Re: Elusive spam

2009-08-13 Thread Ted Mittelstaedt

LuKreme wrote:

> On 12-Aug-2009, at 21:09, Ted Mittelstaedt wrote:
>
>> Furthermore, since you may want to munge more than 2 pieces
>> of dissimilar data in a spam, you're going to rapidly run out
>> of "example.*".  Further, example.com is only good for alpha
>> data munging and is useless for numeric data munging, i.e.
>> IP addresses.
>
> You ignored example.org

example.*  matches to example.org as well as example.net,
example.com, etc.

Ted


Re: Elusive spam

2009-08-13 Thread LuKreme

On 12-Aug-2009, at 21:09, Ted Mittelstaedt wrote:

> Furthermore, since you may want to munge more than 2 pieces
> of dissimilar data in a spam, you're going to rapidly run out
> of "example.*".  Further, example.com is only good for alpha
> data munging and is useless for numeric data munging, i.e.
> IP addresses.

You ignored example.org


--
Did they get you to trade your heroes for ghosts? Hot
ashes for trees? Hot air for a cool breeze? Cold comfort
for change?



Re: Elusive spam

2009-08-12 Thread --[ UxBoD ]--
- "John Hardin"  wrote:

> On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
> > Maybe this will sound dumb but wouldn't it be perfectly
> > safe to blacklist "example.com" after all, that isn't a
> > domain you're ever going to get mail from.
> > 
> > Ted
> 
> That is there because Alex likely wishes to keep his real domain
> private. Note that the envelope TO address is @example.com, which
> would
> never be delivered, unless Alex really _does_ own the example.com
> domain...
> 
> > MySQL Student wrote:
> >
> > > I'm having trouble catching a particular type of spam, and hoped
> > > someone had some time to take a look:
> > > 
> > > http://pastebin.com/d57336542
> > > 
> > > It doesn't match RAZOR2, or any of the URI lists, and it's only
> > > BAYES_50. I have a pretty well-established BAYES db, so I'm
> surprised
> > > it's only BAYES_50. What can I do to block spam like this in the
> > > future?
> > > 
> > > Thanks,
> > > Alex
> 
> Alex, there's likely not much you can do. On a spam that short
> there's
> not a lot to work with.
> 
> You could increase the score for URI_HEX.
> 
> If the form of the URI is consistent, perhaps something like this
> would
> help:
> 
>   uri  URI_NUMERIC_CCTLD  m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i
> 
> This is really suspicious:
> 
>   X-Mailer: Gentoo
> 
> Gentoo is an OS, not a MUA. Is that at all consistent? If so:
> 
>   header GENTOO_MUA  X-Mailer =~ /^Gentoo$/
> 
> Or perhaps this:
> 
>   header MUA_ONE_WORD  X-Mailer =~ /^[a-z]+$/i
> 
> (all untested, sorry)
> 
Alex,

Ran it through myself and got a pretty decent score, so it seems to depend on
whether you are checking any of the other RBLs?

Content analysis details:   (20.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
                            [74.86.146.6 listed in b.barracudacentral.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [74.86.146.6 listed in zen.spamhaus.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [74.86.146.6 listed in dnsbl.sorbs.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 888098.tk]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [74.86.146.6 listed in sip.invaluement.com]
 4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at
                            invaluement.com
                            [URIs: 888098.tk]
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.4 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4553]

Best Regards,

-- 
This message has been scanned for viruses and
dangerous content and is believed to be clean.

SplatNIX IT Services :: Innovation through collaboration



Re: Elusive spam

2009-08-12 Thread John Hardin
On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
> Maybe this will sound dumb but wouldn't it be perfectly
> safe to blacklist "example.com" after all, that isn't a
> domain you're ever going to get mail from.
> 
> Ted

That is there because Alex likely wishes to keep his real domain
private. Note that the envelope TO address is @example.com, which would
never be delivered, unless Alex really _does_ own the example.com
domain...

> MySQL Student wrote:
>
> > I'm having trouble catching a particular type of spam, and hoped
> > someone had some time to take a look:
> > 
> > http://pastebin.com/d57336542
> > 
> > It doesn't match RAZOR2, or any of the URI lists, and it's only
> > BAYES_50. I have a pretty well-established BAYES db, so I'm surprised
> > it's only BAYES_50. What can I do to block spam like this in the
> > future?
> > 
> > Thanks,
> > Alex

Alex, there's likely not much you can do. On a spam that short there's
not a lot to work with.

You could increase the score for URI_HEX.

If the form of the URI is consistent, perhaps something like this would
help:

  uri  URI_NUMERIC_CCTLD  m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i

This is really suspicious:

  X-Mailer: Gentoo

Gentoo is an OS, not a MUA. Is that at all consistent? If so:

  header GENTOO_MUA  X-Mailer =~ /^Gentoo$/

Or perhaps this:

  header MUA_ONE_WORD  X-Mailer =~ /^[a-z]+$/i

(all untested, sorry)

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
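As an added illustration (not code from John's post and not SpamAssassin itself), here is a small Python evaluator that applies the three rules he sketched to a constructed message. SpamAssassin runs a `uri` rule against every URI it extracts from the body and a `header` rule against the named header's value; the evaluator mimics just that. The placeholder scores, the sample messages, the `.invalid` sender domains and the simple URI extraction regex are all assumptions made for this example.

```python
import re

# John's three rules, translated from SpamAssassin's Perl regex syntax into
# Python's re module. The scores are made-up placeholders (assumption): each
# rule is a weak signal on its own, so they are deliberately small.
URI_RULES = {
    # scheme, then two or more all-digit labels, then a two-letter ccTLD and a slash
    "URI_NUMERIC_CCTLD": re.compile(r"^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/", re.I),
}
HEADER_RULES = {
    # header name -> [(rule name, regex), ...]
    "X-Mailer": [
        ("GENTOO_MUA", re.compile(r"^Gentoo$")),
        ("MUA_ONE_WORD", re.compile(r"^[a-z]+$", re.I)),
    ],
}
SCORES = {"URI_NUMERIC_CCTLD": 1.0, "GENTOO_MUA": 2.0, "MUA_ONE_WORD": 0.5}

# Minimal URI extraction for the example; SpamAssassin's own URI parser is
# far more thorough (it also finds bare hostnames, obfuscated URIs, etc.).
URI_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)

# Constructed sample messages (not the spam from the pastebin link).
SAMPLE_SPAM = """\
From: nobody@spam.invalid
To: victim@mail.invalid
Subject: hi
X-Mailer: Gentoo

see http://12345.67890.tk/ now
"""

SAMPLE_HAM = """\
From: friend@mail.invalid
To: me@mail.invalid
Subject: lunch
X-Mailer: Mutt/1.5.20

see http://www.example.net/menu
"""


def parse_message(raw):
    """Split an RFC 822-style message into a header dict and the body text."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


def evaluate(raw):
    """Return the sorted list of rule names the message hits."""
    headers, body = parse_message(raw)
    hits = set()
    for uri in URI_RE.findall(body):          # uri rules: one test per URI found
        for name, rx in URI_RULES.items():
            if rx.search(uri):
                hits.add(name)
    for hdr, rules in HEADER_RULES.items():   # header rules: test the header value
        value = headers.get(hdr)
        if value is None:
            continue
        for name, rx in rules:
            if rx.search(value):
                hits.add(name)
    return sorted(hits)


def score(raw):
    """Total score for the message under the placeholder SCORES."""
    return round(sum(SCORES[h] for h in evaluate(raw)), 1)


if __name__ == "__main__":
    for label, msg in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(label, evaluate(msg), score(msg))
```

Two caveats worth keeping in mind when turning sketches like these into real rules: MUA_ONE_WORD fires on any single-word X-Mailer, so it belongs at a low score, and URI_NUMERIC_CCTLD needs at least two all-numeric labels in front of the ccTLD, so the bare domain from the URIBL report above (888098.tk, a single numeric label) only hits it if the full hostname in the spam carried another numeric label before it.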



Re: Elusive spam

2009-08-12 Thread Ted Mittelstaedt

LuKreme wrote:

> On 12-Aug-2009, at 18:20, Ted Mittelstaedt wrote:
>
>> s...@northpole.com becomes s...@example.com
>> Here's how to do it RIGHT:
>>
>> s...@northpole.com becomes x...@xx.xxx
>
> No, example.com and example.org and example.net exist specifically for
> these sorts of uses.

No, they don't.

example.com and example.net are bona fide, legitimate domains
that are set up for use in textbooks and online documents.  They
are resolvable in whois, etc.  IANA even has a nice little webpage
so if you go to them you get notified that you're an idiot.

The idea is that if a book author makes up their own bogus domain
name, like foo.com, that eventually someone will register that
and then will be bothered by people typing in examples from
the book.

However, spams by contrast are, by definition, NEVER legitimate
pieces of documentation.  A spammer could just as easily use
example.com in an actual spam.  He might even want to do this
since example.com does, in fact, exist.  It would certainly
be better than just manufacturing a domain name that doesn't
exist in a piece of spam.

Thus, example.com IN A SPAM is NEVER an automatic indication
that a munge has occurred.  Unlike in a textbook example
where "example.com" is ALWAYS an indication of a fake name.

Thus, when "munging" an example spam post, it's critical to
indicate WHAT was munged.  If you use "example.com" in your
munging, then because it's possible for a spammer to use
example.com in a real piece of spam, you then have to go to
the bother of adding text explaining that any appearance of
example.com is a munge.

Furthermore, since you may want to munge more than 2 pieces
of dissimilar data in a spam, you're going to rapidly run out
of "example.*".  Further, example.com is only good for alpha
data munging and is useless for numeric data munging, i.e.
IP addresses.

Since if you're going to munge (for privacy) a domain name in
a spam, it's idiotic to munge just the domain name and leave
the IP address that domain name resolves to (since any fool
can use nslookup plus your IP address to figure out what
you're trying to munge), you also have to munge any IP addresses
that refer to that domain name; once more, example.com and
friends offer no solution for this.  x.x.x.x by
contrast is the de-facto indicator in networking circles
that "there be a TCP/IP address here".

Now, it IS true that using , ,  and so on, should also
require an explanation that =munge in your spam example,
since a spammer might choose to use a fabricated domain name
like .xxx.  However, since most mailers (maybe all) lower-case
domain names they get (except in the To: field, which is useless anyway),
it's pretty obvious that .XXX is not a legitimate domain
and the upper-case version would almost never appear in a
Received line in a mail.  (Well, at least, not by any normal
mailers out there; I wouldn't put it past Microsoft to write a
mailer that preserved case one day in the future, they are
so ass-backwards.)  Thus I'd consider an upper-cased fake domain
name in a Received line in a spam the exception rather than
the rule, here.

I elected not to append this discussion to my original post
since only hair-splitters like yourself would likely care. ;-)
Most people would recognize the munge right off.

Now, as for the possibility that .xxx might ever be a legitimate
TLD, I call bullshit on that.  The porno people have already floated the
idea of registering .xxx as a TLD and been shot-down, by
ICANN, THREE times so far, as it
was rightly pointed out (the last time this was brought up)
there's no way to force all the porno into .xxx TLDs, .xxx would
merely serve to load the roots more with uselessly duplicated data
to porno sites already existing.  So, .xxx is most likely ALSO
never going to be registered in the future.

And if you want to argue that .yyy .zzz .aaa and so on may
one day be registered as TLDs, well go ahead, although you
might consider that no language in use on the Internet has
any word or even slang that corresponds with those.  The
closest might be a possible future push to register .aaa just
to be first in the phone books - but I think ICANN would
see through this silliness and shoot it down same as .xxx was
shot down.

Ted


Re: Elusive spam

2009-08-12 Thread LuKreme

On 12-Aug-2009, at 18:20, Ted Mittelstaedt wrote:

> s...@northpole.com becomes s...@example.com
> Here's how to do it RIGHT:
>
> s...@northpole.com becomes x...@xx.xxx

No, example.com and example.org and example.net exist specifically for
these sorts of uses.


--
Once again I teeter at the precipice of the generation gap.



Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi,

> 50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 2.188 0 1.960 # n=0 n=2
> 50_scores.cf:score RCVD_IN_XBL 0 2.896 0 3.033 # n=0 n=2
> 70_relay_country.cf:score           RELAYCOUNTRY_US 0.1
> 50_scores.cf:score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> 50_scores.cf:score BAYES_50 0 0 0.001 0.001
> 50_scores.cf:score URI_HEX 1.777 1.316 1.395 0.368
> 50_scores.cf:score DATE_IN_PAST_03_06 2.299 1.394 1.306 0.044
>
> Something doesn't seem right. Am I adding them wrong? It sure seems to
> equal more than 5.0. Is it possible the rules are being scored
> differently in another location?

It does look like the XBL scores may have been modified in another
config file by a previous admin, ugh. Thanks, now I know.

Thanks,
Alex


Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi,

> it hits spamhaus, and spamcop, what more do you want ?
>
> meta haus_cop (spamhaus && spamcop)
> score haus_cop 5

X-Spam-Status: No, hits=4.8 tagged_above=-300.0 required=5.0 use_bayes=1
 tests=BAYES_50, DATE_IN_PAST_03_06, RCVD_IN_BL_SPAMCOP_NET,
 RCVD_IN_SORBS_WEB, RCVD_IN_XBL, RELAYCOUNTRY_US, URI_HEX

50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 2.188 0 1.960 # n=0 n=2
50_scores.cf:score RCVD_IN_XBL 0 2.896 0 3.033 # n=0 n=2
70_relay_country.cf:score   RELAYCOUNTRY_US 0.1
50_scores.cf:score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
50_scores.cf:score BAYES_50 0 0 0.001 0.001
50_scores.cf:score URI_HEX 1.777 1.316 1.395 0.368
50_scores.cf:score DATE_IN_PAST_03_06 2.299 1.394 1.306 0.044

Something doesn't seem right. Am I adding them wrong? It sure seems to
equal more than 5.0. Is it possible the rules are being scored
differently in another location?

The meta rule is a good one. I'll create that now.

Thanks,
Alex
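The "Am I adding them wrong?" question comes down to which of the four columns of a `score` line applies, and whether some other .cf file re-scores a rule later. Below is an added Python example (not SpamAssassin's code) that parses the score lines Alex grepped, picks the column the way Mail::SpamAssassin::Conf documents it (no Bayes and no network tests, network only, Bayes only, both), sums the rules named in the X-Spam-Status line, and lets an `overrides` map stand in for a later .cf re-scoring a rule. Benny's haus_cop meta rule is included too; reading his "spamhaus" and "spamcop" shorthand as RCVD_IN_XBL and RCVD_IN_BL_SPAMCOP_NET is an assumption made here.

```python
import re

# Constructed copy of the `score` lines Alex grepped (values as posted above);
# the parsing and arithmetic are an added example, not SpamAssassin's code.
SCORE_LINES = """\
50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 2.188 0 1.960 # n=0 n=2
50_scores.cf:score RCVD_IN_XBL 0 2.896 0 3.033 # n=0 n=2
70_relay_country.cf:score RELAYCOUNTRY_US 0.1
50_scores.cf:score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
50_scores.cf:score BAYES_50 0 0 0.001 0.001
50_scores.cf:score URI_HEX 1.777 1.316 1.395 0.368
50_scores.cf:score DATE_IN_PAST_03_06 2.299 1.394 1.306 0.044
"""

# The tests= list from Alex's X-Spam-Status header
HITS = ["BAYES_50", "DATE_IN_PAST_03_06", "RCVD_IN_BL_SPAMCOP_NET",
        "RCVD_IN_SORBS_WEB", "RCVD_IN_XBL", "RELAYCOUNTRY_US", "URI_HEX"]

# "score RULE n [n n n]" with an optional "file.cf:" prefix from grep
SCORE_RE = re.compile(r"\bscore\s+(\S+)\s+([-\d.\s]+)")


def parse_scores(text):
    """Map rule name -> list of one or four floats ('# ...' comments dropped)."""
    scores = {}
    for line in text.splitlines():
        m = SCORE_RE.search(line.split("#", 1)[0])
        if m:
            scores[m.group(1)] = [float(x) for x in m.group(2).split()]
    return scores


def score_set(use_bayes, use_network):
    """Column index SpamAssassin consults, in the order Mail::SpamAssassin::Conf
    documents it: 0 = no Bayes/no network, 1 = network only, 2 = Bayes only,
    3 = both."""
    return (2 if use_bayes else 0) + (1 if use_network else 0)


def effective_score(scores, rule, use_bayes=True, use_network=True):
    """A single-value score applies to every score set; otherwise pick the column."""
    cols = scores[rule]
    return cols[0] if len(cols) == 1 else cols[score_set(use_bayes, use_network)]


def meta_haus_cop(hits):
    """Benny's 'meta haus_cop (spamhaus && spamcop)', with the shorthand read as
    RCVD_IN_XBL and RCVD_IN_BL_SPAMCOP_NET (an assumption made for the example)."""
    return "RCVD_IN_XBL" in hits and "RCVD_IN_BL_SPAMCOP_NET" in hits


def total(scores, hits, overrides=None, use_bayes=True, use_network=True,
          with_meta=False):
    """Sum the hits' scores. `overrides` stands in for a later .cf file that
    re-scores a rule: a later 'score RULE n' replaces the earlier value."""
    overrides = overrides or {}
    t = sum(overrides.get(r, effective_score(scores, r, use_bayes, use_network))
            for r in hits)
    if with_meta and meta_haus_cop(hits):
        t += 5.0                          # score haus_cop 5
    return t


if __name__ == "__main__":
    s = parse_scores(SCORE_LINES)
    print("Bayes+network column:", round(total(s, HITS), 3))
    print("network-only column:", round(total(s, HITS, use_bayes=False), 3))
    print("with RELAYCOUNTRY_US at -1.2:",
          round(total(s, HITS, overrides={"RELAYCOUNTRY_US": -1.2}), 3))
    print("with haus_cop meta:", round(total(s, HITS, with_meta=True), 3))
```

With the fourth column (Bayes and network tests both on) the seven hits sum to 6.125, close to the 6.0 RW reports; the network-only column would give 9.011, which is the kind of gap that makes hand-adding the wrong column look like more than 5.0. Substituting RW's guessed -1.2 for RELAYCOUNTRY_US gives 4.825, consistent with the hits=4.8 in the X-Spam-Status line. Whichever rule was actually re-scored, grepping for `score` across every .cf SpamAssassin loads (site rules and local.cf, not just 50_scores.cf) is the way to find the override.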


Re: Elusive spam

2009-08-12 Thread RW
On Wed, 12 Aug 2009 19:07:23 -0400
MySQL Student  wrote:

> Hi,
> 
> I'm having trouble catching a particular type of spam, and hoped
> someone had some time to take a look:
> 
> http://pastebin.com/d57336542
> 
> It doesn't match RAZOR2, or any of the URI lists, and it's only
> BAYES_50. I have a pretty well-established BAYES db, so I'm surprised
> it's only BAYES_50. What can I do to block spam like this in the
> future?

It scored 6.0 for me, so either you've done some rescoring or 
RELAYCOUNTRY_US is scored at -1.2.

Assigning a small negative score to a country from which you get most of
your mail is a good idea if it's a small country. I don't think
it's justified for the US.


Re: Elusive spam

2009-08-12 Thread Benny Pedersen
On Wed, 12 Aug 2009 20:22:13 -0400, MySQL Student wrote:
> Just the domain was munged. Thanks for the info. I should have been
> able to figure that out.

it hits spamhaus, and spamcop, what more do you want?

meta haus_cop (spamhaus && spamcop)
score haus_cop 5

:)

-- 
Benny Pedersen


Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi,

> Are we to make guesses on what else might be munged?
> Is just example.com munged or the 172.0.0.1 also munged?

Just the domain was munged. Thanks for the info. I should have been
able to figure that out.

Thanks,
Alex


Re: Elusive spam

2009-08-12 Thread Ted Mittelstaedt

MySQL Student wrote:

> Hi,
>
>>> Maybe this will sound dumb but wouldn't it be perfectly
>>> safe to blacklist "example.com" after all, that isn't a
>>> domain you're ever going to get mail from.
>>
>> I could be wrong, but I'm guessing the example.com is the OP's munging.
>
> Yes, that's correct. My apologies.

Are we to make guesses on what else might be munged?
Is just example.com munged or the 172.0.0.1 also munged?

In the future when you munge, make it obvious.  Here's
how to do it WRONG:

s...@northpole.com

becomes

s...@example.com

23.45.67.6

becomes

192.168.1.5


Here's how to do it RIGHT:


s...@northpole.com

becomes

x...@xx.xxx


23.45.67.6

becomes

X.X.X.X


Also, if the same e-mail address or IP number appears multiple
times in the mail, use the same munge char for it.  If
different ones appear, use , , , , and so
on for each new successive item.

It just makes it a lot easier on us when we have to tell
you that you're munging some critical piece of information
we need to help you and that you need to un-munge it if
you want any help.  This way we don't have to guess
as much.

:-)

Ted

PS  I suspected example.com was a munge but wasn't willing
to assume it was - spammers can be pretty ingenious.


Re: Elusive spam

2009-08-12 Thread MySQL Student
Hi,

>> Maybe this will sound dumb but wouldn't it be perfectly
>> safe to blacklist "example.com" after all, that isn't a
>> domain you're ever going to get mail from.
>
> I could be wrong, but I'm guessing the example.com is the OP's munging.

Yes, that's correct. My apologies.

Best,
Alex


Re: Elusive spam

2009-08-12 Thread Evan Platt

At 04:20 PM 8/12/2009, you wrote:

> Maybe this will sound dumb but wouldn't it be perfectly
> safe to blacklist "example.com" after all, that isn't a
> domain you're ever going to get mail from.

I could be wrong, but I'm guessing the example.com is the OP's munging.



Re: Elusive spam

2009-08-12 Thread Ted Mittelstaedt


Maybe this will sound dumb but wouldn't it be perfectly
safe to blacklist "example.com" after all, that isn't a
domain you're ever going to get mail from.

Ted

MySQL Student wrote:

> Hi,
>
> I'm having trouble catching a particular type of spam, and hoped
> someone had some time to take a look:
>
> http://pastebin.com/d57336542
>
> It doesn't match RAZOR2, or any of the URI lists, and it's only
> BAYES_50. I have a pretty well-established BAYES db, so I'm surprised
> it's only BAYES_50. What can I do to block spam like this in the
> future?
>
> Thanks,
> Alex