:25 PM, Jari Fredriksson wrote:
>> ./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
>
> would be nice to have it write \b to the cf
>
> as in
> body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
> body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
print "body BTC_$idshort /\\b$id\\b/$i\n";
Re: Bitcoin rules
On 10/21/18 1:25 PM, Jari Fredriksson wrote:
> ./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
would be nice to have it write \b to the cf
as in
body BTC_16LU6SWU /16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ/
body BTC_16LU6SWU /\b16LU6SwUDdLsAy7XXHSMg7BRbA1kfDoBnZ\b/
Re: Bitcoin rules
> Henrik K wrote on 21.10.2018 at 10.15:
>
> I wonder who's going to be the first to offer public bitcoin DNS blacklist,
> I could make plugin for it. :-)
>
> In the meantime, here's something to try..
>
> ./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
>
> #!/usr/bin/perl -w
>
> use strict;
> use JSON;
> use LWP::UserAgent;
>
> my $url = 'http://www.bitcoinabuse.com/api/reports/distinct';
> my $ua = LWP::UserAgent->new(
>     keep_alive => 1, agent => 'Wget/1.17.1 (linux-gnu)');
> my $json;
> my %ids;
>
> sub parse_rule {
>     my $id = $_[0]->{address};
>     return if $id !~ /^\w{26,35}$/;
>     return if defined $ids{$id};
>     $ids{$id} = 1;
>     my $len = 8;
>     my $idshort = uc(substr($id, 0, $len));
>     while (defined $ids{$idshort}) {
>         $idshort = uc(substr($id, 0, ++$len));
>     }
>     $ids{$idshort} = 1;
>     my $i = $id =~ /^bc1/i ? 'i' : '';
>     print "body BTC_$idshort /$id/$i\n";
>     print "describe BTC_$idshort https://www.bitcoinabuse.com/reports/$id\n";;
>     print "score BTC_$idshort 5\n";
>     print "priority BTC_$idshort 2\n";
> }
>
> for (my $i = 20; $i; $i--) {
>     my $r = $ua->get($url);
>     die $r->status_line unless $r->is_success;
>     eval { $json = decode_json($r->decoded_content); }
>         or die "JSON parse failed: $@\n";
>     die unless $json->{data};
>     parse_rule($_) foreach (@{$json->{data}});
>     last unless $json->{next_page_url};
>     $url = $json->{next_page_url};
>     sleep(1);
> }
>
Thanks, testing!
br. jarif
Bitcoin rules
I wonder who's going to be the first to offer public bitcoin DNS blacklist, I could make plugin for it. :-)
In the meantime, here's something to try..
./btcabuse.pl >btcabuse.cf.tmp && mv -f btcabuse.cf.tmp btcabuse.cf
#!/usr/bin/perl -w

use strict;
use JSON;
use LWP::UserAgent;

my $url = 'http://www.bitcoinabuse.com/api/reports/distinct';
my $ua = LWP::UserAgent->new(
    keep_alive => 1, agent => 'Wget/1.17.1 (linux-gnu)');
my $json;
my %ids;    # addresses and short rule names already emitted

# Print the SpamAssassin rule lines for one reported address
sub parse_rule {
    my $id = $_[0]->{address};
    # Accept only 26-35 word characters, so $id is safe inside the regex
    return if $id !~ /^\w{26,35}$/;
    return if defined $ids{$id};
    $ids{$id} = 1;
    # Rule name: first 8 characters upper-cased, lengthened until unique
    my $len = 8;
    my $idshort = uc(substr($id, 0, $len));
    while (defined $ids{$idshort}) {
        $idshort = uc(substr($id, 0, ++$len));
    }
    $ids{$idshort} = 1;
    # bc1 addresses get a case-insensitive match
    my $i = $id =~ /^bc1/i ? 'i' : '';
    print "body BTC_$idshort /$id/$i\n";
    print "describe BTC_$idshort https://www.bitcoinabuse.com/reports/$id\n";
    print "score BTC_$idshort 5\n";
    print "priority BTC_$idshort 2\n";
}

# Fetch at most 20 pages, following next_page_url, one request per second
for (my $i = 20; $i; $i--) {
    my $r = $ua->get($url);
    die $r->status_line unless $r->is_success;
    eval { $json = decode_json($r->decoded_content); }
        or die "JSON parse failed: $@\n";
    die unless $json->{data};
    parse_rule($_) foreach (@{$json->{data}});
    last unless $json->{next_page_url};
    $url = $json->{next_page_url};
    sleep(1);
}