Re: New www.medsXX.net spam

2009-06-21 Thread John Hardin
On Sun, 2009-06-21 at 23:21 +0200, mouss wrote:
> John Hardin wrote:
>
> > /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>
> you can replace "meds" by "(meds|shop)" to catch the "www shop95 net"
> variants.

body URI_OBFU_MEDSHOP /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79



Re: New www.medsXX.net spam

2009-06-21 Thread mouss
John Hardin wrote:
> On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
>> On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> body  AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>>> I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
>>> or a feature? :)
>> That depends. If the URIs are always lowercase in the spams, making the
>> RE case-insensitive doesn't help and may hurt.
>>
>>> BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
>>> \d{1,4}.
>> No, it's not. In SA, unbounded matches are hazardous and should be
>> avoided. {0,20} is safer than * and {1,20} is safer than +.
>>
>> This is not a general rule, it only applies where the text being scanned
>> is from an untrusted (and possibly actively hostile) source.
>>
>> Another improvement: add word boundaries at the beginning and end:
>>
>>   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
>>
>> If the parentheses in the original example are actually in the message,
>> including them will help too. Are they actually in the message?
> 
> D'oh, /me checks pastebins from first message...
> 
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
> 
> Try this:
> 
> /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
> 

you can replace "meds" by "(meds|shop)" to catch the "www   shop95  net"
variants.




Re: New www.medsXX.net spam

2009-06-20 Thread John Hardin

On Sat, 20 Jun 2009, Jeremy Morton wrote:

> John Hardin wrote:
>
>> D'oh, /me checks pastebins from first message...
>>
>> Also, body rules match cleaned-up text with runs of spaces collapsed,
>> so you don't need to use + or {1,...}
>>
>> Try this:
>>
>>  /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>
> Actually, I don't know where you get that idea from; as far as I can tell,
> the SA rules are matching the original message text, not text with runs of
> spaces collapsed; so that regex doesn't work for the vast majority of those
> medsXX spams for me.  I had to modify it to this:
>
> /\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)/m
>
> Which matches something like '(www 	meds30 	org)'... whereas your
> suggested one doesn't

Note I said "body rules". I did test the sample message against that rule
before posting it. Are you using that RE in a rawbody rule?

If you want to see for yourself, put a rule like this into your test
framework:

   body ALL_BODY /.+/
   tflags   ALL_BODY multiple

...and run a test message with lots of whitespace through it. You'll see
exactly what body rules are trying to match against.

> (first www has a space AND a tab after it).

*that* I did not specifically test against, 'ang on...

...yep, the RE I posted matches on "(www [tab] meds88   net)" when used in
a body rule.


---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 14 days until the 233rd anniversary of the Declaration of Independence


Re: New www.medsXX.net spam

2009-06-19 Thread Paweł Tęcza
On Fri, 2009-06-19 at 09:45 -0700, John Hardin wrote:
> On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
> > On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> > >
> > > >> body   AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> > >
> > > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> > > or a feature? :)
> > 
> > That depends. If the URIs are always lowercase in the spams, making the
> > RE case-insensitive doesn't help and may hurt.

Hi John,

I could see only lowercase URIs, but I rather prefer case-insensitive
rules. Simply I don't want to get a lot of spam, because the spammer
read that thread and changed only one letter :)

> > > BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> > > \d{1,4}.
> > 
> > No, it's not. In SA, unbounded matches are hazardous and should be
> > avoided. {0,20} is safer than * and {1,20} is safer than +.
> > 
> > This is not a general rule, it only applies where the text being scanned
> > is from an untrusted (and possibly actively hostile) source.
> > 
> > Another improvement: add word boundaries at the beginning and end:
> > 
> >   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

Thanks a lot for your tips! It's the next valuable lesson for me today :)

> > If the parentheses in the original example are actually in the message,
> > including them will help too. Are they actually in the message?

Yes, I can see the parentheses in all the spam messages I received. But
spammers can remove them soon, of course.

> D'oh, /me checks pastebins from first message...
> 
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
> 
> Try this:
> 
> /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

Yes, I noticed it when I was testing my own rule:

[1438] dbg: rules: ran body rule LOCAL_BODY_WWW_MEDSXX_NET ==> got hit: "(www meds88 net)"

My best regards,

Pawel




Re: New www.medsXX.net spam

2009-06-19 Thread John Hardin
On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
> On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> >
> > >> body AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> >
> > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> > or a feature? :)
> 
> That depends. If the URIs are always lowercase in the spams, making the
> RE case-insensitive doesn't help and may hurt.
> 
> > BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> > \d{1,4}.
> 
> No, it's not. In SA, unbounded matches are hazardous and should be
> avoided. {0,20} is safer than * and {1,20} is safer than +.
> 
> This is not a general rule, it only applies where the text being scanned
> is from an untrusted (and possibly actively hostile) source.
> 
> Another improvement: add word boundaries at the beginning and end:
> 
>   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
> 
> If the parentheses in the original example are actually in the message,
> including them will help too. Are they actually in the message?

D'oh, /me checks pastebins from first message...

Also, body rules match cleaned-up text with runs of spaces collapsed, so
you don't need to use + or {1,...}

Try this:

   /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/




Re: New www.medsXX.net spam

2009-06-19 Thread John Hardin
On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
>
> >> body   AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>
> I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> or a feature? :)

That depends. If the URIs are always lowercase in the spams, making the
RE case-insensitive doesn't help and may hurt.

> BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> \d{1,4}.

No, it's not. In SA, unbounded matches are hazardous and should be
avoided. {0,20} is safer than * and {1,20} is safer than +.

This is not a general rule, it only applies where the text being scanned
is from an untrusted (and possibly actively hostile) source.

Another improvement: add word boundaries at the beginning and end:

  /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

If the parentheses in the original example are actually in the message,
including them will help too. Are they actually in the message?

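As an added example (not code from this thread or from SpamAssassin), the script below approximates the two points argued above: that a body rule sees rendered text with whitespace runs collapsed, so the single-`\s` rule hits where a raw-text match would not, and what the bounded `\s{0,10}` / `\b` variant does with padding longer than its bound. The collapsing step is an assumption modelled on the thread's description, the sample lines are constructed, and Python's `re` is used in place of Perl since it treats these particular constructs identically.

```python
import re

# Added example, not code from the thread. Assumption: a SpamAssassin "body"
# rule matches the rendered text with runs of whitespace collapsed to one
# space (as stated in the thread), while the raw text keeps tabs and runs of
# spaces. The REs are the thread's Perl patterns; Python's re handles the
# constructs used here (\s, \b, {m,n}, (?:...)) the same way.

# Rule posted for body rules: one \s between tokens is enough after rendering.
BODY_RE = re.compile(r"\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)")
# Earlier variant: word boundaries and bounded whitespace runs, no * or +.
BOUNDED_RE = re.compile(
    r"\bw{2,4}\s{0,10}(?:meds|shop)\d{1,4}\s{0,10}(?:net|com|org)\b")

# Constructed samples in the style the thread describes: a space plus a tab
# after "www", and a second copy padded with more whitespace than the
# {0,10} bound allows.
SAMPLE_TAB = "Cheap pills: (www \tmeds88   net) order now\n"
SAMPLE_LONG = "Cheap pills: (www" + " " * 12 + "meds88 net) order now\n"


def render_body(raw: str) -> str:
    """Approximate the text a body rule (or 'body ALL_BODY /.+/') sees."""
    return " ".join(raw.split())


def scan(raw: str) -> dict:
    """Return which RE hits the raw text and which hits the rendered text."""
    rendered = render_body(raw)
    return {
        "body_raw": bool(BODY_RE.search(raw)),
        "body_rendered": bool(BODY_RE.search(rendered)),
        "bounded_raw": bool(BOUNDED_RE.search(raw)),
        "bounded_rendered": bool(BOUNDED_RE.search(rendered)),
    }


if __name__ == "__main__":
    for name, sample in (("tab", SAMPLE_TAB), ("long", SAMPLE_LONG)):
        print(name, repr(render_body(sample)), scan(sample))
```

On the tab sample the single-`\s` rule misses the raw text but hits the rendered text, and on the 12-space sample the `{0,10}` bound stops the raw match while the rendered text still hits, which is why the bound costs nothing once whitespace is collapsed.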



Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

2009-06-19 Thread RW
On Fri, 19 Jun 2009 14:19:11 +0100
"Randal, Phil" wrote:


> In this country, at least, "misspelled" belongs in that list of
> misspelt words.

It doesn't, either is fine. It's just that in British English they're
both pronounced as misspelt.   Misspelled is only an Americanism if
it's pronounced the way it's spelled.


Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

2009-06-19 Thread Paweł Tęcza
Randal, Phil wrote:
> Paweł Tęcza wrote:

>> What's the rule for deliberately misspelled words?
>> 
>> My best regards,
>> 
>> Pawel
> 
> In this country, at least, "misspelled" belongs in that list of misspelt 
> words.
> 
> Oh, don't we all love American English?  *grin*

Hi Phil,

It's funny, isn't it? :)

Sorry if it hurt your pure British English ;) My typing was simply
faster than my thinking :D

Have a nice weekend!

P.



Re: New www.medsXX.net spam

2009-06-19 Thread Paweł Tęcza
Benny Pedersen wrote:
> On Fri, June 19, 2009 11:24, Paweł Tęcza wrote:
>> Hello People,
> 
>> http://pastebin.com/m5988eed
> 
> are you sure you want email To: r...@uw.edu.pl from the outside world?
> 
> assume it's the envelope recipient, if not just ignore me :)
> 
> check your aliases in mta

Hello Benny,

r...@uw.edu.pl is only an alias. We have a postmas...@uw.edu.pl alias too,
but they are not the same aliases :)

>> http://pastebin.com/m5835257
> 
> same here: To: mailer-dae...@student.uw.edu.pl. Is mailer-daemon one that
> works locally for you? If not, then it's clearly spam bounces or a
> non-working remote mta

It's the next alias :)

>> http://pastebin.com/m11b07539
> 
> your mta/sa is running on an ipv6 host; ipv6 is not supported very well in
> sa, that's why you get low scores
> 
>> Have a nice day,
> 
> no problem

Thanks a lot for your comments! :)

P.



Re: New www.medsXX.net spam

2009-06-19 Thread Benny Pedersen

On Fri, June 19, 2009 11:24, Paweł Tęcza wrote:
> Hello People,

> http://pastebin.com/m5988eed

are you sure you want email To: r...@uw.edu.pl from the outside world?

assume it's the envelope recipient, if not just ignore me :)

check your aliases in mta

> http://pastebin.com/m5835257

same here: To: mailer-dae...@student.uw.edu.pl. Is mailer-daemon one that
works locally for you? If not, then it's clearly spam bounces or a
non-working remote mta

> http://pastebin.com/m11b07539

your mta/sa is running on an ipv6 host; ipv6 is not supported very well in
sa, that's why you get low scores

> Have a nice day,

no problem

-- 
xpoint