Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Martin Gregorie
On Wed, 2012-06-13 at 03:04 +0200, Wolfgang Zeikat wrote:
> On 2012-06-12 20:52, Martin Gregorie wrote:
> 
>  > so it's probably worth treating .gg
>  > the same way as .cn and .ru, though for slightly different reasons.
> 
> Unless you're in .cn, .ru or vicinity or have correspondence partners 
> there, you may be right.
> 
I have about three correspondents in Russia, so a meta-rule along the
lines of

# header rules need the =~ operator; alternatives inside a regex are
# separated by a single |, not the || logical operator
header __MG_RU1 From =~ /\.(ru|su|cn)/
header __MG_RU2 From =~ /(na...@isp1\.ru|na...@isp2\.ru|...)/
meta   MG_RUSSPAM (__MG_RU1 && !__MG_RU2)
score  MG_RUSSPAM 5.0

works just fine for me. I don't need any exceptions for .su or .cn, but
as you say, ymmv.


Martin
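The same allow-listing logic rendered in Python, as an added example that is not from the thread, so the two cases the meta-rule must distinguish can be tested offline. It also keeps the posted substring regex beside a version anchored on the sender's actual TLD, to show where the substring form misfires; all addresses are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed placeholders standing in for the poster's real correspondents.
FLAGGED_TLDS = {"ru", "su", "cn"}
KNOWN_CORRESPONDENTS = {"friend@isp1.ru", "colleague@isp2.ru"}
SCORE = 5.0

# The regex as posted: it runs over the whole From header, display name included.
RAW_RULE = re.compile(r"\.(ru|su|cn)")


def sender_address(from_header):
    """Extract the bare address from a From header (empty string if none)."""
    _, addr = parseaddr(from_header)
    return addr.lower()


def sender_tld(from_header):
    """Return the TLD of the sender's domain, or None if it cannot be parsed."""
    addr = sender_address(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1]
    return domain.rsplit(".", 1)[-1] if "." in domain else None


def raw_rule_matches(from_header):
    """__MG_RU1 exactly as posted: a substring match anywhere in the header."""
    return RAW_RULE.search(from_header) is not None


def mg_russpam_score(from_header):
    """MG_RUSSPAM = __MG_RU1 && !__MG_RU2, with __MG_RU1 anchored on the TLD.

    Anchoring avoids the substring matches (e.g. a display name or local part
    containing '.ru') that the raw regex would fire on.
    """
    tld = sender_tld(from_header)
    if tld is None:
        return 0.0
    ru1 = tld in FLAGGED_TLDS                                  # __MG_RU1
    ru2 = sender_address(from_header) in KNOWN_CORRESPONDENTS  # __MG_RU2
    return SCORE if (ru1 and not ru2) else 0.0
```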





Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Wolfgang Zeikat

On 2012-06-12 20:52, Martin Gregorie wrote:

> so it's probably worth treating .gg
> the same way as .cn and .ru, though for slightly different reasons.

Unless you're in .cn, .ru or vicinity or have correspondence partners 
there, you may be right.


wolfgang


Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Martin Gregorie
On Tue, 2012-06-12 at 18:47 +0100, Stephane Chazelas wrote:
> 2012-06-12 16:36:44 +0100, Martin Gregorie:
> > Today I got a piece of spam carrying the URL chasovik.it.gg as its
> > payload. I was intrigued because I didn't think .gg was a valid tld and
> > looked it up with 'whois'. Sure enough, no match was found. However,
> > 'host' resolved it as 80.190.202.40 and a 'host' lookup on the IP
> > resolved to homepage-baukasten.de, which is known to 'whois'.
> [...]
> 
> You're not querying the right whois server
> 
> Try
> 
> whois -h whois.gg it.gg
> 
OK, and I see from the TLD list that .gg is another tart's TLD: unlike
many national TLDs, the registrants don't need any connection to Guernsey
to own a URL under it, so it's probably worth treating .gg the same way
as .cn and .ru, though for slightly different reasons.


Martin




Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Stephane Chazelas
2012-06-12 16:36:44 +0100, Martin Gregorie:
> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I didn't think .gg was a valid tld and
> looked it up with 'whois'. Sure enough, no match was found. However,
> 'host' resolved it as 80.190.202.40 and a 'host' lookup on the IP
> resolved to homepage-baukasten.de, which is known to 'whois'.
[...]

You're not querying the right whois server

Try

whois -h whois.gg it.gg

-- 
Stephane



RE: Is this a new typoe of URI obfuscation?

2012-06-12 Thread si

> From: Martin Gregorie [mailto:mar...@gregorie.org]
> Sent: 12 June 2012 16:37
> To: Spamassassin users list
> Subject: Is this a new typoe of URI obfuscation?
>
> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I didn't think .gg was a valid tld and
> looked it up with 'whois'. Sure enough, no match was found. However,
> 'host' resolved it as 80.190.202.40 and a 'host' lookup on the IP
> resolved to homepage-baukasten.de, which is known to 'whois'.
>
> This is the first time I've seen this type of obfuscation. Has anybody
> else seen it? If so is it at all common, and how can it be set up apart
> from using some form of DNS poisoning exploit?


> Martin

-


.gg is Guernsey ... it's definitely there ... I can see it out the
window :)


Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Michael Scheidell

On 6/12/12 11:36 AM, Martin Gregorie wrote:

> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I didn't think .gg was a valid tld and
> looked it up with 'whois'.

that just means that the tld provider is violating RFCs, not that the
tld is invalid:


;; QUESTION SECTION:
;chasovik.it.gg.                IN      A

;; ANSWER SECTION:
chasovik.it.gg.         86387   IN      A       80.190.202.40

;; AUTHORITY SECTION:
it.gg.                  86386   IN      NS      ns2.webme.com.
it.gg.                  86386   IN      NS      ns1.webme.com.

;; ADDITIONAL SECTION:
ns1.webme.com.          287     IN      A       62.116.130.62
ns2.webme.com.          287     IN      A       62.116.162.62
and it is a valid tld:




--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259


Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread David F. Skoll
On Tue, 12 Jun 2012 16:36:44 +0100
Martin Gregorie  wrote:

> Today I got a piece of spam carrying the URL chasovik.it.gg as its
> payload. I was intrigued because I didn't think .gg was a valid tld
> and looked it up with 'whois'. Sure enough, no match was found.

.gg is a valid TLD: http://en.wikipedia.org/wiki/.gg

$ host -t ns gg
gg name server f.ci-servers.gg.
gg name server a.ci-servers.net.
gg name server c.ci-servers.org.
gg name server d.ci-servers.je.
gg name server ns99.dns.net.nz.
gg name server b.ci-servers.org.
gg name server ns0.ja.net.

Regards,

David.