Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-05 Thread Michelle Konzack
Good morning *,

On 2009-08-04 13:51:24, Jason L Tibbitts III wrote:
> > "DS" == Dan Schaefer  writes:
> 
> DS> I'm glad to see this SPAM traffic has come to a halt. At least on my
> DS> mail server...
> 
> Yes, I haven't seen any of those spams since the morning of the 31st.
> My servers were rejecting them like mad right up until that point in
> time (10:30CDT), and then nothing.

I have seen exactly the same. I was hit by more than 200,000 spams per
day of this kind and had a relatively high CPU load (>4) on my five
"Sun Fire X4100M2" servers, and it was more or less gone from one hour to
the next...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator

Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886    Tel. FR: +33 6 61925193




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-05 Thread Jason L Tibbitts III
> "DS" == Dan Schaefer  writes:

DS> I'm glad to see this SPAM traffic has come to a halt. At least on my
DS> mail server...

Yes, I haven't seen any of those spams since the morning of the 31st.
My servers were rejecting them like mad right up until that point in
time (10:30CDT), and then nothing.

 - J<


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-04 Thread Michelle Konzack
Hi Dan and *,

On 2009-08-04 14:37:46, Dan Schaefer wrote:
> I'm glad to see this SPAM traffic has come to a halt. At least on my  
> mail server...

They have seen, the out spamassassin is working very efficiently. I get
only one or two spams per day... which are caught by SA of course.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-08-04 Thread Dan Schaefer
I'm glad to see this SPAM traffic has come to a halt. At least on my 
mail server...


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Kevin Parris
(apologies for top posting, but the email software here does not really do 
quoting in a way that works out well otherwise)

If your mail contains SpamAssassin headers then it was (obviously) processed 
through SpamAssassin.  Just because you have BL checks in your MTA does not 
necessarily mean that all spam items will be blocked at that level.  Lots of 
spam can pass some BL checks and then be scored high as the result of other 
things.

My comments were not meant to say that BL checks stop spam.  I was responding 
specifically to your inquiry about a rule being 'overlooked' if there happened 
to be a message it would hit that also had something in it that would hit a 
blacklist too.  I think you're reading too much complexity into things.  Or 
maybe not enough.

The basic idea is something like this:

 a) You have some stuff specified for Postfix to do, it starts doing those 
things, and if it gets through them (without deciding to reject the message) to 
the point where you specify a call to SA, then it passes the item to SA for 
scoring.

 b)  SA applies the rules (which usually include querying various blacklists 
based on things found within the message) and tallies up the score, then it 
gives the results to whatever asked it to analyze the message.

 c)  Then whatever that was (in your case, Postfix) looks at the results and 
decides what to do next, based on what you specified for it.

SpamAssassin does not block mail.  SpamAssassin analyzes a message and assigns 
a score.   Mail handlers reject/quarantine/discard/deliver mail.  SpamAssassin 
is not a mail handler.

If you don't understand the effects of entries in your Postfix configuration, 
you probably will get better assistance in a Postfix-specific forum.

>>> Dan Schaefer  07/23/09 10:22 AM >>>

> It means that if you were using BL at MTA level your SA might never have seen 
> the message at all.
>
> No your rule would not be "overlooked" 'because the site is in a blacklist' 
> *unless* you were using the BL in your MTA and rejected the transaction from 
> a blacklisted IP address and, thus, never submitted it to SA at all.
>
>   
If this is the case, then why does my email have the X-* headers in it? I have 
nothing in my postfix header_checks to discard the BL rules. Does anyone have a 
detailed flow chart of SA/postfix setup and describes blacklisting? Or even a 
webpage describing the process?




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread John Hardin

On Thu, 23 Jul 2009, Dan Schaefer wrote:

> > > > Are you quite sure that an upstream copy of SA, e.g. in your ISP 
> > > > or at a sender site that scans for outgoing spam, hasn't already 
> > > > added X-* headers to the message?
> > > 
> > > No. Is that even possible to track down?
> > 
> > There would probably be an X-Spam-Checker-Version header in your
> > inbound mail stream.
> 
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on 
> pony.performanceadmin.com
> 
> That is my server.


You'd have to check for that _before_ your local SA got a crack at the 
message. Whether you can grab a copy of mail before SA depends on your 
glue.


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 12 days since a sunspot last seen - EPA blames CO2 emissions


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Martin Gregorie
On Thu, 2009-07-23 at 12:25 -0400, Dan Schaefer wrote:
> > Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
> > sender site that scans for outgoing spam, hasn't already added X-*
> > headers to the message?
> >
> >
> > Martin
> >
> >   
> No. Is that even possible to track down?
> 
Sure - look at any incoming message's headers to see if there are any
that didn't come from your copy of SA. Each set has an
X-Spam-Checker-Version header that gives the name of the SA host that
added that header set. If that's a possibility, just make sure your
filter ignores header sets that aren't yours. AFAIK your SA header set
is always the first in the message headers.


Martin
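An added example (not Martin's or the list's code) of the check described above: it splits a constructed message's X-Spam-* headers into sets, one per X-Spam-Checker-Version header, reads the host from that header's "on <host>" suffix, and reports the sets that a local SA on pony.performanceadmin.com (the host named in this thread) did not add. That each set opens with the Checker-Version header, and the upstream scanner's host name, are assumptions of the example.

```python
import email
import re

# SpamAssassin writes "SpamAssassin <version> (<date>) on <hostname>", often
# folded onto a second line as in the thread; \s+ absorbs the fold.
_CHECKER = re.compile(r"\bon\s+(\S+)\s*$")

# Constructed sample: the local host from the thread, plus an upstream scanner
# (placeholder name) that tagged the message before it arrived.
SAMPLE = """\
Received: from mx.example.invalid by pony.performanceadmin.com; Thu, 23 Jul 2009
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
\tpony.performanceadmin.com
X-Spam-Level: **
X-Spam-Status: No, score=2.1 required=5.0 tests=URIBL_WS_SURBL autolearn=no
Received: from sender.example.invalid by mx.example.invalid; Thu, 23 Jul 2009
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on scanner.example.invalid
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.4 required=5.0 tests=URIBL_JP_SURBL autolearn=no
Subject: test

body
"""


def header_sets(raw: str) -> list:
    """Group the X-Spam-* headers into sets, one per X-Spam-Checker-Version.

    Assumption of this example: the Checker-Version header opens each set and
    the other X-Spam-* headers of that set follow it in header order.
    """
    msg = email.message_from_string(raw)   # compat32: values keep the fold as-is
    sets = []
    for name, value in msg.items():        # items() preserves header order
        lname = name.lower()
        if lname == "x-spam-checker-version":
            m = _CHECKER.search(value)
            sets.append({"host": m.group(1) if m else "?", "headers": {}})
        elif lname.startswith("x-spam-") and sets:
            sets[-1]["headers"][lname] = value
    return sets


def foreign_sets(raw: str, local_host: str) -> list:
    """Hosts of header sets our own SA did not add; a filter should skip these."""
    return [s["host"] for s in header_sets(raw) if s["host"] != local_host]


def local_set_is_first(raw: str, local_host: str) -> bool:
    """Check the thread's claim that the local SA's set comes first."""
    sets = header_sets(raw)
    return bool(sets) and sets[0]["host"] == local_host


if __name__ == "__main__":
    for s in header_sets(SAMPLE):
        print(s["host"], s["headers"].get("x-spam-status", "")[:3])
    print("foreign:", foreign_sets(SAMPLE, "pony.performanceadmin.com"))
```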
 



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread John Hardin

On Thu, 23 Jul 2009, Dan Schaefer wrote:


> > Are you quite sure that an upstream copy of SA, e.g. in your ISP or at
> > a sender site that scans for outgoing spam, hasn't already added X-*
> > headers to the message?
> 
> No. Is that even possible to track down?


There would probably be an X-Spam-Checker-Version header in your inbound 
mail stream.


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Perfect Security and Absolute Safety are unattainable; beware
  those who would try to sell them to you, regardless of the cost,
  for they are trying to sell you your own slavery.
---
 12 days since a sunspot last seen - EPA blames CO2 emissions


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



> > > Are you quite sure that an upstream copy of SA, e.g. in your ISP or at
> > > a sender site that scans for outgoing spam, hasn't already added X-*
> > > headers to the message?
> > 
> > No. Is that even possible to track down?
> 
> There would probably be an X-Spam-Checker-Version header in your 
> inbound mail stream.


X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on 
pony.performanceadmin.com


That is my server.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



> Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
> sender site that scans for outgoing spam, hasn't already added X-*
> headers to the message?
> 
> Martin

No. Is that even possible to track down?




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Martin Gregorie
Dan Schaefer wrote:
>
> If this is the case, then why does my email have the X-* headers in 
> it? I have nothing in my postfix header_checks to discard the BL 
> rules. Does anyone have a detailed flow chart of SA/postfix setup and 
> describes blacklisting? Or even a webpage describing the process?
> 
Are you quite sure that an upstream copy of SA, e.g. in your ISP or at a
sender site that scans for outgoing spam, hasn't already added X-*
headers to the message?


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Charles Gregory

On Wed, 22 Jul 2009, Dan Schaefer wrote:

> For those of you that manage these rules,
> URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this 
> email as spam
> 
> http://pastebin.com/m40f7cff4


The URI is not obfuscated, therefore it triggered the URIBL tests 
properly (and scored 3 additional points from them).


- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Bowie Bailey

Dan Schaefer wrote:


> > It means that if you were using BL at MTA level your SA might never 
> > have seen the message at all.
> > 
> > No your rule would not be "overlooked" 'because the site is in a 
> > blacklist' *unless* you were using the BL in your MTA and rejected 
> > the transaction from a blacklisted IP address and, thus, never 
> > submitted it to SA at all.
> 
> If this is the case, then why does my email have the X-* headers in 
> it? I have nothing in my postfix header_checks to discard the BL 
> rules. Does anyone have a detailed flow chart of SA/postfix setup and 
> describes blacklisting? Or even a webpage describing the process?


It's very simple with Postfix or any other MTA.

1) Connection request comes to Postfix.
2) Postfix checks the sending server against its blacklists.  If it 
matches, the mail is refused.
3) Postfix checks its normal rules and if the sender/recipient/etc is 
ok, the message is accepted.

4) Postfix sends the message to SA.
5) SA scores the message and returns it to Postfix (SA blacklists simply 
score 100 points).
6) Postfix can now deliver, quarantine or delete the message based on 
the score or spam/ham designation returned by SA.


--
Bowie


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



> It means that if you were using BL at MTA level your SA might never have seen 
> the message at all.
> 
> No your rule would not be "overlooked" 'because the site is in a blacklist' 
> *unless* you were using the BL in your MTA and rejected the transaction from a 
> blacklisted IP address and, thus, never submitted it to SA at all.
If this is the case, then why does my email have the X-* headers in it? 
I have nothing in my postfix header_checks to discard the BL rules. Does 
anyone have a detailed flow chart of SA/postfix setup and describes 
blacklisting? Or even a webpage describing the process?





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Dan Schaefer



> > For those of you that manage these rules,
> > URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this 
> > email as spam
> 
> I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be 
> hitting anything currently.
> 
> > http://pastebin.com/m40f7cff4
> 
> This is not an obfuscated domain.  You can see that it hit two URIBLs 
> - JP and WS.  I would have expected it to be in URIBL_BLACK (or at 
> least GOLD) as well as Invaluement's URIBL.  There are plenty of 
> mechanisms to catch valid URIs - that's not the purpose of the 
> obfuscation rules.
> 
> And, you still got 15 points - so, what's the problem?

Relax. I don't have a problem. I was just pointing out a potential flaw. 
I was just trying to help out. I just misunderstood the whole blacklist 
thing, that's all.





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Daniel J McDonald
On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
> It's catching on :-)

this new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...

How about:

body     __MED_OB       /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{0,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body     __MED_NOT_OB   /\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b/i
meta     AE_MED46       (__MED_OB && ! __MED_NOT_OB)
describe AE_MED46       Shorter rule to catch spam obfuscation
score    AE_MED46       4.0

-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com
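As an added example (not Dan McDonald's code or SpamAssassin's own rule engine), the two body regexes above translated to Python and combined the way the meta rule combines them. The POSIX classes are rebuilt from string.punctuation, an assumption of this example; the sample bodies are constructed. It also shows the per-message semantics of the meta: a body that carries the plain dotted form anywhere is excluded even if it also carries an obfuscated form.

```python
import re
import string

# POSIX [[:punct:][:space:]] has no Python equivalent; rebuilding it from
# string.punctuation plus \s is this example's assumption.
_PUNCT = re.escape(string.punctuation)
_PS = f"[{_PUNCT}\\s]"
# Separator as in __MED_OB: 1-5 punct/space chars, or "dot" wrapped in 1-3 of them.
_SEP = f"(?:{_PS}{{1,5}}|{_PS}{{1,3}}dot{_PS}{{1,3}})"

# __MED_OB: ww/www, separator, up to 6 letters + 2-6 digits, separator,
# com/net/org (single spaces allowed inside the TLD), optional trailing punct.
MED_OB = re.compile(
    r"\bw{2,3}" + _SEP + r"[A-Za-z]{0,6}\d{2,6}" + _SEP
    + r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)" + f"[{_PUNCT}]?" + r"\b",
    re.IGNORECASE,
)
# __MED_NOT_OB: the same domain shape written as a plain dotted host name.
MED_NOT_OB = re.compile(r"\bw{2,3}\.[A-Za-z]{0,6}\d{2,6}\.(?:com|net|org)\b",
                        re.IGNORECASE)


def obfuscated_uri(body: str):
    """First __MED_OB match in the body, or None (handy for a log line)."""
    m = MED_OB.search(body)
    return m.group(0) if m else None


def ae_med46_hits(body: str) -> bool:
    """Emulate 'meta AE_MED46 (__MED_OB && ! __MED_NOT_OB)'.

    Meta rules combine per-message booleans, so a body that contains the plain
    dotted form anywhere suppresses the hit even when an obfuscated form is
    present as well.  That is the trade-off the shorter rule makes.
    """
    return bool(MED_OB.search(body)) and not MED_NOT_OB.search(body)


if __name__ == "__main__":
    # Constructed sample bodies, not messages from the list.
    for body in ("Buy now at www [dot] shop42 [dot] com today",
                 "Order from www.shop42.com",
                 "See www.shop42.com or www [dot] shop42 [dot] com",
                 "We have 42 new items in stock"):
        print(f"{ae_med46_hits(body)!s:5} {obfuscated_uri(body)!r:32} <- {body}")
```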


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Kevin Parris
It means that if you were using BL at MTA level your SA might never have seen 
the message at all.

No your rule would not be "overlooked" 'because the site is in a blacklist' 
*unless* you were using the BL in your MTA and rejected the transaction from a 
blacklisted IP address and, thus, never submitted it to SA at all.

And those rules did not hit on the message because there isn't anything in 
there that they are designed to find.  It does not represent another variation 
on the theme. But since there is a lot of other stuff that other rules did hit 
on, why are you worrying so much about just these few?

>>> Dan Schaefer  07/22/09 3:56 PM >>>
Benny Pedersen wrote:
> On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
>   
>> For those of you that manage these rules,
>> URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email 
>> as spam
>> http://pastebin.com/m40f7cff4 
>> 
>
> reject it with rbl testing in mta, and its found in blacklist, reason it not 
> found in obfu is that its not obfu :)
>
>   
Does this mean that if I have a custom rule to search for exactly the 
"via" site, my rule will be overlooked because the site is in a blacklist?





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread McDonald, Dan
>From: Dan Schaefer [mailto:d...@performanceadmin.com]

>For those of you that manage these rules,
>URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
>spam

I'm up to AE_MED45, so I wouldn't expect AE_MEDS38 and 39 to be hitting 
anything currently.

>http://pastebin.com/m40f7cff4

This is not an obfuscated domain.  You can see that it hit two URIBLs - JP and 
WS.  I would have expected it to be in URIBL_BLACK (or at least GOLD) as well 
as Invaluement's URIBL.  There are plenty of mechanisms to catch valid URIs - 
that's not the purpose of the obfuscation rules.

And, you still got 15 points - so, what's the problem?

--
Dan




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Benny Pedersen

On Wed, July 22, 2009 21:56, Dan Schaefer wrote:
> Does this mean that if I have a custom rule to search for exactly the
> "via" site, my rule will be overlooked because the site is in a blacklist?

what problem ?

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Dan Schaefer

Benny Pedersen wrote:

> On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
> > For those of you that manage these rules,
> > URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
> > spam
> > http://pastebin.com/m40f7cff4
> 
> reject it with rbl testing in mta, and its found in blacklist, reason it not 
> found in obfu is that its not obfu :)
Does this mean that if I have a custom rule to search for exactly the 
"via" site, my rule will be overlooked because the site is in a blacklist?





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Benny Pedersen

On Wed, July 22, 2009 21:39, Dan Schaefer wrote:
> For those of you that manage these rules,
> URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
> spam
> http://pastebin.com/m40f7cff4

reject it with rbl testing in mta, and its found in blacklist, reason it not 
found in obfu is that its not obfu :)

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Dan Schaefer

For those of you that manage these rules,
URI_OBFU_X9_WS, URI_OBFU_WWW, AE_MEDS38, AE_MEDS39 did not mark this email as 
spam

http://pastebin.com/m40f7cff4





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread Benny Pedersen

On Wed, July 22, 2009 13:16, twofers wrote:
> "Because we CAN'T."

Obama says "yes we can" :)

> My point exactly. No matter what, with the current system of internet email,

just because mainstream spammers are so clueless that they start using 
recipient equal to sender envelope, says they never got used
to spf ?

> SPAM will never be stopped or filtered out completely.

wrong

> A completely new concept of verifying internet email would be required for 
> that and unfortunately,

as in dkim/spf no ?

> that will never happen simply because "It's all about the money"

spf and dkim is gpl

> and as far as this is concerned, it generates a revenue stream,

where ?

> it generates new technologies concepts and tax revenue.

where ?

> The governments not going to stifle that,

do governments use spf/dkim ?

> the government is going to allow the industry to regulate itself,

good :)

> one way or the otheras long as it generates revenues and taxes.

who gets the money ?

> It's simply Capitalism at work.

just stop paying

> SPAM email will never be completely eliminated,

wrong, we can close our email box also

> it will only, ever just be minimized based on the current system.

ah you now admit we can win ?

> False positives, a fact of filtering that beckon for refinement,

imho there is none if the recipient adds "friends" to his address book, and that 
address book is dumped to whitelist_auth in sa

> for tweaking and for precise detailing of the filters rules.

we already have too many rules in sa imho, it comes down to sender is known or 
not :/

> Even our "Good Ideas" are not fallible. Without the SPAMMERS knowledge of the 
> rules,

start thinking more on what spammers can't do for us might be the route to stop 
spammers from just getting a bunch of new meds domains
with numbers at the end, start using urls that whitelist, but only apply white if 
there is no other url !

> they are static and complacent. With the SPAMMERS knowledge of the rules,

you believe that spammers are using sa to test the spam runs ? if yes, why do i see 
80% of spam mails get rejected with spf testing alone ?

> they are dynamic, correctable, upgradeable and ever so more restrictive and 
> precise over time,

well it's maybe correct that clever spammers can find another way of being 
clueless when using sa to test their spam goals, but it
will not make most sa installs not detect it as spam, bayes can catch anything

> designed to extract precisely a balance between the legitimate and non 
> legitimate.

bayes working

> We can't fine-tune anything if we do not have a means of measuring our 
> requirements.

correct, but if we make sure the sender is not forged, and whitelist known senders, 
this is a start; if this is not done we have more
complex work to do before it's possible to stop spam

also why there are so many new rules to stop new spam, it's endless :/

> Eventually the SA rules will refine themselves to a precision that will be 
> virtually impregnable by SPAMMERS.

dkim is nice, but it creates lots of load to test this in the mta since we need to 
receive the whole email before dkim testing can be
done :/

that's why i say go to spf

> The sooner that happens the better and it will happen sooner as the SPAMMERS 
> show us their means and they are adapted
> to our requirements. I'm sure the "powers that be" who make SA public as it 
> is did so for a reason,

it's made public so any antispam users can commit rules to fight spammers where 
it hurts :)

> or were not expressly concerned over it's exposure.

maybe

> There is nothing the SPAMMERS can send that can't be filtered to a high 
> degree.

exactly

> It's not about eliminating, it's about minimizing.

agree

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-22 Thread twofers

Charles,
"Because we CAN'T."
My point exactly. No matter what, with the current system of internet email, 
SPAM will never be stopped or filtered out completely. A completely new concept 
of verifying internet email would be required for that and unfortunately, that 
will never happen simply because "It's all about the money" and as far as this 
is concerned, it generates a revenue stream, it generates new technologies 
concepts and tax revenue. The government's not going to stifle that, the 
government is going to allow the industry to regulate itself, one way or the 
other as long as it generates revenues and taxes. It's simply Capitalism at 
work.

SPAM email will never be completely eliminated, it will only, ever just be 
minimized based on the current system.

False positives, a fact of filtering that beckon for refinement, for tweaking 
and for precise detailing of the filters rules.

Even our "Good Ideas" are not fallible. Without the SPAMMERS' knowledge of the 
rules, they are static and complacent. With the SPAMMERS' knowledge of the 
rules, they are dynamic, correctable, upgradeable and ever so more restrictive 
and precise over time, designed to extract precisely a balance between the 
legitimate and non legitimate.

We can't fine-tune anything if we do not have a means of measuring our 
requirements. Eventually the SA rules will refine themselves to a precision 
that will be virtually impregnable by SPAMMERS. The sooner that happens the 
better and it will happen sooner as the SPAMMERS show us their means and they 
are adapted to our requirements.

I'm sure the "powers that be" who make SA public as it is did so for a reason, 
or were not expressly concerned over its exposure.

There is nothing the SPAMMERS can send that can't be filtered to a high degree. 
It's not about eliminating, it's about minimizing.
> On Tue, 21 Jul 2009, twofers wrote:
> >  so why not let them show us what they've got, show us where we need to 
> > make adjustments and corrections and in turn we will continue to refine our 
> > process, ever so more, squeezing them out...inch by inch.  
> 
> Because we CAN'T. While the spammers are free to try ANY obfuscation or 
> filter-dodging technique imaginable, we are always constrained to avoid false 
> positives. So any time we share our 'good ideas' with them, they come closer to 
> their 'goal' of finding the 'perfect' way to spam that we cannot filter...
> 
> And as a side note, I've noticed that I might have a rule in place, like my 
> original, simple 'shopXX' rule, and it worked for me for a couple of weeks, 
> until people started posting rules for it here. Then the more-complex 
> obfuscations started

And we started correcting and upgrading and fine tuning our rules to meet those 
new requirements...all the while, the SPAMMERS were shooting themselves in the 
foot as far as their click rates were concerned... click rates their customers 
use to validate their expenses for that form of advertisement.
I would venture to say that the SPAMMERS were "grasping" or otherwise just 
plain "teasing" as their return on investment was going straight into the 
toilet.

Wes


  

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread Charles Gregory

> Sometimes I wished everyone getting involved in heated discussions and
> proposals, also would carefully read any post with a related topic...
> I did leak the other day, that I actually am hacking such a beast.

Sorry. Sometimes the mailbox overload is a bit much, and I just have to 
delete things which 'seem' outside the central topics I'm following.

Still very glad to hear that something is in the works... :)

> It works, but there's still some things to re-write properly. Stay
> tuned. I'll announce it, when it is reasonably safe to use. Just be a
> little bit patient, will ya? ;)


(smile) Thanks.

- charles


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread Karsten Bräckelmann
Sometimes I wished everyone getting involved in heated discussions and
proposals, also would carefully read any post with a related topic...


On Tue, 2009-07-21 at 11:29 -0400, Charles Gregory wrote:
> Further to my original post, I haven't read all of today's mail yet, but

FWIW, neither did I, as I am busy hacking -- and now live. ;)

> Original request:
> >  I strongly urge the spamassassin develpopers to consider ways to 
> > 'open up' the way that we can specify what SA will 'consider' a URI, or 
> > to be able to 'capture' a value from an obfuscation test, manipulate it 
> > into its 'original' URI and then 'manually' submit it to the URIBL

I did leak the other day, that I actually am hacking such a beast.

It works, but there's still some things to re-write properly. Stay
tuned. I'll announce it, when it is reasonably safe to use. Just be a
little bit patient, will ya? ;)

I was brief about this topic before, and I won't mention any details
today either. The above should be clear enough.

  guenther





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread Charles Gregory

On Tue, 21 Jul 2009, twofers wrote:
>  so why not let them show us what they've got, show us where we 
> need to make adjustments and corrections and in turn we will continue to 
> refine our process, ever so more, squeezing them out...inch by inch.


Because we CAN'T. While the spammers are free to try ANY obfuscation or 
filter-dodging technique imaginable, we are always constrained to avoid 
false positives. So any time we share our 'good ideas' with them, they 
come closer to their 'goal' of finding the 'perfect' way to spam that we 
cannot filter...


And as a side note, I've noticed that I might have a rule in place, like 
my original, simple 'shopXX' rule, and it worked for me for a couple of 
weeks, until people started posting rules for it here. Then the 
more-complex obfuscations started


Further to my original post, I haven't read all of today's mail yet, but
I suspect there is not an answer yet to this question, but I wish to 
reiterate it, with a further comment. The comment is that I was looking at 
plugins and noticed that there was one to follow URIs that appear to be
redirects, and 'add' the target URI to the internal list of URIs to be 
run through the URIBL. I tried to look at the script to see if I could 
modify it to my purpose, but just can't figure it out. (sigh)


But it would be a good starting basis for the plugin I am hoping to see.

Original request:
>  I strongly urge the spamassassin developers to consider ways to 
> 'open up' the way that we can specify what SA will 'consider' a URI, or 
> to be able to 'capture' a value from an obfuscation test, manipulate it 
> into its 'original' URI and then 'manually' submit it to the URIBL


Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECKIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl
variables, and then feed them to a subsequent rule (in this case, a manual
URIBL lookup). This way, the SA developers don't have to hard-code an
ever-changing set of "URI detection rules" into the core code, but we can
still develop on-the-fly rules that can feed a URI to the URIBL tests

I've heard people mention 'plugins'. Could I code one that would be
easily 'modifiable' so that (for example) this morning's '[dot]' trick can
be quickly added to my plugin? Is there a good working example of a plugin
that extracts text from a message and feeds it to a URI? I'll work on this!



- C

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-21 Thread twofers
Charles,
 
Although I understand your reservations, I feel in this case that it's best to 
lay it all out there and give it to them, let them do what they do. In my mind 
it's nothing more than "Flushing" out the best they can offer and finding the 
loopholes, and closing them up.
 
There are more rules/ways to stop them than they have to defeat the rules and 
scoring process, so why not let them show us what they've got, show us where we 
need to make adjustments and corrections and in turn we will continue to refine 
our process, ever so more, squeezing them out...inch by inch.
 
We will accomplish that goal much quicker if the spammers show us where all our 
faults lie.
 
Wes
 
> On Wed, 15 Jul 2009, MrGibbage wrote:
> > I wonder if the spammers are reading this forum.  That seemed awful fast.
> 
> I'm sure they do. But I also suspect that they have a simple 'feedback' 
> mechanism that lets them know how much of their spew is getting rejected
> on their botnets, and when the rejection numbers get too high they try 
> something new, and keep trying until the rejection numbers drop again.
> 
> Then we fix our rules, the rejections go up, and they look for yet another 
> 'trick' to get through. They have the advantage of being able to download their 
> own copies of spamassassin to 'test' their spew. That's why sometimes you get 
> 'red herrings' from me on this list when I don't share the full details of a 
> rule. Posting it here almost assures that it will get bypassed. They copy the 
> rule, then try all sorts of different combinations to bypass it
> 
> Now really, the significant factor here is not that any of these obfuscation 
> tricks are 'new', but that they are using them to bypass the URIBL rules. I 
> strongly urge the spamassassin developers to consider ways to 'open up' the 
> way that we can specify what SA will 'consider' a URI, or to be able to 
> 'capture' a value from an obfuscation test, manipulate it into its 'original' 
> URI and then 'manually' submit it to the URIBL
> 
> Example hypothetical syntax (note that some parentheses are *capturing*):
> 
> body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
> uribl CHECKIT /$1.$2.$3/
> 
> Basically, allow a rule to 'capture' one or more 'matches' in Perl variables, 
> and then feed them to a subsequent rule (in this case, a manual URIBL lookup). 
> This way, the SA developers don't have to hard-code an ever-changing set of 
> "URI detection rules" into the core code, but we can still develop on-the-fly 
> rules that can feed a URI to the URIBL tests
> 
> I've heard people mention 'plugins'. Could I code one that would be
> easily 'modifiable' so that (for example) this morning's '[dot]' trick can be 
> quickly added to my plugin? Is there a good working example of a plugin that 
> extracts text from a message and feeds it to a URI? I'll work on this!
> 
> - C



  

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-16 Thread Charles Gregory

On Wed, 15 Jul 2009, MrGibbage wrote:

> I wonder if the spammers are reading this forum.  That seemed awful fast.


I'm sure they do. But I also suspect that they have a simple 'feedback' 
mechanism that lets them know how much of their spew is getting rejected
on their botnets, and when the rejection numbers get too high they try 
something new, and keep trying until the rejection numbers drop again.


Then we fix our rules, the rejections go up, and they look for yet another 
'trick' to get through. They have the advantage of being able to download 
their own copies of spamassassin to 'test' their spew. That's why 
sometimes you get 'red herrings' from me on this list when I don't share 
the full details of a rule. Posting it here almost assures that it will 
get bypassed. They copy the rule, then try all sorts of different 
combinations to bypass it


Now really, the significant factor here is not that any of these 
obfuscation tricks are 'new', but that they are using them to bypass the 
URIBL rules. I strongly urge the spamassassin develpopers to consider ways 
to 'open up' the way that we can specify what SA will 'consider' a URI, or 
to be able to 'capture' a value from an obfuscation test, manipulate it 
into its 'original' URI and then 'manually' submit it to the URIBL


Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl 
variables, and then feed them to a subsequent rule (in this case, a manual 
URIBL lookup). This way, the SA developers don't have to hard-code an 
ever-changing set of "URI detection rules" into the core code, but we can 
still develop on-the-fly rules that can feed a URI to the URIBL tests


I've heard people mention 'plugins'. Could I code one that would be
easily 'modifiable' so that (for example) this morning's '[dot]' trick can 
be quickly added to my plugin? Is there a good working example of a plugin 
that extracts text from a message and feeds it to a URI? I'll work on 
this!


- C



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-15 Thread John Hardin

On Wed, 15 Jul 2009, MrGibbage wrote:


I wonder if the spammers are reading this forum.  That seemed awful fast.


Of course they are.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #20: The faster you finish the fight,
  the less shot you will get.
---
 Tomorrow: the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-14 Thread Hrothgar

>Which of course means we've long since passed the point where any of  
>these are going to do the spammers any good.  That's the frustrating  
>part.

I thought that the point was that since it cost a spammer the same to send
out a million emails as to send out one, he was happy if only one of the
recipients responded. 

I live in the UK. The chances of anyone here buying prescription drugs from
a web site are non-existent: they are paid for either by the health service
or (for those who have medical insurance) by insurers. And the, er, "get it
up" medicines are now available over the counter. Yet all co.uk addresses
get mountains of this type of spam which presumably sell nothing.

I find it quicker to delete them manually rather than spending time altering
a regex and restarting SA.

Roger



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Cedric Knight
Chris Owen wrote:
> On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote:
> 
>>>> To answer your next post, I don't use '\b' because the next 'trick'
>>>> coming will likely be something looking like Xwww herenn comX...  :)
>>> At that point it can be dealt with.
> 
>> Well, they're getting close. I'm seeing non-alpha non-blank crud
>> cozied up to the front of the 'www' now :)

Not forgetting underscores are not word boundaries.  My alternative
rules are badly written but are still hitting with the \b:

rawbody NONLINK_SHORT
/^.{0,500}\b(?:H\s*T\s*T\s*P\s*[:;](? 
> 
> Which of course means we've long since passed the point where any of
> these are going to do the spammers any good.  That's the frustrating part.

You're making the common assumption that spammers send UCE because it
makes them money.  In fact they do it because they are obnoxious
imbeciles who want to annoy people and waste as much time (human and
CPU) as possible.  I don't think it really matters to them that what
they are sending is incomprehensible noise, because noise is their message.

Cheers

CK


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Chris Owen

On Jul 13, 2009, at 2:55 PM, Charles Gregory wrote:

>>> To answer your next post, I don't use '\b' because the next
>>> 'trick' coming will likely be something looking like Xwww herenn comX...  :)
>>
>> At that point it can be dealt with.
>
> Well, they're getting close. I'm seeing non-alpha non-blank crud
> cozied up to the front of the 'www' now :)



Which of course means we've long since passed the point where any of  
these are going to do the spammers any good.  That's the frustrating  
part.


Chris

--
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
--






Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory

On Mon, 13 Jul 2009, John Hardin wrote:

>>> The + signs are a little risky, it might be better to use {1,3} instead.
>> (nod) Though without the '/m' option it would be limited to the same line.
> body rules work on paragraphs, but you are right, the badness has an upper
> limit.


Ugh. Forgot it was 'paragraphs' and not 'lines' (and I just had that
drilled into me recently, too). Paragraphs are too long. I'll switch it
to a specific limit


>> To answer your next post, I don't use '\b' because the next 'trick' coming
>> will likely be something looking like Xwww herenn comX...  :)
>
> At that point it can be dealt with.


Well, they're getting close. I'm seeing non-alpha non-blank crud cozied up 
to the front of the 'www' now :)


- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread John Hardin

On Mon, 13 Jul 2009, Charles Gregory wrote:


> On Mon, 13 Jul 2009, John Hardin wrote:
>
>> Why be restrictive on the domain name?
>
> If a conservative spec is sufficient to match the spam, then we're
> helping avoid false positives. I'd rather tweak the rule to
> catch the new tricks of the spammer than overgeneralize. :)

Fair enough.

>> The + signs are a little risky, it might be better to use {1,3}
>> instead.
>
> (nod) Though without the '/m' option it would be limited to the same
> line.

body rules work on paragraphs, but you are right, the badness has an upper
limit.

> My thinking is that a spammer would quickly figure out to add more
> obfuscation, and there is little risk of a false positive occurring with
> that kind of broad spacing and an xxx99 domain name

Again, fair enough. But there's a limit to how complex the obfuscation can
be made, though, because there's a point where people won't deobfuscate
the URI to visit it.

> To answer your next post, I don't use '\b' because the next 'trick'
> coming will likely be something looking like Xwww herenn comX...  :)

At that point it can be dealt with. Until then, using \b is an important
way to avoid FPs.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 3 days until the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory

On Mon, 13 Jul 2009, John Hardin wrote:

> Why be restrictive on the domain name?

If a conservative spec is sufficient to match the spam, then we're
helping avoid false positives. I'd rather tweak the rule to
catch the new tricks of the spammer than overgeneralize. :)

> The + signs are a little risky, it might be better to use {1,3} instead.

(nod) Though without the '/m' option it would be limited to the same line.
My thinking is that a spammer would quickly figure out to add more
obfuscation, and there is little risk of a false positive occurring with
that kind of broad spacing and an xxx99 domain name

> And the older rule allowed for spaces in the TLD. I don't recall if
> anybody provided more than one spample with that though.

I've not seen it too much, though it doesn't hurt to keep it in the
rule. I actually added it back into my live rule after I posted

To answer your next post, I don't use '\b' because the next 'trick' coming
will likely be something looking like Xwww herenn comX...  :)


- C


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread John Hardin

On Mon, 13 Jul 2009, Charles Gregory wrote:


> On Mon, 13 Jul 2009, rich...@buzzhost.co.uk wrote:
>
>> On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
>>> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
>>> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
>>
>> Does not seem to work with;
>> www. meds .com
>
> Correct. With spaces being one of the possible obfuscation characters,
> this otherwise 'broad' rule is limited to the cookie-cutter URLs with
> numeric suffixes in the hostnames - something unlikely to appear in
> conversational text like "whether the [www can com]municate ideas"... :)


That possible FP is why \b are important in the rule.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 3 days until the 64th anniversary of the dawn of the Atomic Age
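Whether the `\b` anchors really prevent the false positive Charles jokes about, and what the narrower letters-then-digits rule gives up, can be checked directly. This is an added example (my code, not anything posted in the thread and not SpamAssassin); it loads John's rule as written above, the same rule with both `\b` removed, and Charles's earlier rule into Python's `re` module (all three use only syntax Perl and Python share) and runs them over a constructed four-line corpus. The helper names `evaluate` and `false_positives` are my own:

```python
import re

# John Hardin's rule from the thread, verbatim, and a copy with both \b
# anchors removed so the effect of the word boundaries is visible.
HARDIN = re.compile(
    r"\b(?!www\.\w{2,20}\.(?:com|net|org))"
    r"www[^a-z0-9]+\w{2,20}[^a-z0-9]+(?:com|net|org)\b",
    re.IGNORECASE,
)
HARDIN_NO_BOUNDARY = re.compile(
    r"(?!www\.\w{2,20}\.(?:com|net|org))"
    r"www[^a-z0-9]+\w{2,20}[^a-z0-9]+(?:com|net|org)",
    re.IGNORECASE,
)
# Charles Gregory's narrower rule: the label must be letters followed by
# digits (the "cookie-cutter" xxx99 hostnames), so it cannot hit prose.
GREGORY = re.compile(
    r"(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))"
    r"www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)",
    re.IGNORECASE,
)

RULES = {
    "HARDIN": HARDIN,
    "HARDIN_NO_BOUNDARY": HARDIN_NO_BOUNDARY,
    "GREGORY": GREGORY,
}

# Constructed corpus: two obfuscated forms quoted in the thread, a
# legitimate dotted URI that the negative lookahead must skip, and the
# conversational false-positive candidate from Charles's post.
SAMPLES = {
    "spam_underscore": "Rpace Against the Clocck.www_ze44_com",
    "spam_spaces": "bla bla www. meds .com bla bla",
    "legit_uri": "see www.meds11.com for details",
    "prose": "whether the www can communicate ideas",
}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {sample_name: {rule_name: matched}} for every rule/sample pair."""
    return {
        name: {rule: rx.search(text) is not None for rule, rx in rules.items()}
        for name, text in samples.items()
    }


def false_positives(rules=RULES, samples=SAMPLES):
    """Rules that fire on a sample whose name does not start with 'spam'."""
    results = evaluate(rules, samples)
    return sorted({
        rule
        for name, hits in results.items() if not name.startswith("spam")
        for rule, hit in hits.items() if hit
    })


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:16s}", hits)
    print("false positives:", false_positives())
```

Only the copy without `\b` matches "www can com" inside the prose sample; the trailing anchor fails there because "com" is followed by "m". The same run shows the trade-off in the other direction: Charles's rule misses "www. meds .com" because that label has no digits, which is exactly the exchange above.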


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread John Hardin

On Mon, 13 Jul 2009, McDonald, Dan wrote:


> On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:
>> On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
>>> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
>>> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
>>
>> Does not seem to work with;
>>
>> www. meds .com
>
> It shouldn't.  The spammers have been using domains with 2-4 alpha
> characters and 2 digits.

Why be restrictive on the domain name?

\b(?!www\.\w{2,20}\.(?:com|net|org))www[^a-z0-9]+\w{2,20}[^a-z0-9]+(?:com|net|org)\b

The + signs are a little risky, it might be better to use {1,3} instead. 
And the older rule allowed for spaces in the TLD. I don't recall if 
anybody provided more than one spample with that though.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 3 days until the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory

On Mon, 13 Jul 2009, rich...@buzzhost.co.uk wrote:

> On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
>> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
>> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
>
> Does not seem to work with;
> www. meds .com

Correct. With spaces being one of the possible obfuscation characters,
this otherwise 'broad' rule is limited to the cookie-cutter URLs with
numeric suffixes in the hostnames - something unlikely to appear in
conversational text like "whether the [www can com]municate ideas"... :)


- Charles




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread McDonald, Dan
On Mon, 2009-07-13 at 16:03 +0100, rich...@buzzhost.co.uk wrote:
> On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
> > (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
> > www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)
> 
> Does not seem to work with;
> 
> www. meds .com

It shouldn't.  The spammers have been using domains with 2-4 alpha
characters and 2 digits.

> 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)

Does not seem to work with;

www. meds .com



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread Charles Gregory


If I might interject. This seems to be an excellent occasion for
the PerlRE 'negative look-ahead' code (excuse the line wrap):

body =~ /(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)/i

...unless someone can think of an FP for this rule?

- C


RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-12 Thread John Hardin

On Fri, 10 Jul 2009, McDonald, Dan wrote:


> They have.  They are using underscores, which are a [:punct:], but don't form a
> \b break.
>
> New rules:
> body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
> body __MED_END_SP /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> body __MED_END_DOT /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> body __MED_END_BOTH /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>
> meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && !(__MED_BEG_DOT && __MED_END_DOT)
> describe AE_MED42 rule to catch still more spam obfuscation
> score AE_MED42 4.0


I think that can be simplified somewhat by reversing the obfuscation 
matches:


body  URI_OBFU_WWW   
/\bw{2,3}[^[:alnum:]]{1,3}\w{1,20}(?:(?!\.[[:alnum:]])[^[:alnum:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe  URI_OBFU_WWW   Obfuscated URI


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 4 days until the 64th anniversary of the dawn of the Atomic Age


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-12 Thread Sim
2009/7/11 Sim :
>> New rules:
>> body    __MED_BEG_SP    /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
>> body    __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
>> body    __MED_BEG_DOT   /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
>> body    __MED_BEG_BOTH
>> /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
>> body    __MED_END_SP
>> /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>> body    __MED_END_PUNCT
>> /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>> body    __MED_END_DOT
>> /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>> body    __MED_END_BOTH
>> /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>>
>> meta    AE_MED42    (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT ||
>> __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT ||
>> __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
>> describe AE_MED42   rule to catch still more spam obfuscation
>> score   AE_MED42    4.0
>>
>>
>>
>
>
> Hi Dan,
> very, very many thanks!
> It's perfect for all variants!
>
> Regards
>


Hi!

Again, the same typology: >> Rpace Against the Clocck.www_ze44_com

:-(

Spammers observe us!


RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-11 at 07:14 -0500, McDonald, Dan wrote:
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
> >On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> >> > "MD" == McDonald, Dan  writes:
> >>
> >> MD> They are using underscores, which are a [:punct:], but don't
> form
> >> MD> a \b break.
> 
> >One of my customers has this in their Postfix body blocks and it
> seems
> >to do well. No doubt it could be adapted to SA or even made more
> 'curt'
> >
> >/www((\.\s{1,10}|\s{1,10}\.|
> >\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
> >\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
> >\s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated
> uri
> >
> >Use it at your own risk
> 
> it won't hit anything now.  They aren't using periods any more.  They
> switched to underscores last night, and commas this morning.  Be ready
> for exclamation points later today!  Their click rate has to be
> dropping
> like a rock and the only purpose at this point is to annoy us.
> 
I guess it goes without saying to duplicate the rule for other options ?
I've added duplicates for all the obvious characters on the keyboard -
I'm just waiting to see some more creativity from them :-)
> 
> 
> 
> 



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread McDonald, Dan
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
>On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
>> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
>> > "MD" == McDonald, Dan  writes:
>> 
>> MD> They are using underscores, which are a [:punct:], but don't form
>> MD> a \b break.

>One of my customers has this in their Postfix body blocks and it seems
>to do well. No doubt it could be adapted to SA or even made more 'curt'
>
>/www((\.\s{1,10}|\s{1,10}\.|
>\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
>\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
>\s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated uri
>
>Use it at your own risk

it won't hit anything now.  They aren't using periods any more.  They 
switched to underscores last night, and commas this morning.  Be ready 
for exclamation points later today!  Their click rate has to be dropping
like a rock and the only purpose at this point is to annoy us.






Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread Paweł Tęcza
On 2009-07-10, Fri at 16:48 -0700, fchan wrote:
> Don't tempt them, I already get enough spam not only from these guys.
> Also they will flood the network with smtp useless connections and
> unless you have good network attack mitigation system so you don't
> have a DDoS, don't tempt them.

Please don't be afraid, and help to beat them.

Do you only update your local rules? I think that's not a sufficient
reaction. We should also send abuse reports to the Internet providers of
the spammers. They have to shut down that website.

P.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread Sim
> New rules:
> body    __MED_BEG_SP    /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
> body    __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
> body    __MED_BEG_DOT   /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
> body    __MED_BEG_BOTH
> /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
> body    __MED_END_SP
> /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> body    __MED_END_PUNCT
> /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> body    __MED_END_DOT
> /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> body    __MED_END_BOTH
> /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>
> meta    AE_MED42    (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT ||
> __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT ||
> __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
> describe AE_MED42   rule to catch still more spam obfuscation
> score   AE_MED42    4.0
>
>
>


Hi Dan,
very, very many thanks!
It's perfect for all variants!

Regards

---
Sim


RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> > "MD" == McDonald, Dan  writes:
> 
> MD> They are using underscores, which are a [:punct:], but don't form
> MD> a \b break.
> 
> >I'm becoming confused as to what they could possibly hope to
> >accomplish by that.
> 
> right now I think they are sticking it to us.  That and they must get
> some
> sort of jollies describing sick sex acts to little old ladies.
> 
> >Yes, I know, don't question the motives of spammers for their
> >stupidity and madness may be contagious, but still.  Surely they must
> >expect some kind of click rate.
> 
> I expect they will tire quickly of this game.  I was expecting commas
> before underscores, but even that is a loss now.  So, they will have
> to
> play a new game, and we can start all over with the fun.
> 
> 
> 
One of my customers has this in their Postfix body blocks and it seems
to do well. No doubt it could be adapted to SA or even made more 'curt'

/www((\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated uri

Use it at your own risk



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread McDonald, Dan
>From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> "MD" == McDonald, Dan  writes:

MD> They are using underscores, which are a [:punct:], but don't form
MD> a \b break.

>I'm becoming confused as to what they could possibly hope to
>accomplish by that.

right now I think they are sticking it to us.  That and they must get some
sort of jollies describing sick sex acts to little old ladies.

>Yes, I know, don't question the motives of spammers for their
>stupidity and madness may be contagious, but still.  Surely they must
>expect some kind of click rate.

I expect they will tire quickly of this game.  I was expecting commas 
before underscores, but even that is a loss now.  So, they will have to
play a new game, and we can start all over with the fun.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Jason L Tibbitts III
> "MD" == McDonald, Dan  writes:

MD> They are using underscores, which are a [:punct:], but don't form
MD> a \b break.

I'm becoming confused as to what they could possibly hope to
accomplish by that.  At least when using dots and spaces users could
cut and paste the hostname into a browser (if for some reason they
were so inclined) and there's a possibility that an overly helpful MUA
could turn it into a clickable link, but with underscores there's no
hope of that.  What's next?  Asking users to type only every other
letter in the location bar or to correct misspellings in the hostname,
but somehow expecting them to figure this out for themselves?

Yes, I know, don't question the motives of spammers for their
stupidity and madness may be contagious, but still.  Surely they must
expect some kind of click rate.

 - J<


RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread McDonald, Dan
>From: fchan [mailto:fc...@molsci.org]

>Don't tempt them, I already get enough spam not 
>only from these guys. Also they will flood the 
>network with smtp useless connections and unless 
>you have good network attack mitigation system so 
>you don't have a DDoS, don't tempt them.

Pretty soon they will go on to a new scheme.  This one is getting boring.  
Might as well spur them on to give up all of their tricks.


>> On 2009-07-11, Sat at 00:18 +0200, Paweł Tęcza wrote:
>>
>>> I received very similar spam too. It also includes "www.ma29. net"
>>> domain. It's probably personal dedication from the spammers to me ;)
>>> Thank you! I know you're watching that mailing list.
>>
>> Hey spammers! ;)
>>
>> It's after midnight here, but I've updated my rules. So you have to
>> think up something new.

They have.  They are using underscores, which are a [:punct:], but don't form a 
\b break.

New rules:
body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && !(__MED_BEG_DOT && __MED_END_DOT)
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 4.0
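To see how the AE_MED42 meta rule combines its sub-rules, and why the `!(__MED_BEG_DOT && __MED_END_DOT)` term is there, here is an added example. It is my code, not Dan's rules file and not SpamAssassin: it rebuilds the eight `__MED_*` patterns in Python's `re`, spelling out the POSIX classes `[[:alpha:]]`, `[[:space:]]` and `[[:punct:]]` that Python lacks, evaluates each sub-rule independently as SpamAssassin does, and then applies the meta expression over constructed samples. `subrule_hits` and `ae_med42` are my helper names:

```python
import re
import string

# POSIX classes from the Perl rules, spelled out for Python's re:
# [[:alpha:]] -> [A-Za-z], [[:space:]] -> \s, [[:punct:]] -> the ASCII
# punctuation characters (escaped so they are safe inside a class).
ALPHA = "[A-Za-z]"
PUNCT = "[" + re.escape(string.punctuation) + "]"
PUNCT_OR_SPACE = "[" + re.escape(string.punctuation) + r"\s]"
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)"

# The eight __MED_* sub-rules from the post, translated term by term.
SUBRULES = {
    "__MED_BEG_SP":    r"\bw{2,3}\s" + ALPHA + r"{2,6}\d{2,6}",
    "__MED_BEG_PUNCT": r"\bw{2,3}" + PUNCT + "{1,3}" + ALPHA + r"{2,6}\d{2,6}",
    "__MED_BEG_DOT":   r"\bw{2,3}\." + ALPHA + r"{2,6}\d{2,6}",
    "__MED_BEG_BOTH":  r"\bw{2,3}" + PUNCT_OR_SPACE + "{2,5}" + ALPHA + r"{2,6}\d{2,6}\b",
    "__MED_END_SP":    ALPHA + r"{2,6}\d{2,6}\s" + TLD + r"\b",
    "__MED_END_PUNCT": ALPHA + r"{2,6}\d{2,6}" + PUNCT + "{1,3}" + TLD + r"\b",
    "__MED_END_DOT":   ALPHA + r"{2,6}\d{2,6}\." + TLD + r"\b",
    "__MED_END_BOTH":  ALPHA + r"{2,6}\d{2,6}" + PUNCT_OR_SPACE + "{2,5}" + TLD + r"\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SUBRULES.items()}


def subrule_hits(text):
    """Which __MED_* sub-rules fire on text. Each is evaluated on its own,
    which is how SpamAssassin scores body rules before a meta combines them."""
    return {name: rx.search(text) is not None for name, rx in COMPILED.items()}


def ae_med42(text):
    """The meta rule as posted: (any BEG) && (any END) && !(BEG_DOT && END_DOT)."""
    h = subrule_hits(text)
    beg = (h["__MED_BEG_SP"] or h["__MED_BEG_PUNCT"]
           or h["__MED_BEG_DOT"] or h["__MED_BEG_BOTH"])
    end = (h["__MED_END_SP"] or h["__MED_END_PUNCT"]
           or h["__MED_END_DOT"] or h["__MED_END_BOTH"])
    return beg and end and not (h["__MED_BEG_DOT"] and h["__MED_END_DOT"])


if __name__ == "__main__":
    # Constructed samples: the underscore and spaced forms quoted in the
    # thread, a plain dotted URI of the same shape, prose, and a line where
    # the BEG and END halves come from two different strings.
    for line in [
        "www_ze44_com",
        "www. meds44 .com",
        "www.meds11.com",
        "whether the www can communicate ideas",
        "www.abc11 and then xyz22 com",
    ]:
        print(f"{line!r}: AE_MED42={ae_med42(line)}",
              {k: v for k, v in subrule_hits(line).items() if v})
```

The plain `www.meds11.com` sample is why the exclusion term exists: a dot is also punctuation, so `__MED_BEG_PUNCT` and `__MED_END_PUNCT` fire on it alongside the two DOT sub-rules, and without `!(__MED_BEG_DOT && __MED_END_DOT)` every ordinary link of that shape would score. The last sample shows the remaining gap: the BEG and END halves are matched independently, so `www.abc11` in one place and `xyz22 com` elsewhere still satisfy the meta. John Hardin's single-regex URI_OBFU_WWW reply in this thread ties the two halves to one string.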




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread fchan
Don't tempt them, I already get enough spam not 
only from these guys. Also they will flood the 
network with smtp useless connections and unless 
you have good network attack mitigation system so 
you don't have a DDoS, don't tempt them.

> On 2009-07-11, Sat at 00:18 +0200, Paweł Tęcza wrote:
>
>> I received very similar spam too. It also includes "www.ma29. net"
>> domain. It's probably personal dedication from the spammers to me ;)
>> Thank you! I know you're watching that mailing list.
>
> Hey spammers! ;)
>
> It's after midnight here, but I've updated my rules. So you have to
> think up something new.
>
> P.


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Paweł Tęcza
On 2009-07-11, Sat at 00:18 +0200, Paweł Tęcza wrote:

> I received very similar spam too. It also includes "www.ma29. net"
> domain. It's probably personal dedication from the spammers to me ;)
> Thank you! I know you're watching that mailing list.

Hey spammers! ;)

It's after midnight here, but I've updated my rules. So you have to
think up something new.

P.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, McDonald, Dan wrote:


> body __MED_END_BOTH /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>
> Let's see how long it takes them to come up with a workaround for this!


A domain name with 7+ letters? www. goodmeds123. com ?  :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If "healthcare is a Right" means that the government is obligated
  to provide the people with hospitals, physicians, treatments and
  medications at low or no cost, then the right to free speech means
  the government is obligated to provide the people with printing
  presses and public address systems, the right to freedom of
  religion means the government is obligated to build churches for the
  people, and the right to keep and bear arms means the government is
  obligated to provide the people with guns, all at low or no cost.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Michelle Konzack
On 2009-07-10 11:39:02, Daniel Schaefer wrote:
> Since we're sharing rules for this recent Spam outbreak, here is my rule:
> body DRUG_SITE /www(\.|\  
> )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ 
> )*(net|com)/
> score DRUG_SITE 0.5
> describe DRUG_SITE Test to find spam drug sites in recent emails
>
>
> Notice my score is low, because I'm not sure it's 100% accurate.

Does not hit:

Problems in Getting the sex Life Ymoou Want and Deserve - Starting With E 
www.ma29. net. Californian Finds Pit Blul Under hTe Hood

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

John Hardin wrote:

> On Fri, 10 Jul 2009, Daniel Schaefer wrote:
>
>> Doesn't the . (period) need to be escaped in this? [.\s]{1,3}
>
> Nope. "[]" means "explicit set of characters", and "." = "any
> character" conflicts with that context.



Thanks for the clarification. I'm still learning REs.

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


> Doesn't the . (period) need to be escaped in this? [.\s]{1,3}

Nope. "[]" means "explicit set of characters", and "." = "any character"
conflicts with that context.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

John Hardin wrote:

> On Fri, 10 Jul 2009, Daniel Schaefer wrote:
>
>> Gerry Maddock wrote:
>>
>>>>> McDonald, Dan wrote:
>>>>>
>>>>> body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
>>>>
>>>> You should avoid the use of *, as it allows spammers to consume all
>>>> of your memory and cpu.  limit it using the {} syntax.  You also
>>>> should tell perl to not keep the results of your () with (?:\.|\ )
>>>> instead of (\.|\ ).  And with single characters, the [ab] syntax is
>>>> faster to process than (?:a|b).
>>>
>>> Perhaps you could attach an example showing exactly what you're stating
>>> for this rule?
>>
>> This is my new rule. I think this is what he means:
>>
>> body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/
>
> You missed some of the suggestions.
>
> Try this:
>
> body DRUG_SITE /\bwww[.\s]{1,3}(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)\d{2}[.\s]{1,3}(?:net|com)\b/
>
> Also, if the spammers start registering three-digit domain names, this
> will start missing. Something like \d{2,5} would be better.

Doesn't the . (period) need to be escaped in this? [.\s]{1,3}

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Gerry Maddock wrote:

> >  McDonald, Dan wrote:
> >
> >  body DRUG_SITE /www(\.|\
> > ) *(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ 
> > ) )*(net|com)/
> 
>  You should avoid the use of *, as it allows spammers to consume all 
>  of your memory and cpu.  limit it using the {} syntax.  You also 
>  should tell perl to not keep the results of your () with (?:\.|\ ) 
>  instead of (\.|\ ).  And with single characters, the [ab] syntax is 
>  faster to process than (?:a|b).


 Perhaps you could attach an example showing exactly what you're stating
 for this rule?


This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


You missed some of the suggestions.

Try this:

body DRUG_SITE /\bwww[.\s]{1,3}(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)\d{2}[.\s]{1,3}(?:net|com)\b/

Also, if the spammers start registering three-digit domain names, this 
will start missing. Something like \d{2,5} would be better.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Sim
2009/7/10 John Hardin :
> On Fri, 10 Jul 2009, Sim wrote:
>
>>>
>>> /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>>
>> I'm using it without good results for this format:
>>
>> bla bla www. site. net. bla bla
>>
>> Have you any idea?
>
> There are no digits in that URI.
>
> If this becomes common, change the \d{2,6} to \d{0,6}, but that will
> increase the risk of FP somewhat.
>
> Dan: there are no parentheses in that RE that attempt to match the message
> text, they are all grouping parentheses.
>


Good solution John,

very thanks!

Regards

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Sim
> Yes, remove the outer parentheses.
>
> Here are the rules I am using:
> body    AE_MEDS35       /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
> describe AE_MEDS35      obfuscated domain seen in spam
> score   AE_MEDS35       3.00
>
> body    AE_MEDS38       /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
> describe AE_MEDS38      rule to catch next wave of obfuscated domains
> score   AE_MEDS38       1.0
>
> body    AE_MEDS39       /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> describe AE_MEDS39      rule to catch still more spam obfuscation
> score   AE_MEDS39       4.0
>
> AE_MEDS38 finds domains with spaces in them, and AE_MEDS39 finds domains
> with dots and spaces.  You might want to bump up the score on AE_MEDS38,
> but I haven't had a false negative that would have benefited from it in
> a while, so I haven't bothered.
>
>
>

Very good!
Thanks a lot!

Regards and good week-end!

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

Gerry Maddock wrote:

McDonald, Dan wrote:

Since we're sharing rules for this recent Spam outbreak, here is my rule:

body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

You should avoid the use of *, as it allows spammers to consume all of
your memory and cpu.  limit it using the {} syntax.  You also should
tell perl to not keep the results of your () with (?:\.|\ ) instead of
(\.|\ ).  And with single characters, the [ab] syntax is faster to
process than (?:a|b).



Perhaps you could attach an example showing exactly what you're stating for
this rule?

This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Gerry Maddock
> > McDonald, Dan wrote:
>
> > Since we're sharing rules for this recent Spam outbreak, here is my rule:
> > body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
>
> You should avoid the use of *, as it allows spammers to consume all of
> your memory and cpu.  limit it using the {} syntax.  You also should
> tell perl to not keep the results of your () with (?:\.|\ ) instead of
> (\.|\ ).  And with single characters, the [ab] syntax is faster to
> process than (?:a|b).
>
Perhaps you could attach an example showing exactly what you're stating for
this rule?











Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread McDonald, Dan
On Fri, 2009-07-10 at 11:39 -0400, Daniel Schaefer wrote:
> McDonald, Dan wrote:

> Since we're sharing rules for this recent Spam outbreak, here is my rule:
> body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

You should avoid the use of *, as it allows spammers to consume all of
your memory and cpu.  limit it using the {} syntax.  You also should
tell perl to not keep the results of your () with (?:\.|\ ) instead of
(\.|\ ).  And with single characters, the [ab] syntax is faster to
process than (?:a|b).




-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


signature.asc
Description: This is a digitally signed message part


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, Sim wrote:


/\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


I'm using it without good results for this format:

bla bla www. site. net. bla bla

Have you any idea?


There are no digits in that URI.

If this becomes common, change the \d{2,6} to \d{0,6}, but that will 
increase the risk of FP somewhat.


Dan: there are no parentheses in that RE that attempt to match the message 
text, they are all grouping parentheses.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon
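As an added example (not code from the thread), the deobfuscation rule quoted at the top of the message above, as posted, beside the \d{0,6} variant suggested in the reply, translated from Perl into Python's re module and run over constructed body lines. The first five lines are obfuscated hostnames of the kinds discussed in the thread, the last three are ordinary English of the sort the false-positive discussion worries about; none of it is real mail.

```python
import re

# Added example, not code from the thread: the deobfuscation rule quoted
# above, as posted, translated from Perl into Python's re module, beside the
# \d{0,6} variant suggested for domains that carry no digits. Body lines are
# constructed for illustration; the last three are the kind of ordinary
# English the false-positive discussion in this thread worries about.

SEP = r"(?:\s\W?\s?|\W\s)"                  # one obfuscated dot: ' ', ' . ', '. ', ', '
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)"  # com/net/org, letters optionally spaced out

# As posted: the host label must end in two to six digits.
WITH_DIGITS = re.compile(r"\bwww" + SEP + r"\w{3,6}\d{2,6}" + SEP + TLD + r"\b", re.IGNORECASE)

# Relaxed variant: digits optional, at some extra false-positive risk.
DIGITS_OPTIONAL = re.compile(r"\bwww" + SEP + r"\w{3,6}\d{0,6}" + SEP + TLD + r"\b", re.IGNORECASE)

RULES = {"with_digits": WITH_DIGITS, "digits_optional": DIGITS_OPTIONAL}

SAMPLES = [
    "order at www shop22 net now",                                 # spam, digits
    "www . meds33 . com",                                          # spam, spaced dots
    "www shop44 c o m",                                            # spam, spaced-out TLD
    "bla bla www. site. net. bla bla",                             # spam, no digits
    "go to WWW EVIL ORG for new meds",                             # spam, no digits, upper case
    "digging through the WWW HE SAW this link",                    # ham
    "The www, invented by Tim Berners-Lee, changed publishing",    # ham
    "On the www, Billy-Jo can be heard nightly",                   # ham
]


def fired(rule_name, lines=SAMPLES):
    """Lines the named rule fires on (body rules match anywhere in the text)."""
    return [line for line in lines if RULES[rule_name].search(line)]


def compare(lines=SAMPLES):
    """Per line: (text, strict rule fired?, relaxed rule fired?)."""
    return [
        (line, bool(WITH_DIGITS.search(line)), bool(DIGITS_OPTIONAL.search(line)))
        for line in lines
    ]


if __name__ == "__main__":
    print("strict relaxed  line")
    for line, strict, relaxed in compare():
        print(f"  {'X' if strict else '.'}      {'X' if relaxed else '.'}     {line}")
```

The strict form misses "www. site. net." and "WWW EVIL ORG" purely because of the digit requirement, exactly as the reply above says; the relaxed form catches both and, on these samples, still leaves the three English sentences alone, because \w{3,6} needs a label of at least three characters ("HE" fails) and the second separator must be whitespace or punctuation followed by whitespace ("invented by" runs straight into the next letter). It is the separator shape, not the digits, that is doing most of the false-positive protection here, which is why relaxing the digits is cheaper than it first looks but not free.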


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

McDonald, Dan wrote:

Yes, remove the outer parentheses.

Here are the rules I am using:
body    AE_MEDS35       /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35      obfuscated domain seen in spam
score   AE_MEDS35       3.00

body    AE_MEDS38       /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38      rule to catch next wave of obfuscated domains
score   AE_MEDS38       1.0

body    AE_MEDS39       /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39      rule to catch still more spam obfuscation
score   AE_MEDS39       4.0

  

Since we're sharing rules for this recent Spam outbreak, here is my rule:
body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

score DRUG_SITE 0.5
describe DRUG_SITE Test to find spam drug sites in recent emails


Notice my score is low, because I'm not sure it's 100% accurate.

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread McDonald, Dan
On Fri, 2009-07-10 at 17:11 +0200, Sim wrote:
> >>>
> >>>
> >>> /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> >>
> >>   ^
> >> John,
> >>
> >> Thanks a lot for rule update! It works fine. I can say it's nearly
> >> perfect, because it missing only one small back-slash :) Please look
> >> above.
> >
> > D'oh!
> >
> > That, plus some other fixes:
> >
> > /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> >
> 
> 
> Hello world ;-)
> 
> I'm using it without good results for this format:
> 
> bla bla www. site. net. bla bla
> 
> Have you any idea?
> Regards
Yes, remove the outer parentheses.

Here are the rules I am using:
body    AE_MEDS35       /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35      obfuscated domain seen in spam
score   AE_MEDS35       3.00

body    AE_MEDS38       /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38      rule to catch next wave of obfuscated domains
score   AE_MEDS38       1.0

body    AE_MEDS39       /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39      rule to catch still more spam obfuscation
score   AE_MEDS39       4.0

AE_MEDS38 finds domains with spaces in them, and AE_MEDS39 finds domains
with dots and spaces.  You might want to bump up the score on AE_MEDS38,
but I haven't had a false negative that would have benefited from it in
a while, so I haven't bothered.



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


signature.asc
Description: This is a digitally signed message part


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Sim
>>>
>>>
>>> /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>>
>>                                           ^
>> John,
>>
>> Thanks a lot for rule update! It works fine. I can say it's nearly
>> perfect, because it missing only one small back-slash :) Please look
>> above.
>
> D'oh!
>
> That, plus some other fixes:
>
> /\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
>


Hello world ;-)

I'm using it without good results for this format:

bla bla www. site. net. bla bla

Have you any idea?
Regards

---
Sim


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 13:50:09, schrieb Yet Another Ninja:
> See RegistrarBoundaries.pm in SA source and
> http://www.rulesemporium.com/rules/90_2tld.cf

I know this list, but these are  only  domains,  where  you  can  get  a
3rd Level Domain like on  as

http://tamay.dogan.free.fr/

which was created by me a long time ago and never updated/deleted...  :-P

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, John Wilcock wrote:


Le 30/06/2009 17:16, John Hardin a écrit :

> ... looking at the www peter got an impression of ...
> (-> www.peter.got?)

 TLDs are limited and prevent FPs of that particular nature.


Sure, but there are lots of ccTLDs that could be confused with English words, 
never mind other languages.


Do you really want SpamAssassin to do URIBL lookups for invented.by 
(Belarus) for a sentence like "The www, invented by Tim Berners-Lee, 
...", or billy.jo (Jordan) for "On the www, Billy-Jo can be heard..."? 
The processing overhead would be enormous.


I agree that a very general URI deobfuscation rule will be both expensive 
and FP-prone. I was commenting on the particular case of 
www.something.somethingelse, that while FPs can occur, the possible values 
for somethingelse make it less likely than that example suggested - but 
looking for obfuscated URIs having two-letter TLDs makes FPs a lot more 
likely.


I think the existing rule is good; perhaps extending the \w repetition a 
bit so that it would match longer obfuscated domains like 
"eshopping123.com" or "yourdrugstore999.net"


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #9: Accuracy is relative: most combat
  shooting standards will be more dependent on "pucker factor" than
  the inherent accuracy of the gun.
---
 4 days until the 233rd anniversary of the Declaration of Independence

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Mike Cardwell

John Wilcock wrote:


   ... looking at the www peter got an impression of ...
   (-> www.peter.got?)


TLDs are limited and prevent FPs of that particular nature.


Sure, but there are lots of ccTLDs that could be confused with English 
words, never mind other languages.


Do you really want SpamAssassin to do URIBL lookups for invented.by 
(Belarus) for a sentence like "The www, invented by Tim Berners-Lee, 
...", or billy.jo (Jordan) for "On the www, Billy-Jo can be heard..."?

The processing overhead would be enormous.


I'd suggest performing your own dns lookups against the domain first to 
make sure it's valid, before doing the uribl lookup. Eg:


m...@haven:~$ host -t ns invented.by
invented.by does not exist, try again
m...@haven:~$

You'd also want to cache your results. This conversation however is 
pointless. Why not just try it and see how well it works.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Wilcock

Le 30/06/2009 17:16, John Hardin a écrit :

   ... looking at the www peter got an impression of ...
   (-> www.peter.got?)


TLDs are limited and prevent FPs of that particular nature.


Sure, but there are lots of ccTLDs that could be confused with English 
words, never mind other languages.


Do you really want SpamAssassin to do URIBL lookups for invented.by 
(Belarus) for a sentence like "The www, invented by Tim Berners-Lee, 
...", or billy.jo (Jordan) for "On the www, Billy-Jo can be heard..."?

The processing overhead would be enormous.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, Jan P. Kessler wrote:


Martin Gregorie schrieb:



... digging through the WWW HE SAW this link ...


Both IMO should be caught and given a positive score. I've never seen
legitimate mail containing URLs written this way.


Maybe I was not clear: The last one is NOT an url. Do you really want to
use the whole bunch of SA's URI tests against sentences like:

   ... looking at the www peter got an impression of ...
   (-> www.peter.got?)


TLDs are limited and prevent FPs of that particular nature.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #6: If you can choose what to bring to a
  gunfight, bring a long gun and a friend with a long gun.
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
> So you want obfuscated urls to be recognised as urls but not treated as
> urls?
>
Of course. It's spam.

> If this is just for a few own pcre body rules, I'd suggest you to
> handle those de-obfuscations in your rules.
>
Guess what I'm doing.

> You can also publish your own plugin, if you think that it is worth to share.
>
It's not worth a plugin: one or two regexes and a meta catch it very
nicely.

> And how many calls will your receive for false positives? Maybe this
> depends on one's environment,
>
Metas that recognise context are the obvious way to avoid FPs. For
instance, anything received via a Sourceforge mailing list containing
recognisable medical or sex terms (obfuscated or not) and obfuscated
URLs can be canned as spam with a very high confidence level.

It's certainly site-specific, e.g., I've only ever seen the recent spate
of image spam (medical ads presented as images) arrive via Sourceforge
mailing lists, but that's far from a typical experience.


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie schrieb:
> What makes you think I'm using URI tests or that any of these would be
> recognised as a URI? My tests are simple body tests with {1,n} limits on
> repetitions to keep things under control.
>   

So you want obfuscated urls to be recognised as urls but not treated as
urls? If this is just for a few own pcre body rules, I'd suggest you to
handle those de-obfuscations in your rules. You can also publish your
own plugin, if you think that it is worth sharing. But for most
environments these de-obfuscations will be too dangerous (imo) and too
easy to circumvent.


> what they want. What's the betting they'd even call their help desk to
> complain?
>   

And how many calls will you receive for false positives? Maybe this
depends on one's environment, but I'd prefer having a few non-tagged
spams than a bunch of FPs.

Anyway.. I don't want to argue here. I threw in my pennies and hope
the SA developers agree.

Cheers, Jan





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
On Tue, 2009-06-30 at 13:14 +0200, Jan P. Kessler wrote:
> Martin Gregorie schrieb:
> >> ... go to WWW EVIL ORG for new meds ...
> >>
> >> and
> >>
> >> ... digging through the WWW HE SAW this link ...
> >>
> > Both IMO should be caught and given a positive score. I've never seen
> > legitimate mail containing URLs written this way.
> 
> Maybe I was not clear: The last one is NOT an url. Do you really want to
> use the whole bunch of SA's URI tests against sentences like:
> 
What makes you think I'm using URI tests or that any of these would be
recognised as a URI? My tests are simple body tests with {1,n} limits on
repetitions to keep things under control.

> And again: What about urls that do not start with www?
>
So far, all the munged URLs I've seen have started with www. If that
changes the rules can be easily extended, but IMO it's unlikely to change
since the punters are being invited to 'repair' something they are
intended to recognise as a web address.

> Which characters
> should be examined for obfuscation ([ ,;:|?!=])?
>
So far, only space, tab and stop have been used. On the face of it, no
more are likely. The target audience must be pretty thick if they actually
'repair' these urls before cutting and pasting into the browser's search
box, so my guess is that said target audience would either not recognise
further obfuscation as a url or they would retain any other
non-whitespace characters and then wonder why their browser won't do
what they want. What's the betting they'd even call their help desk to
complain?


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Yet Another Ninja

On 6/30/2009 1:18 PM, Michelle Konzack wrote:

Am 2009-06-30 12:30:14, schrieb Jan P. Kessler:

How would you distinguish between

... go to WWW EVIL ORG for new meds ...

and

... digging through the WWW HE SAW this link ...

to prevent SA trying to look up www.he.saw?


Is SAW a valid TOPLEVEL domain?

SA could use a list of valid TLD's.


See RegistrarBoundaries.pm in SA source and
http://www.rulesemporium.com/rules/90_2tld.cf
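As an added example (not code from the thread, and not SpamAssassin's own URI handling), here is a minimal version of the idea argued over in the surrounding messages: rebuild "www <sep> label <sep> tld" into a hostname and gate it on a list of real TLDs before anything as expensive as a URIBL lookup happens. The TLD set is a small constructed subset, not the RegistrarBoundaries data or the 90_2tld list pointed to above, and every sentence is invented. Like the rules posted in this thread the pattern is anchored on "www", so "http:// meds spammer org" style text is out of scope here.

```python
import re

# Added example, not code from the thread: a minimal version of the idea
# argued over in the surrounding messages, i.e. rebuild "www <sep> label
# <sep> tld" into a hostname and then gate it on a list of real TLDs before
# anything as expensive as a URIBL lookup happens. The TLD set below is a
# small constructed subset, not SpamAssassin's RegistrarBoundaries data, and
# every sentence is constructed for illustration.

# One obfuscated dot: whitespace, or a comma/period/semicolon/colon/pipe with
# optional whitespace around it.
SEP = r"(?:\s+|\s*[.,;:|]\s*)"

# Deliberately loose triplet: www, a label, a would-be TLD of 2-6 letters.
CANDIDATE = re.compile(
    r"\b(www)" + SEP + r"([a-z0-9-]{2,20})" + SEP + r"([a-z]{2,6})\b", re.IGNORECASE
)

# Constructed subset of TLDs; 'by' and 'jo' are real ccTLDs and are here to
# show that a TLD gate does not remove every false positive.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "de", "fr", "uk", "by", "jo"}


def candidates(text):
    """Every www/label/tld triplet the loose pattern sees, rebuilt as a dotted hostname."""
    return [".".join(parts).lower() for parts in CANDIDATE.findall(text)]


def gated(text, tlds=KNOWN_TLDS):
    """Only candidates whose last label is a known TLD: what a lookup would receive."""
    return [host for host in candidates(text) if host.rsplit(".", 1)[1] in tlds]


SAMPLES = [
    "go to WWW EVIL ORG for new meds",                           # spam: passes gate
    "digging through the WWW HE SAW this link",                  # ham: 'saw' is no TLD
    "looking at the www peter got an impression of it",          # ham: 'got' is no TLD
    "The www, invented by Tim Berners-Lee, changed publishing",  # ham: 'by' IS a TLD -> FP
    "www . meds . for . cheap . com",                            # spam with subdomains: missed
    "see www.example.com for details",                           # ordinary URL
]


def triage(lines=SAMPLES):
    """Per line: what the loose pattern proposes versus what survives the TLD gate."""
    return [(line, candidates(line), gated(line)) for line in lines]


if __name__ == "__main__":
    for line, seen, kept in triage():
        print(f"{line!r}\n    candidates={seen} after_gate={kept}")
```

The gate throws away "www.he.saw" and "www.peter.got" for free, with no network traffic, but "www.invented.by" sails through because .by is a real ccTLD, and the multi-label "www . meds . for . cheap . com" is missed outright because a fixed triplet can only see "www.meds.for". That is the shape of the trade the thread is describing: a TLD list removes the cheap false positives and the cost of the lookup, not the hard ones.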


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Michelle Konzack wrote:
> Is SAW a valid TOPLEVEL domain?
>
> SA could use a list of valid TLD's.
>   

Ok, let's change that (do not forget that there's more than .com)

the www seems to become the primary source of information these days
(->www.seems.to?)

And I think we agree, that it would be very 'expensive' to check all
possible triplets against the whole list of TLDs (or even impossible if
you consider subdomains).




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 11:58:20, schrieb Martin Gregorie:
> > http:// meds spammer org
> > 
> That should be scored positive too, for the same reason.

And in my org this should not happen...

 is a valid domain FOR SALE.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 12:30:14, schrieb Jan P. Kessler:
> How would you distinguish between
> 
> ... go to WWW EVIL ORG for new meds ...
> 
> and
> 
> ... digging through the WWW HE SAW this link ...
> 
> to prevent SA trying to look up www.he.saw?

Is SAW a valid TOPLEVEL domain?

SA could use a list of valid TLD's.

> And what about URLs that don't start with WWW, like
> 
> http:// meds spammer org

and what about:

   meds . for . cheap com

(several subdomains)

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
25.9V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie schrieb:
>> ... go to WWW EVIL ORG for new meds ...
>>
>> and
>>
>> ... digging through the WWW HE SAW this link ...
>>
> Both IMO should be caught and given a positive score. I've never seen
> legitimate mail containing URLs written this way.

Maybe I was not clear: The last one is NOT an url. Do you really want to
use the whole bunch of SA's URI tests against sentences like:

... looking at the www peter got an impression of ...
(-> www.peter.got?)


And again: What about urls that do not start with www? Which characters
should be examined for obfuscation ([ ,;:|?!=])? How many of them in
sequence should be examined? If SA tries to de-obfuscate each possible
triplet, you won't have enough computing power and you will be bombarded
with false-positives. If you really want that, you can write your own
rules but this is (by far) too dangerous for the standard SA
distribution (imo).




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
> ... go to WWW EVIL ORG for new meds ...
> 
> and
> 
> ... digging through the WWW HE SAW this link ...
> 
Both IMO should be caught and given a positive score. I've never seen
legitimate mail containing URLs written this way.

> And what about URLs that don't start with WWW, like
> 
> http:// meds spammer org
> 
That should be scored positive too, for the same reason.

I'm giving such munged URLs a score of 1.0. In addition I use metas to
give the score a boost if they appear on a technical mail list or in
combination with mis-spellings that are common in spam or words like
viagra.


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Jason Haar schrieb:
> All this talk about trying to catch urls that contain spaces/etc got me
> thinking: why isn't this a standard SA feature? i.e if SA sees
> "www(whitespace|comma|period)-combo(therest)", then rewrite it as the
> url and process.

How would you distinguish between

... go to WWW EVIL ORG for new meds ...

and

... digging through the WWW HE SAW this link ...

to prevent SA trying to look up www.he.saw?

And what about URLs that don't start with WWW, like

http:// meds spammer org



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-06-29 Thread Kevin Parris

>>> "Benny Pedersen"  06/28/09 12:42 AM >>>
>On Sun, June 28, 2009 05:38, Cory Hawkless wrote:
>> I agree, wouldn't it be easier to uniformly feed all of these type of URL's
>> though the already existing SA filters. As Jason suggested maybe by
>> collapsing whitespaces?
>
>lets redefine how a url is in the first place ?
>
>www localhost localdomain
>www.localhost.localdomain 
>
>one of them does not work :)
>
>spammers more or less just use the first one, so what ?
>
>> Sounds like the obvious solution to me? Any problems with this? If not how
>> can it be done?
>
>just show a working ReplaceTags for spaces, and then all can be solved to make
>rules with how spaces can rebuild into no spaces;
>e.g. in my above example " " will be "." and then SA sees the last url and first
>url
>
>imho this is what ReplaceTags does
>
>but as long as web browsers do not work on both, is it a big problem?


It is folly to underestimate the stupidity and/or gullibility of humans.  Just 
because the link "won't work" as-is in the message does NOT mean people out 
there won't retype it, corrected, into their browser address box.  It is my 
opinion that if the spammers weren't getting traffic to the websites from the 
email, they would stop sending the email.  Since the emails continue, we must 
presume that they are having some success in attracting victims to the sites.

Therefore, the URL obfuscation by omitting the dots seems to be a viable spam 
indicator.  The tricky part is in figuring out how to detect this trait 
reliably without tripping over other similar traits that are not good spam 
indicators.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Benny Pedersen

On Sun, June 28, 2009 20:47, Raymond Dijkxhoorn wrote:

> If you have to press the 'SPAM' link you allready have gotten the spam,
> right? So thats too late if you see this black/white.

Bayes also learns from sender IP and more, so it's not that big a problem if one 
gets to the end user here; if the spam score is too high it will
be added to the IP blacklist, which will tempfail in my MTA until resolved. Where 
did I fail?

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Raymond Dijkxhoorn

Hi!


Will users be ringing the helpdesk asking if the antispam system is
broken when all this "www space something dot" ends up in their INBOX?
Answer: you bet they do.


in my webmail there is a "SPAM" and "NOT SPAM" link, so i dont have 
this problem


If you have to press the 'SPAM' link you already have gotten the spam, 
right? So that's too late if you see this black/white.


Bye,
Raymond.


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Benny Pedersen

On Sun, June 28, 2009 10:08, Jason Haar wrote:
> On 06/28/2009 12:18 PM, Benny Pedersen wrote:
>> spammers need to rewrite webbrowsers also :=)
>> will you click on a url that is not clickable?
> Are you saying that this kind of spam doesn't work, as it requires the
> user to actually edit the link to make it work?

yes

> I think that's irrelevant. The job of an antispam system IMHO is to keep
> spam out of people's INBOXes - irrespective of whether or not it's spam
> that makes sense.

yes, this is also true, but it is also irrelevant to scan for urls that are not 
urls. A better way to check for fuzzy domains is to
make a meta that consists of  and tlds where all in between is random; that 
way we don't block any, and we hit on spam domains
that are fuzzy

and if end users train bayes this still counts

> Will users be ringing the helpdesk asking if the antispam system is
> broken when all this "www space something dot" ends up in their INBOX?
> Answer: you bet they do.

in my webmail there is a "SPAM" and "NOT SPAM" link, so I don't have this problem


-- 
xpoint



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Raymond Dijkxhoorn

Hi!


lets redefine how a url is in the first place ?

www localhost localdomain
www.localhost.localdomain

one of them does not work :)

spammers more or less just use the first one, so what ?


It doesn't matter much if it works or not. Spam is not a message with urls 
that work. So it's ending up in $enduser mailbox, and he didn't ask for it.


So in his opinion the spamfilter is not working ok. And we have to fix
this.

And I can't say he is wrong.

Bye,
Raymond.


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Henrik K
On Sun, Jun 28, 2009 at 01:08:45PM +0930, Cory Hawkless wrote:
> I agree, wouldn't it be easier to uniformly feed all of these type of URL's
> though the already existing SA filters. As Jason suggested maybe by
> collapsing whitespaces?
> 
> Sounds like the obvious solution to me? Any problems with this? If not how
> can it be done?

You don't see a problem? What about all of these and others?

example,com
example dot com
example & com
exampleCOM
example-com
example`com

Pretty soon SA is parsing dozens of "domains" from any given message and
uribls collapse from the load. ;-) Not to mention all the FP possibilities.

Maybe there could be some very specific rules to extend the url search.
Something like "/www \w+ com/i + s/ /./g". But someone would have to
distribute these rule updates. How would that be done when no one is even
distributing the simple rules posted here to catch this current spam run?

Hopefully some day (after SA 3.3 is released?) we see more frequent
sa-updates, especially if more people get SVN access and rules get checked
in nightly or faster.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-28 Thread Jason Haar
On 06/28/2009 12:18 PM, Benny Pedersen wrote:
>
> spammers need to rewrite webbrowsers also :=)
>
> will you click on a url that is not clickable?
>
>   
Are you saying that this kind of spam doesn't work, as it requires the
user to actually edit the link to make it work?

I think that's irrelevant. The job of an antispam system IMHO is to keep
spam out of people's INBOXes - irrespective of whether or not it's spam
that makes sense.

Will users be ringing the helpdesk asking if the antispam system is
broken when all this "www space something dot" ends up in their INBOX?
Answer: you bet they do.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread Benny Pedersen

On Sun, June 28, 2009 05:38, Cory Hawkless wrote:
> I agree, wouldn't it be easier to uniformly feed all of these type of URL's
> though the already existing SA filters. As Jason suggested maybe by
> collapsing whitespaces?

lets redefine how a url is in the first place ?

www localhost localdomain
www.localhost.localdomain

one of them does not work :)

spammers more or less just use the first one, so what ?

> Sounds like the obvious solution to me? Any problems with this? If not how
> can it be done?

just show a working ReplaceTags for spaces, and then all can be solved to make 
rules with how spaces can rebuild into no spaces;
e.g. in my above example " " will be "." and then SA sees the last url and first 
url

imho this is what ReplaceTags does

but as long as web browsers do not work on both, is it a big problem?

-- 
xpoint



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread Cory Hawkless
I agree, wouldn't it be easier to uniformly feed all of these type of URL's
though the already existing SA filters. As Jason suggested maybe by
collapsing whitespaces?

Sounds like the obvious solution to me? Any problems with this? If not how
can it be done?


-Original Message-
From: Jason Haar [mailto:jason.h...@trimble.co.nz] 
Sent: Sunday, 28 June 2009 9:28 AM
To: users@spamassassin.apache.org
Subject: Re: [NEW SPAM FLOOD] www.shopXX.net

All this talk about trying to catch urls that contain spaces/etc got me
thinking: why isn't this a standard SA feature? i.e if SA sees
"www(whitespace|comma|period)-combo(therest)", then rewrite it as the
url and process.

That way you get the whole force of SURBLs/etc onto it? I'm assuming all
these "shop" urls this thread has been agonizing about are already in
RBLs of course...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread Benny Pedersen

On Sun, June 28, 2009 01:57, Jason Haar wrote:
> All this talk about trying to catch urls that contain spaces/etc got me
> thinking: why isn't this a standard SA feature? i.e if SA sees
> "www(whitespace|comma|period)-combo(therest)", then rewrite it as the
> url and process.

spammers need to rewrite webbrowsers also :=)

will you click on a url that is not clickable?

> That way you get the whole force of SURBLs/etc onto it? I'm assuming all
> these "shop" urls this thread has been agonizing about are already in
> RBLs of course...

one could extend rule set to use ReplaceTags ?

-- 
xpoint



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread Jason Haar
All this talk about trying to catch urls that contain spaces/etc got me
thinking: why isn't this a standard SA feature? i.e if SA sees
"www(whitespace|comma|period)-combo(therest)", then rewrite it as the
url and process.

That way you get the whole force of SURBLs/etc onto it? I'm assuming all
these "shop" urls this thread has been agonizing about are already in
RBLs of course...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
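
One way to implement the rewrite Jason proposes here (and Benny's "space becomes dot" ReplaceTags idea in the replies): an added Python example, not code from the thread or from SpamAssassin, that folds a whitespace- or punctuation-obfuscated "www label tld" fragment back into a canonical hostname so the same URI blocklist lookups a real link gets can be applied to it. The separator set, the label limits and the two-label `blocklist_key` helper are assumptions made for this demo.

```python
import re

# Added example, not from the thread or the SpamAssassin project: rebuild an
# obfuscated "www <sep> label <sep> tld" fragment into a canonical hostname.
# The separator set and label limits below are assumptions chosen for this demo.

# Up to three separator characters (whitespace, period, comma) between the parts.
SEP = r"[\s.,]{1,3}"
OBFU_HOST = re.compile(
    r"\bwww" + SEP
    + r"(?P<label>[a-z0-9-]{3,20})" + SEP
    + r"(?P<tld>c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    re.IGNORECASE,
)


def canonical_host(m):
    """Collapse one match into lower-case 'www.label.tld' (spaces inside the TLD removed)."""
    label = m.group("label").lower()
    tld = re.sub(r"\s+", "", m.group("tld")).lower()
    return f"www.{label}.{tld}"


def deobfuscated_hosts(text):
    """Canonical hostnames hidden in text, in order of appearance, without repeats.

    A plain 'www.example.com' comes out unchanged, so a caller should drop hosts
    the normal URI extraction already produced, to avoid scoring them twice."""
    hosts = []
    for m in OBFU_HOST.finditer(text):
        host = canonical_host(m)
        if host not in hosts:
            hosts.append(host)
    return hosts


def blocklist_key(host):
    """Registered domain a SURBL-style list would be queried with (assumes a two-label domain)."""
    return ".".join(host.lower().split(".")[-2:])


# Constructed sample body modelled on the forms quoted in the thread.
SAMPLE = (
    "Visit www . pill22 . com for cheap meds\n"
    "or try www, shop07, net and www. shop08. com. today!\n"
    "Plain www.why11.com is already seen by the normal URI rules."
)

if __name__ == "__main__":
    for host in deobfuscated_hosts(SAMPLE):
        print(host, "->", blocklist_key(host))
```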



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread John Hardin

On Sat, 27 Jun 2009, Jeremy Morton wrote:

Why are you bothering with that?  It seems unnecessarily complex. Here's my 
amended rule:


/\bwww\s?\W?\s?\w{3,6}\d{2,6}s?\W?\s?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


That would match hy11com, which may not be recognized by the mark as a 
URI they need to deobfuscate - do you really want it that loose?


That would match www.why11.com, which the regular URI processing would 
match - do you really want to match it twice?


That's why I posted a more-complex version.

Note that I'm not saying it's wrong, just that it's looser than I prefer.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  False is the idea of utility that sacrifices a thousand real
  advantages for one imaginary or trifling inconvenience; that would
  take fire from men because it burns, and water because one may drown
  in it; that has no remedy for evils except destruction. The laws
  that forbid the carrying of arms are laws of such a nature. They
  disarm only those who are neither inclined nor determined to commit
  crime.   -- Cesare Beccaria, quoted by Thomas Jefferson
---
 7 days until the 233rd anniversary of the Declaration of Independence


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-27 Thread Jeremy Morton
Why are you bothering with that?  It seems unnecessarily complex. 
Here's my amended rule:


/\bwww\s?\W?\s?\w{3,6}\d{2,6}s?\W?\s?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

Best regards,
Jeremy Morton (Jez)

John Hardin wrote:

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On Tue, 2009-06-23 at 09:39 +0200, Paweł Tęcza wrote:


body OBFU_URI_WWDD_2
/\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i



The spammers strike at the weekend again. Unfortunately the rule above
doesn't work for the latest incarnation of that spam, that is "www.
pill22. com."


{sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!

/\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread John Hardin

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On Fri, 2009-06-26 at 14:15 -0700, John Hardin wrote:

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On Tue, 2009-06-23 at 09:39 +0200, Paweł Tęcza wrote:


 body OBFU_URI_WWDD_2
/\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


The spammers strike at the weekend again. Unfortunately the rule above
doesn't work for the latest incarnation of that spam, that is "www.
pill22. com."


{sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!

/\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

   ^
John,

Thanks a lot for the rule update! It works fine. I can say it's nearly
perfect, because it's missing only one small back-slash :) Please look
above.


D'oh!

That, plus some other fixes:

/\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 8 days until the 233rd anniversary of the Declaration of Independence
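
The rule bodies quoted in this exchange, run side by side over constructed samples so the behaviour each message describes can be checked directly. This is an added Python example, not code from the thread or from SpamAssassin; it relies on Python's re giving \b, \s, \W, \w and \d the same meaning as Perl for these ASCII inputs.

```python
import re

# Added example, not from the thread: the rule bodies posted in this thread,
# compiled with Python's re and run over constructed samples.
RULES = {
    # Pawel's OBFU_URI_WWDD_2: whitespace is required on both sides of the label
    "pawel": r"\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?"
             r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # John's first reply, with the missing backslash (s\W instead of \s\W)
    "john_typo": r"\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)"
                 r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # John's corrected version: whitespace may sit on either side of the punctuation
    "john_fixed": r"\bwww(?:\s\W?\s?|\W\s)\w{3,6}\d{2,6}(?:\s\W?\s?|\W\s)"
                  r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
    # Jeremy's looser rule: every separator is optional
    "jeremy": r"\bwww\s?\W?\s?\w{3,6}\d{2,6}s?\W?\s?"
              r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b",
}
COMPILED = {name: re.compile(body, re.IGNORECASE) for name, body in RULES.items()}

# Constructed samples modelled on the forms quoted in the thread.
SAMPLES = [
    "www pill22 com",        # plain space-separated form
    "www . pill22 . com",    # whitespace on both sides of the punctuation
    "www. pill22. com.",     # the "latest incarnation" Pawel reported
    "www pill22 .com",       # the case the missing backslash was meant to cover
    "www.why11.com",         # a real URL, already handled by the URI rules
]


def hits(text):
    """Names of the rules whose body regex fires on text, in RULES order."""
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def match_matrix(samples=SAMPLES):
    """Map each sample to the list of rules that match it."""
    return {s: hits(s) for s in samples}


if __name__ == "__main__":
    for sample, names in match_matrix().items():
        print(f"{sample!r:22} -> {', '.join(names) or '(no rule fires)'}")
```

Note that only Jeremy's rule fires on the plain "www.why11.com", which is John's "match it twice" objection, and only the corrected rule catches "www pill22 .com".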

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread Paweł Tęcza
On Fri, 2009-06-26 at 14:15 -0700, John Hardin wrote:
> On Fri, 26 Jun 2009, Paweł Tęcza wrote:
>
> > On Tue, 2009-06-23 at 09:39 +0200, Paweł Tęcza wrote:
> 
>   body OBFU_URI_WWDD_2
>  /\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
> >
> > The spammers strike at the weekend again. Unfortunately the rule above
> > doesn't work for the latest incarnation of that spam, that is "www.
> > pill22. com."
> 
> {sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!
> 
> /\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
^
John,

Thanks a lot for the rule update! It works fine. I can say it's nearly
perfect, because it's missing only one small back-slash :) Please look
above.

Have a nice weekend!

P.




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-26 Thread John Hardin

On Fri, 26 Jun 2009, Paweł Tęcza wrote:


On Tue, 2009-06-23 at 09:39 +0200, Paweł Tęcza wrote:


 body OBFU_URI_WWDD_2
/\bwww\s(?:\W\s)?\w{3,6}\d{2,6}\s(?:\W\s)?(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i


The spammers strike at the weekend again. Unfortunately the rule above
doesn't work for the latest incarnation of that spam, that is "www.
pill22. com."


{sung to the tune of Peter Gabriel's "Kiss That Frog"} Whack that mole!

/\bwww(?:\s|\s\W|\W\s)\w{3,6}\d{2,6}(?:\s|s\W|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The one political issue that strips all politicians bare is
  individual gun rights.
---
 8 days until the 233rd anniversary of the Declaration of Independence
