Re: In subject how to detect a word in an EVAL string?
Thank you Benny, I will use this command next time.

Sergio

By the way your links are very accurate, those are the spammers that sent the email, with my new rule they are

On Tue, Nov 22, 2011 at 3:42 AM, Benny Pedersen wrote:
> On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:
>>> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
>>
>> Not "eval", but encoded -- in this case even necessary, rather than an
>> attempt at obfuscation, because it contains non ASCII letters.
>
> yep it's a base64 encoded string between the last two ?
>
> ?B? is the sign in a mime header for base64
> ?Q? quoted-printable
>
> but use ripmime :-)
>
> and create rules from the output
Re: In subject how to detect a word in an EVAL string?
On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:
>> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
>
> Not "eval", but encoded -- in this case even necessary, rather than an
> attempt at obfuscation, because it contains non ASCII letters.

yep it's a base64 encoded string between the last two ?

?B? is the sign in a mime header for base64
?Q? quoted-printable

but use ripmime :-)

and create rules from the output
Re: In subject how to detect a word in an EVAL string?
Spammers are using a lot of different ways of using the word "publicidad". I had a few different rules to block them, but now I saw that there was a character "¡" used as an "i", and at the same time an "i " followed by a space. So I used the .?. and it catches the "i" and the space, and just in case the spammer tries to use "publi ci dad" it will be caught as well. In my RegEx editor it passes the test.

About the word "publicidad": in my server not many people use that word and that is why I can block it.

Sergio

2011/11/21 Karsten Bräckelmann
> On Mon, 2011-11-21 at 17:49 -0600, Sergio wrote:
>> Thank you Karsten for your input.
>>
>> I have modified the rule to the following and it is working great:
>>
>> header ADVERTISE_RULE8 Subject =~ /publ.?.c.?.dad/i
>
> I see you wildcarded both instances of 'i', with an additional, optional
> second char each. However, you also dropped the space in "publici dad"
> as per your original rule -- intended?
>
> Doesn't "publicidad" have a more general meaning, too?
>
>> If I see there are a lot of false positives I will modify it a bit,
>> but for now it is what I was looking for.
>
> Again, I strongly recommend to lower the score. And, of course to add a
> \b word boundary at the beginning and end of the pattern.
Re: In subject how to detect a word in an EVAL string?
On Mon, 2011-11-21 at 17:49 -0600, Sergio wrote:
> Thank you Karsten for your input.
>
> I have modified the rule to the following and it is working great:
>
> header ADVERTISE_RULE8 Subject =~ /publ.?.c.?.dad/i

I see you wildcarded both instances of 'i', with an additional, optional
second char each. However, you also dropped the space in "publici dad"
as per your original rule -- intended?

Doesn't "publicidad" have a more general meaning, too?

> If I see there are a lot of false positives I will modify it a bit,
> but for now it is what I was looking for.

Again, I strongly recommend to lower the score. And, of course to add a
\b word boundary at the beginning and end of the pattern.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: In subject how to detect a word in an EVAL string?
Thank you Karsten for your input.

I have modified the rule to the following and it is working great:

header ADVERTISE_RULE8 Subject =~ /publ.?.c.?.dad/i
describe ADVERTISE_RULE8 Encripted word
score ADVERTISE_RULE8 11

If I see there are a lot of false positives I will modify it a bit, but for now it is what I was looking for.

Regards,
Sergio

2011/11/21 Karsten Bräckelmann
> On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
>> I block a lot of spam searching for strings on the subject, but
>> sometimes the subject in the header comes in EVAL, like this:
>> Subject:
>> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
>
> Not "eval", but encoded -- in this case even necessary, rather than an
> attempt at obfuscation, because it contains non ASCII letters.
>
> Anyway, SA *does* decode the header value by default, unless you use
> the :raw qualifier.
>
>> So, rules like this don't work:
>> header ADVERTISE_RULE8 Subject =~ /Publici dad/i
>
> It doesn't work, because one of these chars is not an 'i'. The Subject
> decodes to:
> .Venta de CANASTAS NAVIDE_AS - publ_ci dad
>
> This is actually directly extracted from SA debugging, and thus decoded
> by SA. Note the underscores, which I used in place of the two non-ASCII
> chars.
>
> Your rule does not match, because the first 'i' is not. Using the /./
> "any char" instead of it works.
>
>> score ADVERTISE_RULE8 11
>
> That's a rather high score. And your RE sure could use some /\b/ word
> boundaries at the beginning and end of the match.
Re: In subject how to detect a word in an EVAL string?
On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
> I block a lot of spam searching for strings on the subject, but
> sometimes the subject in the header comes in EVAL, like this:
> Subject:
> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=

Not "eval", but encoded -- in this case even necessary, rather than an
attempt at obfuscation, because it contains non ASCII letters.

Anyway, SA *does* decode the header value by default, unless you use
the :raw qualifier.

> So, rules like this don't work:
> header ADVERTISE_RULE8 Subject =~ /Publici dad/i

It doesn't work, because one of these chars is not an 'i'. The Subject
decodes to:
.Venta de CANASTAS NAVIDE_AS - publ_ci dad

This is actually directly extracted from SA debugging, and thus decoded
by SA. Note the underscores, which I used in place of the two non-ASCII
chars.

Your rule does not match, because the first 'i' is not. Using the /./
"any char" instead of it works.

> score ADVERTISE_RULE8 11

That's a rather high score. And your RE sure could use some /\b/ word
boundaries at the beginning and end of the match.
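To make the decoding point and the \b advice concrete, here is an added example (not code from the thread or from SpamAssassin) that decodes the Subject header quoted above the way SA does before matching, then runs the rules discussed in the thread against it: the original /Publici dad/ rule, the wildcarded rule, the same rule as it would behave under the :raw qualifier, and the \b-bounded version against a constructed ham subject. The helper names and the "publicidades" subject are my own.

```python
import re
from email.header import decode_header

# The raw Subject header quoted in the thread: one RFC 2047 "encoded word",
# base64 ("?B?") in iso-8859-1. Taken from the page, not constructed.
RAW_SUBJECT = "=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?="


def decode_rfc2047(raw_value):
    """Decode every =?charset?B|Q?...?= word in a header value, which is what
    SpamAssassin does before matching a 'header' rule unless :raw is used."""
    text = []
    for chunk, charset in decode_header(raw_value):
        if isinstance(chunk, bytes):
            # errors="replace" keeps the value matchable even on a bogus charset
            chunk = chunk.decode(charset or "ascii", errors="replace")
        text.append(chunk)
    return "".join(text)


def header_rule_matches(raw_value, perl_re, raw=False):
    """Emulate 'header RULE Subject =~ /perl_re/i'. raw=True emulates the
    Subject:raw qualifier, i.e. the regex runs on the undecoded value."""
    value = raw_value if raw else decode_rfc2047(raw_value)
    return re.search(perl_re, value, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(decode_rfc2047(RAW_SUBJECT))
    # The original rule fails: the first 'i' of "publ¡ci dad" is an inverted
    # exclamation mark (0xA1 in iso-8859-1), not an ASCII 'i'.
    print(header_rule_matches(RAW_SUBJECT, r"Publici dad"))               # False
    # The wildcarded rule from the thread matches the decoded subject...
    print(header_rule_matches(RAW_SUBJECT, r"publ.?.c.?.dad"))            # True
    # ...but not the raw base64 text, which is why :raw would break it.
    print(header_rule_matches(RAW_SUBJECT, r"publ.?.c.?.dad", raw=True))  # False
    # Word boundaries stop the rule firing inside a longer word such as
    # "publicidades" (constructed ham subject).
    HAM = "Re: publicidades navideñas"
    print(header_rule_matches(HAM, r"publ.?.c.?.dad"))                    # True
    print(header_rule_matches(HAM, r"\bpubl.?.c.?.dad\b"))                # False
```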
Re: In subject how to detect a word in an EVAL string?
That's an excellent question. My systems receive this as well.

-----Original Message-----
From: Sergio
Date: Mon, 21 Nov 2011 14:46:35
To:
Subject: In subject how to detect a word in an EVAL string?

I block a lot of spam searching for strings on the subject, but sometimes the subject in the header comes in EVAL, like this:

Subject: =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=

So, rules like this don't work:

header ADVERTISE_RULE8 Subject =~ /Publici dad/i
describe ADVERTISE_RULE8 Encripted word
score ADVERTISE_RULE8 11

Here is a copy of the full header:

Received: from 50.22.109.145-static.reverse.softlayer.com ([50.22.109.145] helo=fievel.principalesperu.biz)
	by x with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from )
	id 1RSZBF-0001v0-FF for x; Mon, 21 Nov 2011 13:05:25 -0600
Received: from [190.81.230.105] (helo=microsof-c7b2c4)
	by fievel.principalesperu.biz with esmtpa (Exim 4.69) (envelope-from )
	id 1RSZAv-0007RN-GC; Mon, 21 Nov 2011 13:05:14 -0600
Message-ID:
Reply-To: =?iso-8859-1?B?Q0FOQVNUQVMgTkFWSURF0UFTXw==?= <canastasvirtual...@terra.com.pe>
From: =?iso-8859-1?B?Q0FOQVNUQVMgTkFWSURF0UFTXw==?=
To:
Subject: =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
Date: Mon, 21 Nov 2011 14:04:43 -0500
MIME-Version: 1.0
Content-Type: multipart/related; Type="multipart/alternative"; boundary="=_NextPart_000_0550_01CCA856.84E55E60"

Is there a way to decode the subject and find the word that I need to score?

Regards,
Sergio Cabrera