Re: New www.medsXX.net spam
On Sun, 2009-06-21 at 23:21 +0200, mouss wrote:
> John Hardin wrote:
> >
> > /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>
> you can replace "meds" by "(meds|shop)" to catch the "www shop95 net"
> variants.

body URI_OBFU_MEDSHOP /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: New www.medsXX.net spam
John Hardin wrote:
> On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
>> On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
>>>> body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>>>
>>> I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
>>> or a feature? :)
>>
>> That depends. If the URIs are always lowercase in the spams, making the
>> RE case-insensitive doesn't help and may hurt.
>>
>>> BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
>>> \d{1,4}.
>>
>> No, it's not. In SA, unbounded matches are hazardous and should be
>> avoided. {0,20} is safer than * and {1,20} is safer than +.
>>
>> This is not a general rule, it only applies where the text being scanned
>> is from an untrusted (and possibly actively hostile) source.
>>
>> Another improvement: add word boundaries at the beginning and end:
>>
>> /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
>>
>> If the parentheses in the original example are actually in the message,
>> including them will help too. Are they actually in the message?
>
> D'oh, /me checks pastebins from first message...
>
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
>
> Try this:
>
> /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

you can replace "meds" by "(meds|shop)" to catch the "www shop95 net"
variants.
Re: New www.medsXX.net spam
On Sat, 20 Jun 2009, Jeremy Morton wrote:

> John Hardin wrote:
>> D'oh, /me checks pastebins from first message...
>>
>> Also, body rules match cleaned-up text with runs of spaces collapsed, so
>> you don't need to use + or {1,...}
>>
>> Try this:
>>
>> /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>
> Actually, I don't know where you get that idea from; as far as I can
> tell, the SA rules are matching the original message text, not text with
> runs of spaces collapsed; so that regex doesn't work for the vast
> majority of those medsXX spams for me. I had to modify it to this:
>
> /\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)/m
>
> Which matches something like '(www meds30 org)'... whereas your
> suggested one doesn't

Note I said "body rules". I did test the sample message against that rule
before posting it. Are you using that RE in a rawbody rule?

If you want to see for yourself, put a rule like this into your test
framework:

  body ALL_BODY /.+/
  tflags ALL_BODY multiple

...and run a test message with lots of whitespace through it. You'll see
exactly what body rules are trying to match against.

> (first www has a space AND a tab after it).

*that* I did not specifically test against, 'ang on...

...yep, the RE I posted matches on "(www [tab] meds88 net)" when used in a
body rule.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Liberals love sex ed because it teaches kids to be safe around their
sex organs. Conservatives love gun education because it teaches kids
to be safe around guns. However, both believe that the other's
education goals lead to dangers too terrible to contemplate.
---
14 days until the 233rd anniversary of the Declaration of Independence
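As an added example (not the thread's or SpamAssassin's own code), the Python below models the body-versus-rawbody difference John and Jeremy argue about above and exercises the URI_OBFU_MEDSHOP rule posted at the top of the thread. The whitespace-collapsing render_body() is an assumption standing in for SpamAssassin's body rendering, and the sample message is constructed; the quantifier counter is a simple lint for the "* and + are hazardous on hostile input" advice.

```python
import re

# Assumption standing in for SpamAssassin's body rendering: runs of
# whitespace (spaces, tabs, newlines) collapse to one space before a
# "body" rule is applied. "rawbody" rules would see the original text.
def render_body(raw: str) -> str:
    """Approximate the text a SpamAssassin body rule is matched against."""
    return re.sub(r"\s+", " ", raw).strip()

# URI_OBFU_MEDSHOP as posted in the thread: single \s, bounded counts only.
BODY_RULE = re.compile(r"\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)")
# The variant written for raw text, using unbounded \s* and \s+.
RAW_RULE = re.compile(r"\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)", re.M)

# Constructed sample body (not taken from the pastebins in the thread):
# space+tab after the first www, then a plain form, then a newline-split one.
SAMPLE = (
    "Cheap pills here (www \t meds88 net)\n"
    "and (www shop95 com) or (www\n\nmeds30 org)"
)

def hits(rule: re.Pattern, text: str) -> list[str]:
    """All obfuscated-URI fragments the rule would flag in text."""
    return rule.findall(text)

def unbounded_quantifiers(pattern: str) -> int:
    """Count bare * and + (not escaped); {m,n} ranges are not counted."""
    return len(re.findall(r"(?<!\\)[*+]", pattern))

if __name__ == "__main__":
    # Against the raw text only the plain form matches; after rendering
    # all three do, which is what a body rule actually sees.
    print("raw     :", hits(BODY_RULE, SAMPLE))
    print("rendered:", hits(BODY_RULE, render_body(SAMPLE)))
    print("unbounded in BODY_RULE:", unbounded_quantifiers(BODY_RULE.pattern))
    print("unbounded in RAW_RULE :", unbounded_quantifiers(RAW_RULE.pattern))
```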
Re: New www.medsXX.net spam
On Fri, 2009-06-19 at 09:45 -0700, John Hardin wrote:
> On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
> > On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> > > > body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> > >
> > > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> > > or a feature? :)
> >
> > That depends. If the URIs are always lowercase in the spams, making the
> > RE case-insensitive doesn't help and may hurt.

Hi John,

I could see only lowercase URIs, but I rather prefer case-insensitive
rules. I simply don't want to get a lot of spam because the spammer read
that thread and changed only one letter :)

> > > BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> > > \d{1,4}.
> >
> > No, it's not. In SA, unbounded matches are hazardous and should be
> > avoided. {0,20} is safer than * and {1,20} is safer than +.
> >
> > This is not a general rule, it only applies where the text being scanned
> > is from an untrusted (and possibly actively hostile) source.
> >
> > Another improvement: add word boundaries at the beginning and end:
> >
> > /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

Thanks a lot for your tips! It's the next valuable lesson for me today :)

> > If the parentheses in the original example are actually in the message,
> > including them will help too. Are they actually in the message?

Yes, I can see the parentheses in all the spam messages I received. But
spammers can remove them soon, of course.

> D'oh, /me checks pastebins from first message...
>
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
>
> Try this:
>
> /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

Yes, I noticed it when I was testing my own rule:

[1438] dbg: rules: ran body rule LOCAL_BODY_WWW_MEDSXX_NET ==> got hit: "(www meds88 net)"

My best regards,

Pawel
Re: New www.medsXX.net spam
On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
> On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> > > body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> >
> > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> > or a feature? :)
>
> That depends. If the URIs are always lowercase in the spams, making the
> RE case-insensitive doesn't help and may hurt.
>
> > BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> > \d{1,4}.
>
> No, it's not. In SA, unbounded matches are hazardous and should be
> avoided. {0,20} is safer than * and {1,20} is safer than +.
>
> This is not a general rule, it only applies where the text being scanned
> is from an untrusted (and possibly actively hostile) source.
>
> Another improvement: add word boundaries at the beginning and end:
>
> /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
>
> If the parentheses in the original example are actually in the message,
> including them will help too. Are they actually in the message?

D'oh, /me checks pastebins from first message...

Also, body rules match cleaned-up text with runs of spaces collapsed, so
you don't need to use + or {1,...}

Try this:

/\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: New www.medsXX.net spam
On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> > body AE_MEDS35 /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>
> I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> or a feature? :)

That depends. If the URIs are always lowercase in the spams, making the
RE case-insensitive doesn't help and may hurt.

> BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> \d{1,4}.

No, it's not. In SA, unbounded matches are hazardous and should be
avoided. {0,20} is safer than * and {1,20} is safer than +.

This is not a general rule, it only applies where the text being scanned
is from an untrusted (and possibly actively hostile) source.

Another improvement: add word boundaries at the beginning and end:

/\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

If the parentheses in the original example are actually in the message,
including them will help too. Are they actually in the message?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam
On Fri, 19 Jun 2009 14:19:11 +0100 "Randal, Phil" wrote:
> In this country, at least, "misspelled" belongs in that list of
> misspelt words.

It doesn't; either is fine. It's just that in British English they're both
pronounced as misspelt. Misspelled is only an Americanism if it's
pronounced the way it's spelled.
Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam
Randal, Phil wrote:
> Paweł Tęcza wrote:
>> What's the rule for deliberately misspelled words?
>>
>> My best regards,
>>
>> Pawel
>
> In this country, at least, "misspelled" belongs in that list of misspelt
> words.
>
> Oh, don't we all love American English? *grin*

Hi Phil,

It's funny, isn't it? :) Sorry if it was hurting your pure British
English ;) Simply my typing was faster than my thinking :D

Have a nice weekend!

P.
Re: New www.medsXX.net spam
Benny Pedersen wrote:
> On Fri, June 19, 2009 11:24, Paweł Tęcza wrote:
>> Hello People,
>
>> http://pastebin.com/m5988eed
>
> are you sure you want email To: r...@uw.edu.pl from outside world ?
>
> assume it's the envelope recipient, if not just ignore me :)
>
> check your aliases in mta

Hello Benny,

r...@uw.edu.pl is only an alias. We have the postmas...@uw.edu.pl alias
too, but they are not the same aliases :)

>> http://pastebin.com/m5835257
>
> same here To: mailer-dae...@student.uw.edu.pl is mailer-daemon one that
> works local to you ?, if no then its clearly spam bounces or non working
> remote mta

It's another alias :)

>> http://pastebin.com/m11b07539
>
> your mta/sa is running on ipv6 host, ipv6 is not supported very well in
> sa, that's why you get low scores
>
>> Have a nice day,
>
> no problem

Thanks a lot for your comments! :)

P.
Re: New www.medsXX.net spam
On Fri, June 19, 2009 11:24, Paweł Tęcza wrote:
> Hello People,

> http://pastebin.com/m5988eed

are you sure you want email To: r...@uw.edu.pl from outside world ?

assume it's the envelope recipient, if not just ignore me :)

check your aliases in mta

> http://pastebin.com/m5835257

same here To: mailer-dae...@student.uw.edu.pl is mailer-daemon one that
works local to you ?, if no then its clearly spam bounces or non working
remote mta

> http://pastebin.com/m11b07539

your mta/sa is running on ipv6 host, ipv6 is not supported very well in
sa, that's why you get low scores

> Have a nice day,

no problem

--
xpoint