RE: [SPAM-TAG] SURBL missing this spam
I managed to write a metarule for anyone interested, to catch a URL with trailing : without a port specified, without FP on a 4 digit port.

uri __SpoofPort_URL /.*\:.*|.*\...:.*/
uri __OkPort_URL /.*\:[0-9]|.*\:[0-9].+\/.*|.*\...:[0-9]|.*\...:[0-9].+\/.*/
meta Spoof_Port_URL (( __SpoofPort_URL - __OkPort_URL) > 0)
score Spoof_Port_URL 5
describe Spoof_Port_URL URL with trailing : but no port specified

Martin
Re: [SPAM-TAG] SURBL missing this spam
On Sat, Mar 05, 2005 at 11:07:22AM +0100, Raymond Dijkxhoorn wrote:
> Any ETA on 3.1 ?

Nothing official. We're planning a bug fix fest (or whatever you want to call it) later this coming week, and we'll have to figure out what is left for 3.1 versus what can get punted to 3.2. There's also the whole score generation thing as well as a week or so of 3.1 release candidates.

So I'd say a minimum of 1 month if we go gung ho for the next week or two and get it all together.

I, and several other people, have been dogfooding the 3.1 code for a while though, and it's pretty stable already. FWIW.

--
Randomly Generated Tagline:
Disappearing Tagline! (Just hit Enter. Try it now!)
Re: [SPAM-TAG] SURBL missing this spam
On Friday, March 4, 2005, 3:47:04 PM, martin smith wrote:
> I must have received this spam 12 times or more in the last 24 hours and even though it's listed on the SURBL, spamassassin fails to match it against them. When I submit the spams to spamcop it parses the url every time. SURBL seems to work on all other spams, just wondering if they have found a way to avoid spamassassin catching the URL.
>
> Martin

The URI is a little unusual, with a missing port number after the colon:

http://crazyrxl0wprices-MUNGED.com:/

Maybe that syntax is throwing off SA?

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: [SPAM-TAG] SURBL missing this spam
On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> The URI is a little unusual, with a missing port number after the colon:
>
> http://crazyrxl0wprices-MUNGED.com:/
>
> Maybe that syntax is throwing off SA?

Yeah, it does look like a bug somewhere in 3.0.x. 3.1 catches it fine, fwiw.

3.0: debug: URIDNSBL: domains to query:
3.1: debug: uridnsbl: domains to query: crazyrxl0wprices.com

--
Randomly Generated Tagline:
... and don't we all love Pspice? - Instructor Dean
Re: [SPAM-TAG] SURBL missing this spam
On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> The URI is a little unusual, with a missing port number after the colon:
>
> http://crazyrxl0wprices-MUNGED.com:/

I can confirm that behaviour here.

http://blocked-domain.com/ is picked up
http://blocked-domain.com:/ is not picked up
http://blocked-domain.com:80/ is picked up

Matthew

--
Matthew Newton [EMAIL PROTECTED]
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Re: [SPAM-TAG] SURBL missing this spam
----- Original Message -----
From: Jeff Chan [EMAIL PROTECTED]

> On Friday, March 4, 2005, 3:47:04 PM, martin smith wrote:
> > I must have received this spam 12 times or more in the last 24 hours and even though it's listed on the SURBL, spamassassin fails to match it against them. When I submit the spams to spamcop it parses the url every time. SURBL seems to work on all other spams, just wondering if they have found a way to avoid spamassassin catching the URL.
> >
> > Martin
>
> The URI is a little unusual, with a missing port number after the colon:
>
> http://crazyrxl0wprices-MUNGED.com:/
>
> Maybe that syntax is throwing off SA?

Ah, good catch, I hadn't even noticed the trailing :.

Bill
Re: [SPAM-TAG] SURBL missing this spam
On Fri, Mar 04, 2005 at 05:23:35PM -0800, Jeff Chan wrote:
> Given that it's apparently fixed in 3.1 should we make a bugzilla? Might it be worth reviewing that the expression or code was specifically fixed to explain this (better) behavior? Or would that be unnecessary?

I wouldn't bother with a ticket. We're trying to get 3.1 out as opposed to a 3.0.3. I also don't know if the issue is simple to fix in 3.0 or not. 3.1 has had a lot of work done to it since 3.0. ;)

--
Randomly Generated Tagline:
Honk if you've been married to Elizabeth Taylor.
Re: [SPAM-TAG] SURBL missing this spam
On Fri, 4 Mar 2005, Jeff Chan wrote: On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote: On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote: The URI is a little unusual, with a missing port number after the colon: http://crazyrxl0wprices-MUNGED.com:/ Maybe that syntax is throwing off SA? Yeah, it does look like a bug somewhere in 3.0.x. 3.1 catches it fine, fwiw. 3.0: debug: URIDNSBL: domains to query: 3.1: debug: uridnsbl: domains to query: crazyrxl0wprices.com Thanks Theo, Given that it's apparently fixed in 3.1 should we make a bugzilla? Might it be worth reviewing that the expression or code was specifically fixed to explain this (better) behavior? Or would that be unnecessary? For those still running SA 2.6* + SpamCopURI-0.22 The following ONE character patch fixes this bug: *** SpamCopURI.pm-orig Thu Aug 5 14:58:59 2004 --- SpamCopURI.pm Fri Mar 4 21:22:37 2005 *** *** 276,282 # URI doesn't always put the port in the right place # so we strip it off here ! $url{host} =~ s/:[0-9]+$// if $url{host}; # Cleanup for urls that come in with a dot in the front --- 276,282 # URI doesn't always put the port in the right place # so we strip it off here ! $url{host} =~ s/:[0-9]*$// if $url{host}; # Cleanup for urls that come in with a dot in the front (IE just change that '+' to a '*' ;) -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.eduCollege of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
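Review bot: the comment above the changed substitution still only says the port is stripped, so nothing records that the `*` in `s/:[0-9]*$//` is deliberate; it should say that an empty port (a bare trailing `:`) is matched on purpose, otherwise the quantifier reads like a typo and is easy to revert to `+`. A host that ends in more than one colon would still be left with a trailing colon after this substitution, so it is worth deciding whether the strip should repeat, and a test case for `host:` next to `host:80` would pin the behaviour down.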
Re: [SURBL-Discuss] Re: [SPAM-TAG] SURBL missing this spam
On Friday, March 4, 2005, 7:37:45 PM, David Funk wrote: On Fri, 4 Mar 2005, Jeff Chan wrote: On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote: On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote: The URI is a little unusual, with a missing port number after the colon: http://crazyrxl0wprices-MUNGED.com:/ Maybe that syntax is throwing off SA? Yeah, it does look like a bug somewhere in 3.0.x. 3.1 catches it fine, fwiw. 3.0: debug: URIDNSBL: domains to query: 3.1: debug: uridnsbl: domains to query: crazyrxl0wprices.com For those still running SA 2.6* + SpamCopURI-0.22 The following ONE character patch fixes this bug: *** SpamCopURI.pm-orig Thu Aug 5 14:58:59 2004 --- SpamCopURI.pm Fri Mar 4 21:22:37 2005 *** *** 276,282 # URI doesn't always put the port in the right place # so we strip it off here ! $url{host} =~ s/:[0-9]+$// if $url{host}; # Cleanup for urls that come in with a dot in the front --- 276,282 # URI doesn't always put the port in the right place # so we strip it off here ! $url{host} =~ s/:[0-9]*$// if $url{host}; # Cleanup for urls that come in with a dot in the front (IE just change that '+' to a '*' ;) Yep; zero or more instead of one or more for the port portion :-) I'm pretty sure Eric Kolve is still on this list. Perhaps he can consider putting your patch into SpamCopURI. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: [SPAM-TAG] SURBL missing this spam
Hi Theo,

> > http://crazyrxl0wprices-MUNGED.com:/
> >
> > Maybe that syntax is throwing off SA?
>
> Yeah, it does look like a bug somewhere in 3.0.x. 3.1 catches it fine, fwiw.
>
> 3.0: debug: URIDNSBL: domains to query:
> 3.1: debug: uridnsbl: domains to query: crazyrxl0wprices.com

Any ETA on 3.1 ?

Thanks,
Raymond.
Re: [SPAM-TAG] SURBL missing this spam
On Saturday, March 5, 2005, 2:07:22 AM, Raymond Dijkxhoorn wrote:
> > > http://crazyrxl0wprices-MUNGED.com:/
> > >
> > > Maybe that syntax is throwing off SA?
> >
> > Yeah, it does look like a bug somewhere in 3.0.x. 3.1 catches it fine, fwiw.
> >
> > 3.0: debug: URIDNSBL: domains to query:
> > 3.1: debug: uridnsbl: domains to query: crazyrxl0wprices.com
>
> Any ETA on 3.1 ?

Well it sounds like they're in C-T-R mode now, so not quite yet, but maybe within the next month or two?

http://wiki.apache.org/spamassassin/DevelopmentMode

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: [SPAM-TAG] SURBL missing this spam
|-----Original Message-----
|From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
|Sent: 05 March 2005 01:27
|To: SpamAssassin Users
|Subject: Re: [SPAM-TAG] SURBL missing this spam
|
|On Fri, Mar 04, 2005 at 05:23:35PM -0800, Jeff Chan wrote:
|> Given that it's apparently fixed in 3.1 should we make a bugzilla?
|> Might it be worth reviewing that the expression or code was
|> specifically fixed to explain this (better) behavior?
|> Or would that be unnecessary?
|
|I wouldn't bother with a ticket. We're trying to get 3.1 out
|as opposed to a 3.0.3. I also don't know if the issue is
|simple to fix in 3.0 or not. 3.1 has had a lot of work done
|to it since 3.0. ;)
|

Is there a uri rule we could use to catch e.g. .com: or .uk: in the meantime until 3.1 becomes available? There is a possibility other spammers may try using this technique to exploit the bug.

I tried uri BadPort_URL /.???:|.??:/ but was an invalid regexp, I have never tried to write any rules before so haven't a clue of the allowed formats, sure it's quite simple to those that do.

I also put this one in but like someone else said this will probably now be defunct;

uri Crazy_URL /crazyrxl0wprices.com:/
score Crazy_URL 10

Martin
RE: [SPAM-TAG] SURBL missing this spam
|-----Original Message-----
|From: martin smith [mailto:[EMAIL PROTECTED]
|Sent: 05 March 2005 11:41
|To: Spamassassin
|Subject: RE: [SPAM-TAG] SURBL missing this spam
|
|Is there a uri rule we could use to catch e.g. .com: or .uk:
|in the meantime until 3.1 becomes available? There is a
|possibility other spammers may try using this technique to
|exploit the bug.
|
|I tried uri BadPort_URL /.???:|.??:/ but was an invalid
|regexp, I have never tried to write any rules before so haven't
|a clue of the allowed formats, sure it's quite simple to those that do.
|I also put this one in but like someone else said this will
|probably now be defunct;
|
|uri Crazy_URL /crazyrxl0wprices.com:/
|score Crazy_URL 10
|

Ok I have done a bit of reading up and got this rule to work, would appreciate someone to check it over to make sure I haven't made a rule that will FP

uri SpoofPort_URL /.*\:.*|.*\...:.*/
score SpoofPort_URL 1

Will up the score once I am satisfied I get no FP's

Martin
RE: [SPAM-TAG] SURBL missing this spam
|
|uri SpoofPort_URL /.*\:.*|.*\...:.*/
|score SpoofPort_URL 1
|

Ok MK2 that one could FP on genuine URLs with a port specified

uri SpoofPort_URL /.*\:.*|.*\...:.*/
score SpoofPort_URL 1
uri OkPort_URL /.*\:|.*\...:./|/.*\:\/.*|.*\...:.\/.*/
score OkPort_URL -1

Sorry for so many posts, this is a learning curve for me, sure this can be done better possibly with a meta rule but that's getting way too much above me for now. This will do till someone comes up with a better rule or fix.
Re: [SPAM-TAG] SURBL missing this spam
On Saturday 05 March 2005 14:49, martin smith wrote:
> |uri SpoofPort_URL /.*\:.*|.*\...:.*/
> |score SpoofPort_URL 1
>
> Ok MK2 that one could FP on genuine URLs with a port specified
>
> uri SpoofPort_URL /.*\:.*|.*\...:.*/
> score SpoofPort_URL 1
> uri OkPort_URL /.*\:|.*\...:./|/.*\:\/.*|.*\...:.\/.*/
> score OkPort_URL -1

Hmm.. the variant I came up with doesn't use the uri tag, instead:

body SURBL_DODGE /http(s)?|ftp:\/\/.*:\//
score SURBL_DODGE 5

The only problem being that it can score on a url like http://some.good.site/fred:/

Why someone would have a : in the path or query, I don't know, but it's a possibility.
RE: [SPAM-TAG] SURBL missing this spam
|-----Original Message-----
|From: Duncan Hill [mailto:[EMAIL PROTECTED]
|Sent: 05 March 2005 15:02
|To: users@spamassassin.apache.org
|Subject: Re: [SPAM-TAG] SURBL missing this spam
|
|On Saturday 05 March 2005 14:49, martin smith wrote:
|> |uri SpoofPort_URL /.*\:.*|.*\...:.*/
|> |score SpoofPort_URL 1
|>
|> Ok MK2 that one could FP on genuine URLs with a port specified
|>
|> uri SpoofPort_URL /.*\:.*|.*\...:.*/
|> score SpoofPort_URL 1
|> uri OkPort_URL /.*\:|.*\...:./|/.*\:\/.*|.*\...:.\/.*/
|> score OkPort_URL -1
|
|Hmm.. the variant I came up with doesn't use the uri tag, instead:
|body SURBL_DODGE /http(s)?|ftp:\/\/.*:\//
|score SURBL_DODGE 5
|
|The only problem being that it can score on a url like
|http://some.good.site/fred:/
|
|Why someone would have a : in the path or query, I don't know,
|but it's a possibility.

Unfortunately that will FP if u have any text after the URL with :/

E.g. Take a look at http://some.good.site you never know:/
Re: [SPAM-TAG] SURBL missing this spam
Duncan,

As written your rule only checks for a ':' immediately before a '/'. But at least one valid use of the colon is http://[EMAIL PROTECTED]:host, which is defined as part of the standard HTTP protocol.

Paul Shupak
[EMAIL PROTECTED]
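
The cases raised across this thread (no port, empty port, normal port, a colon only in the path, a colon only in the userinfo), worked through as an added Perl example; it is not code from SpamAssassin, SpamCopURI or any poster, and `parse_authority` and the `.example` hosts are constructed for illustration. It goes slightly beyond the thread by also accepting a bracketed IPv6 host and an empty port followed by `?`.

```perl
#!/usr/bin/perl
# Added example: split the authority first, then judge the port, instead of
# matching a colon anywhere in the text of the URI.
use strict;
use warnings;

# Split scheme://[userinfo@]host[:port] out of a URI. The port is "zero or
# more digits", so "host:" with an empty port is legal and must still yield
# the bare host for a blocklist lookup.
sub parse_authority {
    my ($uri) = @_;
    # The authority runs from "//" to the first "/", "?" or "#".
    my ($auth) = $uri =~ m{^[a-z][a-z0-9+.-]*://([^/?#]*)}i or return;
    # Userinfo ends at the last "@"; a colon inside it is not a port separator.
    $auth =~ s/^.*\@//;
    # Host is a bracketed IPv6 literal or everything up to the first colon.
    my ($host, $colon, $port) = $auth =~ /^(\[[^\]]*\]|[^:]*)(:?)(.*)$/ or return;
    return {
        host       => lc($host),
        empty_port => ($colon eq ':' && $port eq '') ? 1 : 0,
        bad_port   => ($port =~ /\D/) ? 1 : 0,
    };
}

# Constructed sample URIs (hypothetical hosts under .example).
my @samples = (
    'http://blocked-domain.example/',          # no port
    'http://blocked-domain.example:/',         # empty port, as in this thread
    'http://blocked-domain.example:80/',       # normal port
    'http://good-site.example/fred:/',         # colon in the path only
    'http://user:secret@good-site.example/',   # colon in the userinfo only
    'http://user@blocked-domain.example:/x',   # userinfo plus empty port
    'HTTP://Blocked-Domain.example:?q=1',      # empty port followed by a query
);

for my $uri (@samples) {
    my $p = parse_authority($uri) or next;
    my $verdict = $p->{empty_port} ? 'EMPTY PORT'
                : $p->{bad_port}   ? 'non-numeric port'
                :                    'ok';
    printf "%-42s host=%-26s %s\n", $uri, $p->{host}, $verdict;
}
```

The host is lowercased and returned without the port in every case, so a blocklist lookup sees the same name whether or not the colon is there, and the empty-port flag can be scored separately.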