Re: [NEW SPAM FLOOD] www_nu26_com
On Sat, 11 Jul 2009, Jason L Tibbitts III wrote:
> I still wonder, though, if we shouldn't be turning these back into
> hostnames and looking them up in the regular URI blacklists

Given the obvious objections to having the primary URIBL mechanism try to parse obfuscations, I once again question why we cannot have some sort of mechanism for 'capturing' the values of ordinary tests (such as the overly complex rule to catch these uribl obfuscations) and then have that value to manually feed to another test? There would be some interesting details to such a thing; for instance, if a rule matches more than one obfuscated URI, the 'capture' mechanism would have to somehow 'deliver' each captured value as an iteration of any check/test that included it. But for cases like this URI stuff, something 'flexible' is needed.

- Charles
RE: [NEW SPAM FLOOD] www_nu26_com
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
>> "MD" == McDonald, Dan writes:
>
> MD> The rules I posted last night catch those. They switched from underscores to commas this morning, and my rules still catch them.
>
> I still wonder, though, if we shouldn't be turning these back into
> hostnames and looking them up in the regular URI blacklists, because
> the looser we make the rules, the larger the chance of false
> positives.

That's why I have the "exclude two dots" part of the rule. My first attempt was getting a lot of false positives. Anyone obfuscating the domain name, IMHO, is definitely asking to be blocked.

--
Dan McDonald, CCIE # 2495, CISSP # 78281, CNX
Re: [NEW SPAM FLOOD] www_nu26_com
> "MD" == McDonald, Dan writes:

MD> The rules I posted last night catch those. They switched from
MD> underscores to commas this morning, and my rules still catch them.

FYI, they're also using plus signs, which also seem to be caught properly by your rules. I think we're good until they switch to alphanumerics like wwwZnu26Ycom, which we should be able to filter out pretty trivially.

I still wonder, though, if we shouldn't be turning these back into hostnames and looking them up in the regular URI blacklists, because the looser we make the rules, the larger the chance of false positives. Not sure if spamassassin actually permits that, however.

- J
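The two ideas discussed in this thread, turning www_nu26_com-style tokens (underscore, comma or plus as the separator) back into dotted hostnames so they can be checked against a URI blacklist, and Dan's "exclude two dots" guard against false positives, as an added Python example that is not code from any poster and not a SpamAssassin rule. The sample body, the local blacklist set standing in for a DNS lookup, and the last-two-labels domain shortcut are constructed assumptions.

```python
import re

# Separators the thread reports spammers substituting for the dots of a
# hostname: underscore, comma and plus sign.  Mixed separators
# ("www_nu26,com") and alphanumeric stand-ins ("wwwZnu26Ycom") are
# deliberately not rewritten here.
SEPARATORS = "_,+"
OBFUSCATED_HOST_RE = re.compile(
    r"^(www)([" + re.escape(SEPARATORS) + r"])([a-z0-9-]{2,63})\2([a-z]{2,6})$",
    re.IGNORECASE,
)


def deobfuscate_hosts(text):
    """Recover dotted hostnames from www<sep>label<sep>tld tokens.

    A token is rewritten only when the same separator appears in both
    positions.  Tokens that already contain two or more dots are a real
    dotted hostname and are skipped, mirroring the "exclude two dots"
    guard that cut the false positives in the thread.
    """
    hosts = []
    for raw in text.split():
        if raw.count(".") >= 2:
            continue
        # Trim surrounding punctuation but keep _ , + : they may be the separator.
        token = raw.strip("()<>[]\"'.;:!?")
        m = OBFUSCATED_HOST_RE.match(token)
        if m:
            hosts.append(".".join((m.group(1), m.group(3), m.group(4))).lower())
    return hosts


def registrable_domain(host):
    """Simplification (assumption): last two labels.  A real URIBL lookup
    would derive the registrable domain from a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def uribl_hits(text, blacklist):
    """Look recovered hostnames up in a local stand-in for a URI blacklist.

    `blacklist` is a set of registrable domains; a real deployment would
    issue a DNS query for <domain>.<zone> instead of this set lookup.
    """
    return sorted({registrable_domain(h) for h in deobfuscate_hosts(text)} & blacklist)


# Constructed sample message body and blacklist for the example.
SAMPLE_BODY = """Visit www_nu26_com today!  Or try www,nu26,com and www+nu26+com.
Our real site is www.example.org and the ticket is at www.support.example.org."""
SAMPLE_BLACKLIST = {"nu26.com"}

if __name__ == "__main__":
    print(deobfuscate_hosts(SAMPLE_BODY))   # three copies of www.nu26.com
    print(uribl_hits(SAMPLE_BODY, SAMPLE_BLACKLIST))   # ['nu26.com']
```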