Re: How are cllassified this?

2007-04-04 Thread Anthony Peacock

Rocco Scappatura wrote:

full CHIME_BODY_IMAGESHACK /\bhttp:\/\/.*\.imageshack\.us/i
describe CHIME_BODY_IMAGESHACK Emails containing imageshack.us URLs.

score CHIME_BODY_IMAGESHACK 2.0

Place these three lines in your local.cf file and restart any 
daemons. 
You can adjust the score to whatever you want.


This URL is very indiscriminate, in that it will score for 
ANY URL from imageshack.us, and not just the spammy ones.  
But in my situation this is acceptable.


But it won't be indiscriminate in my case.. Is there any other solution?


Keep messages on the list.

These are very simple messages that are exploiting an image hosting 
service.  There are very few spam signs in them.  I have decided that 
for the time being none of my users are affected by scoring purely on 
the imageshack.us url.


In cases like these it is very difficult to come up with generic 
solutions that fit everyone's requirements, which is why I would 
recommend that you have a look at learning how to write very simple 
rules.  That way you will be able to write something that meets your 
very specific needs.  If you are uncertain of your rules, you should set 
a small score (say 0.1) first so that any misfires do not have a major 
effect on overall scoring, but you can see them in your results.  You 
can also send your rules to this list and the regulars here will be able 
to check them out and give you advice.


Failing that you will have to be very specific about your requirements 
for these spams, and someone might be able to suggest a rule that meets 
your needs.



--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas. -- George Bernard Shaw


RE: How are cllassified this?

2007-04-04 Thread Rocco Scappatura
  But it won't be indiscriminate in my case.. Is there any 
 other solution?
 
 Keep messages on the list.
 
 These are very simple messages that are exploiting an image 
 hosting service.  There are very few spam signs in them.  I 
 have decided that for the time being none of my users are 
 affected by scoring purely on the imageshack.us url.
 
 In cases like these it is very difficult to come up with 
 generic solutions that fit everyone's requirements, which is 
 why I would recommend that you have a look at learning how to 
 write very simple rules.  That way you will be able to write 
 something that meets your very specific needs.  If you are 
 uncertain of your rules, you should set a small score (say 
 0.1) first so that any misfires do not have a major effect on 
 overall scoring, but you can see them in your results.  You 
 can also send your rules to this list and the regulars here 
 will be able to check them out and give you advice.
 
 Failing that you will have to be very specific about your 
 requirements for these spams, and someone might be able to 
 suggest a rule that meets your needs.

Thank you. You are very clear..

I think I will try to use your rule, and then I'll
observe what happens..

rocsca


RE: How are cllassified this?

2007-04-03 Thread Duncan Hill
Yay, spammy has morphed, and the pattern that was working doesn't work
(the morph appears to be making the filenames truly random now):

http://img444.imageshack.us/img444/6834/mchd6.jpg
http://img444.imageshack.us/my.php?image=5bsoda1.jpg
http://img444.imageshack.us/img444/3335/68jo5.jpg

the server + path is controlled by imageshack I think, but the filename is
up to the spammer.



Re: How are cllassified this?

2007-04-03 Thread Anthony Peacock

Hi,

Duncan Hill wrote:

Yay, spammy has morphed, and the pattern that was working doesn't work
(the morph appears to be making the filenames truly random now):

http://img444.imageshack.us/img444/6834/mchd6.jpg
http://img444.imageshack.us/my.php?image=5bsoda1.jpg
http://img444.imageshack.us/img444/3335/68jo5.jpg

the server + path is controlled by imageshack I think, but the filename is
up to the spammer.


To be honest, I have given a score to anything that has a URL from 
imageshack.us in it.  The score isn't enough to put the email over the 
limit on its own, but with Bayes and a couple of others it does the trick.


--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas. -- George Bernard Shaw


Re: How are cllassified this?

2007-04-02 Thread John D. Hardin
On Mon, 2 Apr 2007, Rocco Scappatura wrote:

 What I can't figure out is if this is a new kind of spam or if I
 can update it using the available rulesets (with sa-update or
 RDJ).
 
 Can someone give a hint?

 Received: from dsl51B7EDE5.pool.t-online.hu
 (dsl51B7EDE5.pool.t-online.hu [81.183.237.229])
   by av3.stt.vir (Postfix) with ESMTP id 315D47500F7
   for [EMAIL PROTECTED]; Mon,  2 Apr 2007 17:21:05 +0200 (CEST)

Is av3.stt.vir your public MTA? If so, the botnet plugin from
http://people.ucsc.edu/~jrudd/spamassassin/ might help. That looks 
like a dynamic-host rDNS.

 Search engine, fax scanting software?

scanting? Bayes might help.

 http://img133.imageshack.us/img133/5553/webvq2.gif

Huh. That's not good URIBL fodder.

As was suggested, add a little to the score for an imageshack.us URI.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 11 days until Thomas Jefferson's 264th Birthday



RE: How are cllassified this?

2007-04-02 Thread Randal, Phil
A large score for ImageShack uris, not a small one, would seem to be in
order, otherwise a good proportion end up in people's mailboxes.

Unfortunately ImageShack's report abuse link on their webpage (
http://reg.imageshack.us/content.php?page=emailq=abuse ) isn't
responding, so I guess I'm not the only one trying to complain.

We've trapped 2000 of the critters in the last 4 1/2 hours with the aid
of the obvious uri rule and a bit of Bayes training.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From: John D. Hardin [mailto:[EMAIL PROTECTED] 
 Sent: 02 April 2007 17:00
 To: SpamAssassin Users List
 Subject: Re: How are cllassified this?
 
 On Mon, 2 Apr 2007, Rocco Scappatura wrote:
 
  What I can't figure out is if this is a new kind of spam or if I
  can update it using the available rulesets (with sa-update or
  RDJ).
  
  Can someone give a hint?
 
  Received: from dsl51B7EDE5.pool.t-online.hu
  (dsl51B7EDE5.pool.t-online.hu [81.183.237.229])
  by av3.stt.vir (Postfix) with ESMTP id 315D47500F7
  for [EMAIL PROTECTED]; Mon,  2 Apr 2007 17:21:05 +0200 (CEST)
 
 Is av3.stt.vir your public MTA? If so, the botnet plugin from
 http://people.ucsc.edu/~jrudd/spamassassin/ might help. That looks 
 like a dynamic-host rDNS.
 
  Search engine, fax scanting software?
 
 scanting? Bayes might help.
 
  http://img133.imageshack.us/img133/5553/webvq2.gif
 
 Huh. That's not good URIBL fodder.
 
 As was suggested, add a little to the score for an imageshack.us URI.
 
 --
  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
   Gun Control laws cannot reduce violent crime, because gun control
   laws focus obsessively on a tool a criminal might use to commit a
   crime rather than the criminal himself and his act of violence.
 ---
  11 days until Thomas Jefferson's 264th Birthday
 
 


Re: How are cllassified this?

2007-04-02 Thread Duncan Hill
On Mon, April 2, 2007 16:34, Rocco Scappatura wrote:

 What I can't figure out is if this is a new kind of spam or if I can
 update it using the available rulesets (with sa-update or RDJ).

 Search engine, fax scanting software?
 http://img133.imageshack.us/img133/5553/webvq2.gif

Custom ruleset will be the fastest way to catch these.  A single regex
works quite well.

http:\/\/img\d{3}\.imageshack\.us\/img\d{3}\/\d{4}\/web\w{2}\d\.gif

for instance.  Implementing it is left as an exercise for the reader.
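To show the trade-off this thread keeps circling (Anthony Peacock's broad "any imageshack.us URL" rule versus this narrow filename pattern, and his advice to trial an untested rule at 0.1 before raising its score), here is an added example in Python that is not part of the thread or of SpamAssassin itself. It translates both Perl-style regexes to Python, runs them over the four URIs quoted in the thread plus two hand-written legitimate messages, and sums rule scores the way SpamAssassin does. The rule name LOCAL_IMAGESHACK_WEBGIF, the 0.1 trial score, the img999 host in the legitimate message and the corpus labels are this example's own assumptions; 5.0 is SpamAssassin's default required_score.

```python
import re

# Rule definitions modelled on the two approaches discussed in the thread.
# Patterns are Python translations of the Perl-style regexes quoted there;
# the second rule's name and its 0.1 trial score are assumptions of this example.
RULES = {
    # Anthony Peacock's broad rule: any imageshack.us URL, scored 2.0.
    "CHIME_BODY_IMAGESHACK": re.compile(r"\bhttp://.*\.imageshack\.us", re.IGNORECASE),
    # Duncan Hill's narrow pattern for the original "web??N.gif" filenames,
    # given the small trial score Anthony recommends for an unproven rule.
    "LOCAL_IMAGESHACK_WEBGIF": re.compile(
        r"http://img\d{3}\.imageshack\.us/img\d{3}/\d{4}/web\w{2}\d\.gif"
    ),
}
SCORES = {"CHIME_BODY_IMAGESHACK": 2.0, "LOCAL_IMAGESHACK_WEBGIF": 0.1}
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# Constructed corpus: the four URIs quoted in the thread as one-line bodies,
# plus two hand-written legitimate messages (one linking to a constructed
# imageshack.us host) so that false positives become visible.
CORPUS = [
    ("spam", "http://img133.imageshack.us/img133/5553/webvq2.gif"),
    ("spam", "http://img444.imageshack.us/img444/6834/mchd6.jpg"),
    ("spam", "http://img444.imageshack.us/my.php?image=5bsoda1.jpg"),
    ("spam", "http://img444.imageshack.us/img444/3335/68jo5.jpg"),
    ("ham", "Hey, look at this picture I just took! "
            "http://img999.imageshack.us/img999/1234/holiday.jpg"),
    ("ham", "Agenda for Monday is at http://www.example.com/agenda"),
]


def matched_rules(body):
    """Return the names of all rules whose pattern fires on this body."""
    return [name for name, rx in RULES.items() if rx.search(body)]


def score_message(body):
    """Sum the scores of every rule that fired, as SpamAssassin does."""
    return sum(SCORES[name] for name in matched_rules(body))


def is_spam(body):
    """True when the accumulated rule score reaches the required threshold."""
    return score_message(body) >= REQUIRED_SCORE


def evaluate(corpus=CORPUS):
    """Per-rule hit / false-positive / miss counts over a labelled corpus."""
    report = {name: {"hits": 0, "false_positives": 0, "missed": 0} for name in RULES}
    for label, body in corpus:
        fired = set(matched_rules(body))
        for name in RULES:
            if name in fired:
                report[name]["hits" if label == "spam" else "false_positives"] += 1
            elif label == "spam":
                report[name]["missed"] += 1
    return report


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(f"{name:24s} {counts}")
    for label, body in CORPUS:
        print(f"{label:4s} score={score_message(body):.1f} spam={is_spam(body)}")
```

Run stand-alone, the report shows the broad rule catching all four thread samples but also the legitimate "look at this picture" message, while the narrow pattern catches only the original webvq2.gif sample and misses the three morphed filenames Duncan reports on 2007-04-03. None of the bodies reaches 5.0 on these rules alone, which is the point Anthony makes: the URL score is a nudge that needs Bayes and other rules to push a message over the line. In a real local.cf the same pattern would more naturally be a `uri` rule, which SpamAssassin runs against the URIs it extracts rather than the whole raw message.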



RE: How are cllassified this?

2007-04-02 Thread John D. Hardin
On Mon, 2 Apr 2007, Randal, Phil wrote:

 A large score for ImageShack uris, not a small one, would seem to
 be in order, otherwise a good proportion end up in people's
 mailboxes.

I'm not familiar with ImageShack - is it public hosting of images a la
Flickr, such that people might legitimately send "hey, look at this
picture I just took!" type emails?

 Unfortunately ImageShack's report abuse link on their webpage (
 http://reg.imageshack.us/content.php?page=emailq=abuse ) isn't
 responding, so I guess I'm not the only one trying to complain.
 
 We've trapped 2000 of the critters in the last 4 1/2 hours with the aid
 of the obvious uri rule and a bit of Bayes training.

Yow.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Homeland Security: Specializing in Tactical Band-aids for Strategic
  Problems.   -- Eric K. in Bruce Schneier's blog
---
 11 days until Thomas Jefferson's 264th Birthday



RE: How are cllassified this?

2007-04-02 Thread Duncan Hill
On Mon, April 2, 2007 19:14, John D. Hardin wrote:
 On Mon, 2 Apr 2007, Randal, Phil wrote:


 A large score for ImageShack uris, not a small one, would seem to
 be in order, otherwise a good proportion end up in people's mailboxes.

 I'm not familiar with ImageShack - is it public hosting of images a la
 Flickr, such that people might legitimately send "hey, look at this
 picture I just took!" type emails?

It is.  Free image hosting, banner ads on the page.

 Unfortunately ImageShack's report abuse link on their webpage (
 http://reg.imageshack.us/content.php?page=emailq=abuse ) isn't
 responding, so I guess I'm not the only one trying to complain.

There are enough variations of the image that they're probably inundated. 
I've managed to report 2 of them, but the URLs are constantly changing
(but are also changing to a pattern).

 We've trapped 2000 of the critters in the last 4 1/2 hours with the aid
  of the obvious uri rule and a bit of Bayes training.

 Yow.

I think one node that I take care of has seen way more than that.  I'll
have to ask it tomorrow.  Bayes has been doing fairly well against them. 
Quite a few also have things like '- (GMT)' in the headers, which
triggers one of the SA rules about timezones.

A good number of them seem to be coming from proper relays too - at least
one had SMTP AUTH header information.  That, actually, is slightly scary,
because if it wasn't faked, it implies that the malware spreading this
spam is picking up more than e-mail addresses.



RE: How are cllassified this?

2007-04-02 Thread John D. Hardin
On Mon, 2 Apr 2007, Duncan Hill wrote:

 A good number of them seem to be coming from proper relays too -
 at least one had SMTP AUTH header information.  That, actually, is
 slightly scary, because if it wasn't faked, it implies that the
 malware spreading this spam is picking up more than e-mail
 addresses.

...not necessarily. The 'bot might be dumping the messages in 
LookOut's outbox and letting it deliver the message along with the 
user's legitimate traffic via their authenticated channel.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #12: Have a plan.
  USMC Rules of Gunfighting #13: Have a back-up plan, because the
  first one won't work.
---
 11 days until Thomas Jefferson's 264th Birthday