RE: Stupid ebay trick

2005-11-02 Thread Matthew.van.Eerde
jdow wrote:

Since you're feeling pedantic...

 ===8--- This set of rules nails it cold.
 header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i

An exactly equivalent expression is:
From =~ /\bebay\b/i
This also has the added advantage of not populating $1 and $2.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: [EMAIL PROTECTED]

jdow wrote:

Since you're feeling pedantic...


===8--- This set of rules nails it cold.
header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i


An exactly equivalent expression is:

From =~ /\bebay\b/i

This also has the added advantage of not populating $1 and $2.

 So \b catches the \ as well? Fascinating.
{^_^}



Re: Stupid ebay trick

2005-11-02 Thread Chris



[EMAIL PROTECTED] wrote:


jdow wrote:

Since you're feeling pedantic...
 


===8--- This set of rules nails it cold.
header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i
   



An exactly equivalent expression is:
From =~ /\bebay\b/i
This also has the added advantage of not populating $1 and $2.
 


Matthew,

@ebay.com matches that doesn't it?

[EMAIL PROTECTED]:~$ echo 'From: zbay [EMAIL PROTECTED]' |pcregrep -i '\bebay\b'

From: zbay [EMAIL PROTECTED]

Catching that leading quote (note the lack of boundary)   /\ebay/i  
would be my choice for that sub rule, given the example.


C.


RE: Stupid ebay trick

2005-11-02 Thread Matthew.van.Eerde
Chris wrote:
 [EMAIL PROTECTED] wrote:
 
 jdow wrote:
 
 Since you're feeling pedantic...
 
 ===8--- This set of rules nails it cold.
 header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i
 
 
 An exactly equivalent expression is:
  From =~ /\bebay\b/i
 This also has the added advantage of not populating $1 and $2.
 
 Matthew,
 
 @ebay.com matches that doesn't it?

Yup, it sure does, but that's OK.  The intent was to detect email messages 
where:

1) From matches /\bebay\b/i
2) From DOES NOT MATCH /[EMAIL PROTECTED]/i

The fact that @ebay. matches /\bebay\b/ is irrelevant.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: Chris [EMAIL PROTECTED]


[EMAIL PROTECTED] wrote:


jdow wrote:

Since you're feeling pedantic...
 


===8--- This set of rules nails it cold.
header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i
   



An exactly equivalent expression is:
From =~ /\bebay\b/i
This also has the added advantage of not populating $1 and $2.
 


Matthew,

@ebay.com matches that doesn't it?


It's intended to. Other rules are supposed to catch [EMAIL PROTECTED]
related spam. I was looking for ANY ebay as a separate word
along with ebay.com being missing. Something like:
ebay.com [EMAIL PROTECTED] is supposed to be nailed by other spoofing
rules specific to the ebay.com part. Now, I suspect this rule
could be optimized. (And one of my wormholes into the SARE regions
suggests that there is a further tuned version of these two rules
and meta rule coming soon. I suggested another fine tuning to him
after he noted @pages.ebay,co might be worth being safe with. So
he might be delayed a touch from the real part of his RSN.)

[EMAIL PROTECTED]:~$ echo 'From: zbay [EMAIL PROTECTED]' |pcregrep -i '\bebay\b'

From: zbay [EMAIL PROTECTED]

Catching that leading quote (note the lack of boundary)   /\ebay/i  
would be my choice for that sub rule, given the example.


Actually I wanted to catch  or . or blankness. And my head keeps
trying to make \b be blankness. If \b is boundary which includes
 and . in the definition of boundary that's fine. Otherwise I
like my way better.

{^_^}



RE: Stupid ebay trick

2005-11-02 Thread Matthew.van.Eerde
jdow wrote:
 jdow wrote:
 ===8--- This set of rules nails it cold.
 header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i
 
 Actually I wanted to catch  or . or blankness. And my head keeps
 trying to make \b be blankness. If \b is boundary which includes
  and . in the definition of boundary that's fine. Otherwise I
 like my way better.

By blankness do you mean whitespace?  That's \s...
From =~ /(\|\.|\s)ebay(\|\.|\s)/i

If you also want to include beginning of the string, that's ^...
If you also want to include end of the string, that's $...
From =~ /(\|\.|\s|^)ebay(\|\.|\s|$)/i

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Stupid ebay trick

2005-11-02 Thread Kelson

jdow wrote:

Actually I wanted to catch  or . or blankness. And my head keeps
trying to make \b be blankness. If \b is boundary which includes
 and . in the definition of boundary that's fine.


Yeah, \b matches a word Boundary.  For blankness you probably want \s 
which matches whiteSpace (including spaces, tabs, etc.)


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: [EMAIL PROTECTED]
jdow wrote:

jdow wrote:

===8--- This set of rules nails it cold.
header JD_SIMPLE_EBAY_SPOOFaFrom =~ /(\|\.|\b)ebay(\|\.|\b)/i


Actually I wanted to catch  or . or blankness. And my head keeps
trying to make \b be blankness. If \b is boundary which includes
 and . in the definition of boundary that's fine. Otherwise I
like my way better.


By blankness do you mean whitespace?  That's \s...

From =~ /(\|\.|\s)ebay(\|\.|\s)/i


If you also want to include beginning of the string, that's ^...
If you also want to include end of the string, that's $...

From =~ /(\|\.|\s|^)ebay(\|\.|\s|$)/i


 And a detail here - Does a From test include all characters
 after the : or after the : ? That would change things, too.

 (Loren's the local unit that writes rules. I only write them when
 something comes along that gets me annoyed.)

{^_-}




Re: Stupid ebay trick

2005-11-02 Thread Chris

[EMAIL PROTECTED] wrote:


Chris wrote:
 


Matthew,

@ebay.com matches that doesn't it?
   



Yup, it sure does, but that's OK.  The intent was to detect email messages 
where:

1) From matches /\bebay\b/i
2) From DOES NOT MATCH /[EMAIL PROTECTED]/i

The fact that @ebay. matches /\bebay\b/ is irrelevant.

 



Understood, but I don't see the point in being lax with that match.
Perhaps I ebay too much using the address [EMAIL PROTECTED] ;)

C.


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: Kelson [EMAIL PROTECTED]


jdow wrote:

Actually I wanted to catch  or . or blankness. And my head keeps
trying to make \b be blankness. If \b is boundary which includes
 and . in the definition of boundary that's fine.


Yeah, \b matches a word Boundary.  For blankness you probably want \s 
which matches whiteSpace (including spaces, tabs, etc.)


Actually word boundary is probably best. But like I say, my head
keeps thinking blank for \b rather than boundary. That's why I
included the spurious other tests. I guess blank comes first
in my mental dictionary search for what could the b be?

{^_-}



RE: Stupid ebay trick

2005-11-02 Thread Matthew.van.Eerde
jdow wrote:
 my head keeps thinking blank for \b rather than boundary.

FWIW, I keep thinking bell :)

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: Stupid ebay trick

2005-11-02 Thread Matthew.van.Eerde
jdow wrote:
 And a detail here - Does a From test include all characters
 after the : or after the : ? That would change things, too.

After the : 

From: Joe User [EMAIL PROTECTED]
  ^

The tested value starts at the first  and ends at the final 

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: Chris [EMAIL PROTECTED]


[EMAIL PROTECTED] wrote:


Chris wrote:
 


Matthew,

@ebay.com matches that doesn't it?
   



Yup, it sure does, but that's OK.  The intent was to detect email messages 
where:

1) From matches /\bebay\b/i
2) From DOES NOT MATCH /[EMAIL PROTECTED]/i

The fact that @ebay. matches /\bebay\b/ is irrelevant.

 



Understood, but I don't see the point in being lax with that match.
Perhaps I ebay too much using the address [EMAIL PROTECTED] ;)


Let's see if I can amplify the intent.

The particular spam had a header line that looked like:
From: eBay [EMAIL PROTECTED]

This did not trigger any existing ebay.com spoof rules for the simple
reason that ebay.com does not appear.

So I posited a rule that would look for someone trying to call themselves
simply ebay with a purported real address as some other address.

I left things like From: Patricia K. Phoney [EMAIL PROTECTED] to
some other posited tool that involved normal whitelisting rules and
potential ebav type easy to overlook by eye spelling errors rules.
Making one omnibus rule is likely to lead to it being too prone to
false alarms or too easy to spoof. This rule I created is specific
and to the point.

(It also contained over 10 dollar signs on successive lines. None of
the proposed rules for that construct hit yet. I'd not want to use it
anyway. I do get used equipment lists from ham radio dealers I have
dealt with and want to get them. So this is simply an observation
not a begging for a rule on my part. {^_-})

{^_^}



Re: Stupid ebay trick

2005-11-02 Thread jdow

From: [EMAIL PROTECTED]

jdow wrote:

my head keeps thinking blank for \b rather than boundary.


FWIW, I keep thinking bell :)

 Aw shucks, now you've screwed me up worse. Somehow I was
 skipping over beep and bell in the search pattern. ARGH!
 I'm ruined!

{O,o}



Re: Stupid ebay trick

2005-11-02 Thread Kelson

Chris wrote:

Understood, but I don't see the point in being lax with that match.
Perhaps I ebay too much using the address [EMAIL PROTECTED] ;)


Good point.  Now that I think about it, just a few weeks ago I won an 
auction from someone who used an address similar to 
[EMAIL PROTECTED]  That address wouldn't have triggered the rule, 
but I can think of some really innocuous addresses and names that would:


[EMAIL PROTECTED]
[EMAIL PROTECTED] (I forget, do numbers trigger word boundaries?)
My Ebay Stuff [EMAIL PROTECTED]
Ebay Account [EMAIL PROTECTED]
Bob on eBay [EMAIL PROTECTED]

--
Kelson Vibber
SpeedGate Communications www.speed.net


RE: Stupid ebay trick

2005-11-02 Thread Matthew.van.Eerde
Kelson wrote:
 I forget, do numbers trigger word boundaries?

No.  Wordish things include: letters, numbers, and the underscore.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Stupid ebay trick

2005-11-02 Thread Kelson

Kelson wrote:

Chris wrote:

Understood, but I don't see the point in being lax with that match.
Perhaps I ebay too much using the address [EMAIL PROTECTED] ;)


Good point.  Now that I think about it, just a few weeks ago I won an 
auction from someone who used an address similar to 
[EMAIL PROTECTED]  That address wouldn't have triggered the rule, 
but I can think of some really innocuous addresses and names that would:


[EMAIL PROTECTED]
[EMAIL PROTECTED] (I forget, do numbers trigger word boundaries?)
My Ebay Stuff [EMAIL PROTECTED]
Ebay Account [EMAIL PROTECTED]
Bob on eBay [EMAIL PROTECTED]


Ugh... I hit send too quickly.  I meant to add:

This should probably be tightened up more.  Maybe something like:

/^\s*[\\.]ebay[\\.]\s+\/i

That would match only on strings that start out as
ebay address
ebay address
.ebay. address
and combinations thereof, with possible leading whitespace.

--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: Kelson [EMAIL PROTECTED]


Chris wrote:

Understood, but I don't see the point in being lax with that match.
Perhaps I ebay too much using the address [EMAIL PROTECTED] ;)


Good point.  Now that I think about it, just a few weeks ago I won an 
auction from someone who used an address similar to 
[EMAIL PROTECTED]  That address wouldn't have triggered the rule, 
but I can think of some really innocuous addresses and names that would:


[EMAIL PROTECTED]
[EMAIL PROTECTED] (I forget, do numbers trigger word boundaries?)
My Ebay Stuff [EMAIL PROTECTED]
Ebay Account [EMAIL PROTECTED]
Bob on eBay [EMAIL PROTECTED]


This is why I troll my spam folder rather than toss it. I even have a
trick for making this easy in cases involving really stupid people (or
the few cases that have REALLY annoyed me.) I give them a score of 100.
That (almost) always places these kinds of false potential alarms at the
end of the spam sort list so I eventually catch them. (I search the two
ends, one for the chance hams that score as low spam - very rare here -
or the potential for someone triggering one of the really high rules for
the satisfaction obtained from nailing their asterisks. It'd also catch
such really stupid ebay sellers or buyers, too. I've posted the rewrite
rule I use to ensure the sorting (up to 999.9) before.)

{^_-}



Re: Stupid ebay trick

2005-11-02 Thread Matt Yackley
jdow said:

snip
Yup, it sure does, but that's OK.  The intent was to detect email messages 
where:

1) From matches /\bebay\b/i
2) From DOES NOT MATCH /[EMAIL PROTECTED]/i

The fact that @ebay. matches /\bebay\b/ is irrelevant.

 Let's see if I can amplify the intent.

 The particular spam had a header line that looked like:
 From: eBay [EMAIL PROTECTED]

 This did not trigger any existing ebay.com spoof rules for the simple
 reason that ebay.com does not appear.


This might be a simple way to limit where it looks..

header __TESTSAMPLE From:name =~ /\bebay\b/i
header __TESTSAMPLE2 From:addr !~ /\bebay\b/i
meta EBAYSPOOF __TESTSAMPLE && __TESTSAMPLE2

Well something along those lines anyway.


Cheers,

matt
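
An added example, not part of any post in this thread: it runs the whole-header test From =~ /\bebay\b/i next to the From:name / From:addr split suggested above, and also shows the point made earlier in the thread that digits and the underscore do not create a word boundary. Assumptions: Python's re stands in for Perl's regex engine (\b behaves the same on ASCII), email.utils.parseaddr approximates the :name and :addr split, the function names are hypothetical, and every address is constructed.

```python
import re
from email.utils import parseaddr

# Same pattern the thread settles on: "ebay" as a separate word, case-insensitive.
EBAY_WORD = re.compile(r"\bebay\b", re.IGNORECASE)


def whole_header_hit(from_value):
    # Single rule over the full header value: From =~ /\bebay\b/i
    return bool(EBAY_WORD.search(from_value))


def name_addr_meta(from_value):
    # Split form: From:name =~ /\bebay\b/i  AND  From:addr !~ /\bebay\b/i
    # parseaddr() is an approximation of SpamAssassin's :name / :addr split.
    name, addr = parseaddr(from_value)
    return bool(EBAY_WORD.search(name)) and not EBAY_WORD.search(addr)


# Constructed From: values (reserved example domains, not real senders).
SAMPLES = [
    "eBay <billing@mailer.example.net>",    # display name only, the spoof shape
    '"eBay" <billing@mailer.example.net>',  # same, with a quoted display name
    "zbay <seller@ebay.example>",           # whole header hits via "@ebay."
    "ebay123 <someone@example.org>",        # digit follows: no word boundary
    "my_ebay <someone@example.org>",        # underscore precedes: no boundary
    "My Ebay Stuff <someone@example.org>",  # innocuous name, still fires
    "Bob on eBay <bob@example.org>",        # innocuous name, still fires
]


def evaluate(samples=SAMPLES):
    # Returns (header value, whole-header hit, name/addr meta hit) per sample.
    return [(s, whole_header_hit(s), name_addr_meta(s)) for s in samples]


if __name__ == "__main__":
    for value, whole, meta in evaluate():
        print(f"{value!r:45} whole={whole!s:5} meta={meta}")
```

The last two samples are the false-positive shape raised in the thread: the split removes the "@ebay." hit but not hits on a legitimate display name.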


Re: Stupid ebay trick

2005-11-02 Thread jdow

From: Kelson [EMAIL PROTECTED]


Kelson wrote:

Chris wrote:

Understood, but I don't see the point in being lax with that match.
Perhaps I ebay too much using the address [EMAIL PROTECTED] ;)


Good point.  Now that I think about it, just a few weeks ago I won an 
auction from someone who used an address similar to 
[EMAIL PROTECTED]  That address wouldn't have triggered the rule, 
but I can think of some really innocuous addresses and names that would:


[EMAIL PROTECTED]
[EMAIL PROTECTED] (I forget, do numbers trigger word boundaries?)
My Ebay Stuff [EMAIL PROTECTED]
Ebay Account [EMAIL PROTECTED]
Bob on eBay [EMAIL PROTECTED]


Ugh... I hit send too quickly.  I meant to add:

This should probably be tightened up more.  Maybe something like:

/^\s*[\\.]ebay[\\.]\s+\/i

That would match only on strings that start out as
ebay address
ebay address
.ebay. address
and combinations thereof, with possible leading whitespace.


I can hear a certain rule writer head on keyboard screaming NOOO!
if he has already posted the updated rule sets.

That is a reasonable idea. What OTHER dividing points might be used?
A specific would be @ebay\b for the name part of the field. Do some
MTAs still deliver if the From address has an offbeat name like that?
And does the name always have to be in quotes? (I don't think it does
so the other options are needed.)

(Actually I don't do a lot of ebay buying and so far no selling. So
what I do is check the email address to which I send the paypal
payment and make sure it is temporarily whitelisted. Then I watch
both my inbox and the spam box to make sure I catch the incoming
with a match to details of the auction in the subject.)

{^_-}