Re: Yahoo single link spam

2013-04-11 Thread Martin Gregorie
On Thu, 2013-04-11 at 18:25 -0400, Alex wrote:
> Hi,
> 
> Recently I noticed that this rule was getting FPs from mail on a
> SourceForge-related mailing list that I thought should have nothing to
> do with Yahoo, so I added in another (obfuscated) rule. The combination
> now looks like this:
> 
> #
> # Yahoo message-ID but sender not Yahoo.
> #
> 
> describe MG_YAHOO_FS Yahoo message-ID, not From: yahoo or associates
> header   __MG_YAHFS1 Message-id =~ /\@.*yahoo\.com/
> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
> header   __MG_YAHFS3 From =~ /talk21\.com/
> meta     __MG_YAHFSM (__MG_YAHFS2 || __MG_YAHFS3)
> meta     MG_YAHOO_FS (__MG_YAHFS1 && !__MG_YAHFSM)
> score    MG_YAHOO_FS 50
> 
> 
> It looks like we also need to add rogers.com and bellsouth.net to the
> exclude list.
> 
Agreed. I've only seen FPs from talk21 so that's all that's included in
my version of the rule. 

To extend it, I'd suggest converting the regex in __MG_YAHFS3 into a
list of alternates because that should be faster and use less CPU than
adding single-shot rules and combining them with an extended version of
__MG_YAHFSM. I personally dislike writing any rule or subrule that
extends out of an 80 col text window, so if __MG_YAHFS3 extends too far
for that you can either add a set of similar subrules or take a deep
breath and use something like my portmanteau rule generator to build a
monster stand-alone rule and link it in via __MG_YAHFSM.

The generator is here: http://www.libelle-systems.com/free/ (look for
the 'portmanteau' link). The generator lets you store the regex phases
etc. in an easily edited form which is converted into an SA rule by a
bash shell script that uses an awk program to do the heavy lifting.

If I need to extend my version I'll probably start with no more than one
extra subrule, i.e. matching around 6-8 domains max and, if it extends
further, swap to using the portmanteau rule generator.


Martin
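As an added example (not code from the thread or from Martin's generator), the Python below evaluates the MG_YAHOO_FS meta against constructed headers and shows how folding the associate domains into one alternation, as suggested above, removes the rogers.com false positive. Python's `re` stands in for SpamAssassin's Perl regex engine; the sample headers and the `@`-anchoring of the alternation are assumptions of this example.

```python
import re

# Added example, not code from the thread or from Martin's generator.
# Python's re stands in for the Perl regex engine SpamAssassin uses; the
# rule names and the affiliate domains are from the thread, the sample
# headers are constructed.

# As posted: only talk21.com sits beside the yahoo.com/yahoo.co.uk check.
ORIGINAL_ASSOCIATES = ["yahoo.com", "yahoo.co.uk", "talk21.com"]
# Extended with the two domains Alex reported as false positives.
EXTENDED_ASSOCIATES = ORIGINAL_ASSOCIATES + ["rogers.com", "bellsouth.net"]

# __MG_YAHFS1 as posted: a Yahoo Message-ID.
MG_YAHFS1 = re.compile(r"\@.*yahoo\.com", re.I)


def associates_pattern(domains):
    """One alternation covering every associate domain, anchored at '@' so a
    display name cannot satisfy it: the 'list of alternates' Martin
    suggests instead of one single-shot subrule per domain."""
    return r"\@(?:" + "|".join(re.escape(d) for d in domains) + r")\b"


def sa_header_rule(name, domains):
    """Emit the SpamAssassin header line for the combined subrule."""
    return f"header {name} From =~ /{associates_pattern(domains)}/i"


def mg_yahoo_fs(headers, associates):
    """Evaluate the MG_YAHOO_FS meta for one message: Yahoo Message-ID
    (__MG_YAHFS1) AND NOT From: a Yahoo associate (__MG_YAHFSM)."""
    yahfs1 = MG_YAHFS1.search(headers.get("Message-ID", "")) is not None
    yahfsm = re.search(associates_pattern(associates),
                       headers.get("From", ""), re.I) is not None
    return yahfs1 and not yahfsm


# Constructed headers covering the cases discussed in the thread.
SAMPLES = {
    "yahoo_user":      {"From": "Pat <pat@yahoo.com>",
                        "Message-ID": "<1365700000.1@web1.mail.yahoo.com>"},
    "talk21_user":     {"From": "Pat <pat@talk21.com>",
                        "Message-ID": "<1365700000.2@web1.mail.yahoo.com>"},
    "rogers_user":     {"From": "Pat <pat@rogers.com>",
                        "Message-ID": "<1365700000.3@web1.mail.yahoo.com>"},
    "unrelated_from":  {"From": "Pat <pat@example.org>",
                        "Message-ID": "<1365700000.4@web1.mail.yahoo.com>"},
    "non_yahoo_msgid": {"From": "Pat <pat@example.org>",
                        "Message-ID": "<1365700000.5@mail.example.org>"},
}


def evaluate(associates):
    """Which samples MG_YAHOO_FS would flag with a given associate list."""
    return {name: mg_yahoo_fs(h, associates) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    print("original list:", evaluate(ORIGINAL_ASSOCIATES))
    print("extended list:", evaluate(EXTENDED_ASSOCIATES))
    print(sa_header_rule("__MG_YAHFSM", EXTENDED_ASSOCIATES))
```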





Re: Yahoo single link spam

2013-04-11 Thread Alex
Hi,

> Recently I noticed that this rule was getting FPs from mail on a
> SourceForge-related mailing list that I thought should have nothing to
> do with Yahoo, so I added in another (obfuscated) rule. The combination
> now looks like this:
>
> #
> # Yahoo message-ID but sender not Yahoo.
> #
> describe MG_YAHOO_FS Yahoo message-ID, not From: yahoo or associates
> header   __MG_YAHFS1 Message-id =~ /\@.*yahoo\.com/
> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
> header   __MG_YAHFS3 From =~ /talk21\.com/
> meta     __MG_YAHFSM (__MG_YAHFS2 || __MG_YAHFS3)
> meta     MG_YAHOO_FS (__MG_YAHFS1 && !__MG_YAHFSM)
> score    MG_YAHOO_FS 50
>

It looks like we also need to add rogers.com and bellsouth.net to the
exclude list.

Thanks again,
Alex


Re: Yahoo single link spam

2013-04-10 Thread Noel
On 4/10/2013 9:00 PM, Alex wrote:
> Hi,
>
>> Would someone put some samples of Yahoo single link spam on PasteBin.
>>
>>> I am trying to test my rules and I seem to be missing some of the
>>> variations.
>>
>> Here's an example: it is the message I developed the following rule
>> against: http://pastebin.com/VRvtDfER
>>
>> I've obfuscated all e-mail addresses in it and verified that my rule
>> catches the obfuscated version.  The rule is this:
>>
>> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
>> header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
>> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
>> meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
>> score    MG_YAHOO_FS 50
>>
>> Some time ago Martin posted his rules for blocking yahoo link spam,
>> and it's been working relatively well for my system. However, I'm now
>> noticing a number of FPs that are "From" bellsouth.net addresses but
>> pass through yahoo servers. They have DKIM and DomainKey signatures
>> from bellsouth, yet otherwise appear to have no association with
>> bellsouth.net.
>>
>> Is it just possible that bellsouth is using yahoo's servers? If so,
>> could there be other "affiliates" that use yahoo that could also
>> cause FPs?
>
> I can confirm that bellsouth uses yahoo mail services for at least
> some of their customer mail.  Legit @bellsouth.net mail may arrive via
> a yahoo server.
>
> I looked at a handful of others that are in the quarantine, and
> there's also quite a bit of actual junk there as expected, not just
> FPs.
>
> So, I've lowered the score to something that should require at least
> a few other rules to trigger before it's considered spam. I think this
> is actually a better option than adding bellsouth.net to the "From"
> header rule to categorically allow all bellsouth mail through. Even
> found one message with 67 points, yikes!
>
> There are also a few with DKIM signature failures, yet DKIM_VALID is
> triggered:
>
> Authentication-Results: mail01.example.com (amavisd-new); dkim=pass
> header.i=@bellsouth.net
> Authentication-Results: mail01.example.com (amavisd-new);
> domainkeys=softfail (fail, message has been altered)
> header.from=joepatfan...@bellsouth.net
>
> Is this because it's only a softfail?

domainkeys is not DKIM.  Generally, domainkeys can be ignored.  See
wikipedia for more details.

My crystal ball suggests that domainkeys failed because some part of
the message not protected by DKIM was altered, such as a footer
being added, or a header mangled. 



  -- Noel Jones


Re: Yahoo single link spam

2013-04-10 Thread Alex
Hi,

> Would someone put some samples of Yahoo single link spam on PasteBin.
>
>> I am trying to test my rules and I seem to be missing some of the
>> variations.
>>
>> Here's an example: it is the message I developed the following rule
>> against: http://pastebin.com/VRvtDfER
>>
>> I've obfuscated all e-mail addresses in it and verified that my rule
>> catches the obfuscated version.  The rule is this:
>>
>> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
>> header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
>> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
>> meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
>> score    MG_YAHOO_FS 50
>>
>
> Some time ago Martin posted his rules for blocking yahoo link spam, and
> it's been working relatively well for my system. However, I'm now noticing
> a number of FPs that are "From" bellsouth.net addresses but pass through
> yahoo servers. They have DKIM and DomainKey signatures from bellsouth, yet
> otherwise appear to have no association with bellsouth.net.
>
> Is it just possible that bellsouth is using yahoo's servers? If so, could
> there be other "affiliates" that use yahoo that could also cause FPs?
>
> I can confirm that bellsouth uses yahoo mail services for at least some of
> their customer mail.  Legit @bellsouth.net mail may arrive via a yahoo
> server.
>

I looked at a handful of others that are in the quarantine, and there's
also quite a bit of actual junk there as expected, not just FPs.

So, I've lowered the score to something that should require at least a few
other rules to trigger before it's considered spam. I think this is
actually a better option than adding bellsouth.net to the "From" header
rule to categorically allow all bellsouth mail through. Even found one
message with 67 points, yikes!

There are also a few with DKIM signature failures, yet DKIM_VALID is
triggered:

Authentication-Results: mail01.example.com (amavisd-new); dkim=pass
header.i=@bellsouth.net
Authentication-Results: mail01.example.com (amavisd-new);
domainkeys=softfail (fail, message has been altered)
header.from=joepatfan...@bellsouth.net

Is this because it's only a softfail?

Out of the 85 or so in the quarantine that contain MG_YAHOO_FS, only about
8 have "From" as bellsouth, and about half of them have the DKIM softfail.

Thanks,
Alex


Re: Yahoo single link spam

2013-04-10 Thread Noel
On 4/10/2013 7:42 PM, Alex wrote:
> Hi,
>
>> Would someone put some samples of Yahoo single link spam on PasteBin.
>>
>> I am trying to test my rules and I seem to be missing some of the
>> variations.
>
> Here's an example: it is the message I developed the following rule
> against: http://pastebin.com/VRvtDfER
>
> I've obfuscated all e-mail addresses in it and verified that my rule
> catches the obfuscated version.  The rule is this:
>
> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
> header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
> meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
> score    MG_YAHOO_FS 50
>
> Some time ago Martin posted his rules for blocking yahoo link spam, and
> it's been working relatively well for my system. However, I'm now
> noticing a number of FPs that are "From" bellsouth.net addresses but
> pass through yahoo servers. They have DKIM and DomainKey signatures
> from bellsouth, yet otherwise appear to have no association with
> bellsouth.net.
>
> Is it just possible that bellsouth is using yahoo's servers? If so,
> could there be other "affiliates" that use yahoo that could also cause
> FPs?

I can confirm that bellsouth uses yahoo mail services for at least
some of their customer mail.  Legit @bellsouth.net mail may arrive
via a yahoo server.


> What would you suggest fixing the FPs in terms of this rule? Just add
> bellsouth.net to the "From" header check?

Looks like that should fix it.  I suppose I'm fortunate that these
haven't been much problem here, so I don't use this.



  -- Noel Jones


Re: Yahoo single link spam

2013-04-10 Thread Alex
Hi,

> Would someone put some samples of Yahoo single link spam on PasteBin.
>
>> I am trying to test my rules and I seem to be missing some of the
>> variations.
>
> Here's an example: it is the message I developed the following rule
> against: http://pastebin.com/VRvtDfER
>
> I've obfuscated all e-mail addresses in it and verified that my rule
> catches the obfuscated version.  The rule is this:
>
> describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
> header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
> header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
> meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
> score    MG_YAHOO_FS 50
>

Some time ago Martin posted his rules for blocking yahoo link spam, and
it's been working relatively well for my system. However, I'm now noticing
a number of FPs that are "From" bellsouth.net addresses but pass through
yahoo servers. They have DKIM and DomainKey signatures from bellsouth, yet
otherwise appear to have no association with bellsouth.net.

Is it just possible that bellsouth is using yahoo's servers? If so, could
there be other "affiliates" that use yahoo that could also cause FPs?

What would you suggest fixing the FPs in terms of this rule? Just add
bellsouth.net to the "From" header check?

Are people still seeing yahoo link spam, and are you using this rule to
block them?

I'm still seeing a bit of spam with only a link in the body with v3.3.2
that I can't block. I'd appreciate any input someone might have to help
with this until I can upgrade to a 3.4 snapshot.

Thanks,
Alex


Re: Yahoo single link spam

2013-03-19 Thread Kevin A. McGrail

On 3/19/2013 4:54 PM, Alex wrote:

> I know Kevin posted some rules, but they are no longer effective, as
> they rely on fixed subjects or sender names.

My rules are metas where some of the fixed subjects were useful. The
sender names were just internal.  However, I find the rules to be very
effective so I don't see a lot of these hence I don't work on it much
more.  My rules do rely on features in SA3.4 trunk.


Regards,
KAM


Re: Yahoo single link spam

2013-03-19 Thread Alex
Hi,

> We need a rule to catch this. It looks like more data than it is but it's
> really little more than a single link. Like to see a rule that identifies
> it.
>
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/plain; charset=us-ascii
>
>  http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh
>
> Lisa Tostado, ND

I was just wondering if there has been any progress on blocking these
yahoo single-link spams? Would SA v3.4 be any more effective?

I've written a few metas, but they're still coming through, and
thought I might have missed some efforts people have made to block
them?

I know Kevin posted some rules, but they are no longer effective, as
they rely on fixed subjects or sender names.

Most already hit BAYES_99, and I've also trained hundreds of other FNs.

I have plenty of samples if necessary.
Thanks,
Alex


Re: [sa-list] Re: Yahoo single link spam

2013-03-11 Thread Kevin A. McGrail

On 3/10/2013 3:37 PM, Dan Mahoney, System Admin wrote:

>> Here's the current version I'm using based on 3.4.0 trunk:
>>
>> #YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
>> header   __KAM_YAHOO1  From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
>> header   __KAM_YAHOO2  Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$)/
>> body     __KAM_YAHOO3  /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
>>
>> header   __KAM_YAHOO4  From:name =~ /Connor Hopkins/i
>>
>> meta     KAM_YAHOO     (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
>>
>> describe KAM_YAHOO     Compromised Yahoo! Accounts Sending Spam
>> score    KAM_YAHOO     9.0
>
> Just to add a late reply to the game, I'm still getting these. Kevin,
> it looks like your rules YAHOO1 and YAHOO3 are still appropriate, but
> neither of the others.

Perhaps.  Feel free to modify for your corpora.

> I think there's a few other things I've noticed that I don't know how
> to match:
>
> the body doesn't "contain" the link, it pretty much "IS" the link.
> However, I don't know how to write a rule that says "contains a link
> and NOTHING ELSE".

I don't know that we have that and my corpora show that isn't always the
case.  I used the body length check for this scenario but perhaps a new
eval of body length minus URI's?  Thoughts?

> I also don't know how to write rules that say "the text/plain portion
> contains a link, and the text/html portion contains more".  I'm not
> aware of how "body" gets interpreted in multipart/alternative
> messages.  Kevin, if you're able to tell me more about this, I'm happy
> to learn.

I don't know a way to do that either. It might exist or it might need an
eval custom rule but I usually expect text and html versions to be
different so I don't think this would be a likely Spam indicator.

> Writing rules is easy for some, but I'm more about solving the
> problem. The answer isn't "many people write many custom rulesets",
> it's "surbl catches up faster" or "yahoo acknowledges the problem."
>
>> Yahoo's procedures are very questionable. I typically send 5-10 YOUR
>> EMAIL ADDRESS IS COMPROMISED AND SENDING SPAM, CHANGE YOUR PASSWORD,
>> emails a week if not more.  And this has been going on for a good
>> number of months.
>
> While yahoo's abuse reporting procedures leave much to be desired,
> this is actually one of the reasons I was asking about a channel to
> autoreport mail to spamcop (and yahoo, if they were willing to take
> it, but they don't seem to be -- blog post coming on that, soon).

Good idea.

Regards,
KAM


Re: [sa-list] Re: Yahoo single link spam

2013-03-10 Thread Dan Mahoney, System Admin

On Fri, 22 Feb 2013, Kevin A. McGrail wrote:

> On 2/22/2013 3:27 PM, David F. Skoll wrote:
>> On Fri, 22 Feb 2013 12:20:22 -0800
>> Marc Perkel  wrote:
>>
>>> We need a rule to catch this. It looks like more data than it is but
>>> it's really little more than a single link. Like to see a rule that
>>> identifies it.
>>
>> Our product lets you make compound rules.  It should not be very hard
>> to translate this to SpamAssassin:
>>
>> HeaderMatches RegExp     ^To:(.*?@.*?){5}   AND
>> Envelope Sender          Ends with   @yahoo.com   AND
>> MessageSize              <6000
>>
>> Well, ok... the MessageSize condition is tricky.  And this rule does
>> kick up some false-positives, but overall it works pretty well for us.
>
> Here's the current version I'm using based on 3.4.0 trunk:
>
> #YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
> header   __KAM_YAHOO1  From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
> header   __KAM_YAHOO2  Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$)/
> body     __KAM_YAHOO3  /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
>
> header   __KAM_YAHOO4  From:name =~ /Connor Hopkins/i
>
> meta     KAM_YAHOO     (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
>
> describe KAM_YAHOO     Compromised Yahoo! Accounts Sending Spam
> score    KAM_YAHOO     9.0

Just to add a late reply to the game, I'm still getting these.  Kevin, it
looks like your rules YAHOO1 and YAHOO3 are still appropriate, but neither
of the others.  I think there's a few other things I've noticed that I
don't know how to match:

the body doesn't "contain" the link, it pretty much "IS" the link.
However, I don't know how to write a rule that says "contains a link and
NOTHING ELSE".  I also don't know how to write rules that say "the
text/plain portion contains a link, and the text/html portion contains
more".  I'm not aware of how "body" gets interpreted in
multipart/alternative messages.  Kevin, if you're able to tell me more
about this, I'm happy to learn.

Writing rules is easy for some, but I'm more about solving the problem.
The answer isn't "many people write many custom rulesets", it's "surbl
catches up faster" or "yahoo acknowledges the problem."

While yahoo's abuse reporting procedures leave much to be desired, this is
actually one of the reasons I was asking about a channel to autoreport
mail to spamcop (and yahoo, if they were willing to take it, but they
don't seem to be -- blog post coming on that, soon).


-Dan

--

"One...plus two...plus one...plus one."

-Tim Curry, Clue

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
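As an added example (not code from the thread or from the KAM ruleset), the Python below evaluates the additive KAM_YAHOO meta quoted above and Kevin's "body length minus URIs" idea, which is one way to express Dan's "contains a link and NOTHING ELSE" test, over a constructed multipart/alternative message. Python's `re` stands in for SpamAssassin's Perl engine; `__KAM_BODY_LENGTH_LT_128` and `MISSING_SUBJECT` are approximated rather than taken from SA, only text/plain parts are read (SA's own body rendering is not reproduced), and both messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Added example, not code from the thread or from the KAM ruleset. The four
# __KAM_YAHOO* patterns are copied from the rule as posted; Python's re
# stands in for SpamAssassin's Perl engine. __KAM_BODY_LENGTH_LT_128 and
# MISSING_SUBJECT are approximated here, only text/plain parts are read,
# and both messages below are constructed.

KAM_YAHOO1 = re.compile(r"\@(yahoo.com|yahoo.com.id|rocketmail.com)", re.I)
KAM_YAHOO2 = re.compile(r"^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?"
                        r"|the best!?$|excellent!?$|very good!?$|great!?$)")
KAM_YAHOO3 = re.compile(r"\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} "
                        r"\d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)")
KAM_YAHOO4 = re.compile(r"Connor Hopkins", re.I)
URI = re.compile(r"https?://\S+", re.I)


def plain_text_body(msg):
    """Concatenate the decoded text/plain parts of a (multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "us-ascii",
                                     "replace"))
    return "\n".join(chunks)


def kam_subrules(msg):
    """Evaluate each term of the KAM_YAHOO meta; every hit counts as 1."""
    body = plain_text_body(msg)
    subject = msg.get("Subject")
    from_hdr = msg.get("From", "")
    from_name = parseaddr(from_hdr)[0]          # what SA's From:name sees
    return {
        "__KAM_YAHOO1": KAM_YAHOO1.search(from_hdr) is not None,
        "__KAM_YAHOO2": KAM_YAHOO2.search(subject or "") is not None,
        "__KAM_YAHOO3": KAM_YAHOO3.search(body) is not None,
        "__KAM_YAHOO4": KAM_YAHOO4.search(from_name) is not None,
        "__KAM_BODY_LENGTH_LT_128": len(body.strip()) < 128,   # approximation
        "MISSING_SUBJECT": subject is None,                    # approximation
    }


def kam_yahoo_score(msg):
    """The additive meta: fire (score 9.0) when three or more terms hit."""
    return 9.0 if sum(kam_subrules(msg).values()) >= 3 else 0.0


def non_uri_length(body):
    """'Body length minus URIs': characters left once every URI and all
    whitespace are removed."""
    return len(re.sub(r"\s+", "", URI.sub("", body)))


def link_and_nothing_else(body):
    """'Contains a link and NOTHING ELSE': a URI is present and nothing
    but whitespace remains once URIs are stripped."""
    return URI.search(body) is not None and non_uri_length(body) == 0


# Constructed single-link message shaped like the samples in the thread.
SPAM = """\
From: "Pat Example" <pat.example@yahoo.com>
To: a@example.org, b@example.org
Subject: hi
Message-ID: <constructed-1@web1.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

http://www.example.com/kb/constructed-token
2/27/2013 6:58:01 PM
--b1
Content-Type: text/html; charset=us-ascii

<html><body><a href="http://www.example.com/kb/constructed-token">link</a></body></html>
--b1--
"""

# Constructed ordinary mail from the same provider: only __KAM_YAHOO1 hits.
HAM = """\
From: "Pat Example" <pat.example@yahoo.com>
To: a@example.org
Subject: Notes from Thursday's meeting
Message-ID: <constructed-2@web1.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii

Hi all, attached below are the notes from Thursday. The main action items are
the budget review, the vendor follow-up and the draft schedule for next month.
Let me know if I missed anything. Thanks, Pat
"""


def classify(raw):
    """Score one raw message and report which terms hit."""
    msg = message_from_string(raw)
    body = plain_text_body(msg)
    return {"score": kam_yahoo_score(msg), "hits": kam_subrules(msg),
            "link_only": link_and_nothing_else(body),
            "non_uri_length": non_uri_length(body)}


if __name__ == "__main__":
    print("spam:", classify(SPAM))
    print("ham: ", classify(HAM))
```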



Re: Yahoo single-link spam common elements

2013-03-03 Thread Alex
Hi,

>>> header   __RP_D_00040_1 From:addr =~ /yahoo/i
>>> header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
>>> body     __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
>>> meta     RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
>>> describe RP_D_00040 Yahoo single-line URL spam
>>
>>
>> I'm seeing variations on this that aren't being caught, and I hoped
>> someone could help. I've pasted my example here:
>>
>> http://pastebin.com/ijb0PSep
>>
>> There are more than five recipients, and despite changing it higher,
>> it still doesn't work. The URL in my example is:
>>
>> http-://www.mahmut64.com/nkewyzvy/3yvbqe0s7nab8dyg7udx5k.ki?fq98xcccm
>>
>> (remove the initial dash)
>>
>> I can't figure out how the above URL differs from some of the others
>> that have been caught, such as:
>> http-://www.misbusquedas.com/armn/sac2c9s6ar1azb1hij1r8a.zyy?x1sy9d9zj06u
>
> The number in the domain name?

I misinterpreted how the rule actually works. Viewing in alpine
doesn't show the name and date, ala "2/27/2013 6:58:01" afterwards.
Now I understand the \d and colons.

My new example just has a bunch of crap afterwards, like:

http-://www.magickspellcraft.com/ddazfep/9tzbvn.jgbm36vlon?vl1j7qpfx0lb5rsnbntm
jwugzcv zwsymhxir.
vsd/

ysvmwtcvp jodij.
vsd/

Alex


Re: Yahoo single-link spam common elements

2013-03-03 Thread John Hardin

On Sun, 3 Mar 2013, Alex wrote:

> Hi,
>
>> My latest attempt is this:
>>
>> header   __RP_D_00040_1 From:addr =~ /yahoo/i
>> header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
>> body     __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
>> meta     RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
>> describe RP_D_00040 Yahoo single-line URL spam
>
> I'm seeing variations on this that aren't being caught, and I hoped
> someone could help. I've pasted my example here:
>
> http://pastebin.com/ijb0PSep
>
> There are more than five recipients, and despite changing it higher,
> it still doesn't work. The URL in my example is:
>
> http-://www.mahmut64.com/nkewyzvy/3yvbqe0s7nab8dyg7udx5k.ki?fq98xcccm
>
> (remove the initial dash)
>
> I can't figure out how the above URL differs from some of the others
> that have been caught, such as:
> http-://www.misbusquedas.com/armn/sac2c9s6ar1azb1hij1r8a.zyy?x1sy9d9zj06u

The number in the domain name?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 7 days until Daylight Saving Time begins in U.S. - Spring Forward


Re: Yahoo single-link spam common elements

2013-03-03 Thread Alex
Hi,

> My latest attempt is this:
>
> header   __RP_D_00040_1 From:addr =~ /yahoo/i
> header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
> body     __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
> meta     RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
> describe RP_D_00040 Yahoo single-line URL spam

I'm seeing variations on this that aren't being caught, and I hoped
someone could help. I've pasted my example here:

http://pastebin.com/ijb0PSep

There are more than five recipients, and despite changing it higher,
it still doesn't work. The URL in my example is:

http-://www.mahmut64.com/nkewyzvy/3yvbqe0s7nab8dyg7udx5k.ki?fq98xcccm

(remove the initial dash)

I can't figure out how the above URL differs from some of the others
that have been caught, such as:
http-://www.misbusquedas.com/armn/sac2c9s6ar1azb1hij1r8a.zyy?x1sy9d9zj06u

Thanks,
Alex


Re: Yahoo single-link spam common elements

2013-03-02 Thread Niamh Holding

Hello David,

Friday, March 1, 2013, 5:43:37 PM, you wrote:

DFS> Can others confirm this pattern?

No.

URL in yesterday's is  http://b23144.s3-website-ap-northeast-1.amazonaws.com

-- 
Best regards,
 Niamh                            mailto:ni...@fullbore.co.uk


Re: Yahoo single link spam

2013-03-02 Thread Niamh Holding

Hello David,

Friday, March 1, 2013, 5:33:55 PM, you wrote:

DFS> are people still seeing these Yahoo single-link spams?

Got one yesterday

-- 
Best regards,
 Niamh                            mailto:ni...@fullbore.co.uk


Re: Yahoo single-link spam common elements

2013-03-01 Thread John Hardin

On Sat, 2 Mar 2013, Ned Slider wrote:

> On 02/03/13 01:40, John Hardin wrote:
>> On Sat, 2 Mar 2013, Ned Slider wrote:
>>>
>>> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>>>
>>> Can someone explain the regex and why it fails to fire for 7
>>> recipients?
>>
>> If the username + domain name + inter-address punctuation is longer
>> than 30 chars it won't work.
>>
>> I don't see a good reason for the upper limit, or at least for one
>> that restrictive. The To and Cc headers aren't going to be unboundedly
>> long.
>
> Thanks John (and others).
>
> Yes, the limit of 30 looks too small. I just created a local rule
> upping the limit to 100 and it now fires as expected.
>
> John - can we increase the limit?


Upped to 100. I was going to suggest something smaller, but realized that 
includes the user-visible-name part. 100 may not be enough given things 
like encoded UTF-8 display names, but this will improve things.




Re: Yahoo single-link spam common elements

2013-03-01 Thread John Hardin

On Sat, 2 Mar 2013, Wolfgang Zeikat wrote:

> In an older episode, on 2013-03-02 02:40, John Hardin wrote:
>>> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>>>
>>> Can someone explain the regex and why it fails to fire for 7
>>> recipients?
>>
>> (@, followed by 5-30 non-@ characters) repeated three times.
>
> Does that mean the same sequence of (@, followed by 5-30 non-@
> characters), repeated 3 times?

The *same* sequence, no. Matching a repeating specific sequence would
involve capturing the match (using parens without the ?:) and
backreferences to refer to the captured match later in the RE; it would
look something like:

  /(\@[^@]{5,30})\1{2}/



Re: Yahoo single-link spam common elements

2013-03-01 Thread Wolfgang Zeikat

In an older episode, on 2013-03-02 02:40, John Hardin wrote:

>> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>>
>> Can someone explain the regex and why it fails to fire for 7
>> recipients?
>
> (@, followed by 5-30 non-@ characters) repeated three times.

Does that mean the same sequence of (@, followed by 5-30 non-@
characters), repeated 3 times?


I wasn't sure about that earlier.

Regards,

wolfgang



Re: Yahoo single-link spam common elements

2013-03-01 Thread Ned Slider

On 02/03/13 01:40, John Hardin wrote:

> On Sat, 2 Mar 2013, Ned Slider wrote:
>> On 01/03/13 19:55, Alexandre Boyer wrote:
>>> The famous 5 recipients...
>>>
>>> I had a (very) few exceptions while having the very same pattern in
>>> body. With 4 recipients instead of 5, and sometimes one among the 5
>>> with no To:address, just To:name, which was harder to count...
>>>
>>> I removed the similar rule as your __RP_D_00040 from my systems to
>>> avoid false negatives.
>>>
>>> And no FP for a long time on this rule (this is an old bot, first
>>> saw last summer, but probably older but unnoticed).
>>
>> The example I posted earlier today had 7 recipients listed in To:
>> (sorry, I redacted them).
>>
>> Rather than using a rule specifically for 5 recipients, I would use
>> the existing __MANY_RECIPS rule in the meta rule.
>>
>> That said, I just checked my example, and __MANY_RECIPS failed to
>> fire. Here's the current rule:
>>
>> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>>
>> Can someone explain the regex and why it fails to fire for 7
>> recipients?
>
> (@, followed by 5-30 non-@ characters) repeated three times.
>
> If the username + domain name + inter-address punctuation is longer
> than 30 chars it won't work.
>
> I don't see a good reason for the upper limit, or at least for one
> that restrictive. The To and Cc headers aren't going to be unboundedly
> long.

Thanks John (and others).

Yes, the limit of 30 looks too small. I just created a local rule upping
the limit to 100 and it now fires as expected.

John - can we increase the limit?
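As an added example (not code from the thread or from the SpamAssassin rule set), the Python below runs the `__MANY_RECIPS` pattern quoted above against constructed To: headers to show why the 30-character bound misses seven recipients with display names while 100 catches them, and contrasts it with John's backreference form `(\@[^@]{5,30})\1{2}`, which only matches a literally repeated chunk. Python's `re` stands in for SpamAssassin's Perl engine and the ToCc pseudo-header is simulated as a plain string; all headers are constructed.

```python
import re

# Added example, not code from the thread. Python's re stands in for the
# Perl regex engine SpamAssassin uses; the __MANY_RECIPS pattern is quoted
# from the thread, and every header below is constructed for this example.


def many_recips(limit):
    """Compile the __MANY_RECIPS pattern with a configurable upper bound on
    the non-@ run (30 in the rule as posted, 100 after the fix)."""
    return re.compile(r"(?:\@[^@]{5,%d}){3}" % limit)


def many_recips_fires(tocc, limit=30):
    """True when __MANY_RECIPS would hit on SpamAssassin's ToCc pseudo-header
    (To and Cc joined, simulated here as one string)."""
    return many_recips(limit).search(tocc) is not None


def longest_gap(tocc):
    """Length of the longest run of non-@ characters between two '@'s: if it
    exceeds the upper bound, the {3} repetition can never chain through."""
    segments = tocc.split("@")
    inner = segments[1:-1]            # runs that sit between two '@'
    return max((len(s) for s in inner), default=0)


def same_sequence_repeated(tocc):
    """The backreference variant from the thread: only a literally identical
    '@...' chunk repeated three times matches, unlike (?:...){3}."""
    return re.search(r"(\@[^@]{5,30})\1{2}", tocc) is not None


# Constructed To: header with seven recipients whose display names push the
# gap between consecutive '@' characters well past 30 characters.
SEVEN_RECIPS = ", ".join(
    f'"Recipient Number {i}" <recipient.number.{i}@mail.example.com>'
    for i in range(1, 8)
)

# Constructed short addresses: every gap is 8 characters, so 30 is plenty.
THREE_SHORT = "a@b.org, c@d.org, e@f.org"


def explain(tocc):
    """Summarise how the rule behaves on one header at both bounds."""
    return {
        "recipients": tocc.count("@"),
        "longest_gap": longest_gap(tocc),
        "fires_at_30": many_recips_fires(tocc, 30),
        "fires_at_100": many_recips_fires(tocc, 100),
    }


if __name__ == "__main__":
    for name, hdr in (("seven", SEVEN_RECIPS), ("short", THREE_SHORT)):
        print(name, explain(hdr))
    print("backref, different local parts:",
          same_sequence_repeated("a@same.org,b@same.org,c@same.org,"))
    print("backref, identical chunks:",
          same_sequence_repeated("x@same.org,@same.org,@same.org,"))
```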




Re: Yahoo single-link spam common elements

2013-03-01 Thread Martin Gregorie
On Sat, 2013-03-02 at 01:11 +, Ned Slider wrote:
> That said, I just checked my example, and __MANY_RECIPS failed to fire. 
> Here's the current rule:
> 
> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
> 
> Can someone explain the regex and why it fails to fire for 7 recipients?
> 
Is the limit of 30 ^@ characters enough?

Martin






Re: Yahoo single-link spam common elements

2013-03-01 Thread John Hardin

On Sat, 2 Mar 2013, Ned Slider wrote:

> On 01/03/13 19:55, Alexandre Boyer wrote:
>> The famous 5 recipients...
>>
>> I had a (very) few exceptions while having the very same pattern in
>> body. With 4 recipients instead of 5, and sometimes one among the 5
>> with no To:address, just To:name, which was harder to count...
>>
>> I removed the similar rule as your __RP_D_00040 from my systems to
>> avoid false negatives.
>>
>> And no FP for a long time on this rule (this is an old bot, first saw
>> last summer, but probably older but unnoticed).
>
> The example I posted earlier today had 7 recipients listed in To:
> (sorry, I redacted them).
>
> Rather than using a rule specifically for 5 recipients, I would use the
> existing __MANY_RECIPS rule in the meta rule.
>
> That said, I just checked my example, and __MANY_RECIPS failed to fire.
> Here's the current rule:
>
> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7 recipients?

(@, followed by 5-30 non-@ characters) repeated three times.

If the username + domain name + inter-address punctuation is longer than
30 chars it won't work.

I don't see a good reason for the upper limit, or at least for one that
restrictive. The To and Cc headers aren't going to be unboundedly long.




Re: Yahoo single-link spam common elements

2013-03-01 Thread Wolfgang Zeikat

In an older episode, on 2013-03-02 02:19, Benny Pedersen wrote:

> Ned Slider skrev den 2013-03-02 02:11:
>> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>>
>> Can someone explain the regex and why it fails to fire for 7
>> recipients?
>
> As I read it, it fires if there are more than 4 domains, not only 5
> recipients, just a wild guess from me since I am not good at perl yet.


At least 3 domains rather. IMHO, the regexp means:
{3} repetitions of (@ followed by 5 to 30 characters that are _not_ @)

Hope this helps.

Cheers,

wolfgang




Re: Yahoo single-link spam common elements

2013-03-01 Thread Benny Pedersen

Ned Slider skrev den 2013-03-02 02:11:

> header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/
>
> Can someone explain the regex and why it fails to fire for 7
> recipients?

As I read it, it fires if there are more than 4 domains, not only 5
recipients, just a wild guess from me since I am not good at perl yet.


Re: Yahoo single-link spam common elements

2013-03-01 Thread Ned Slider

On 01/03/13 19:55, Alexandre Boyer wrote:

> The famous 5 recipients...
>
> I had a (very) few exceptions while having the very same pattern in
> body. With 4 recipients instead of 5, and sometimes one among the 5 with
> no To:address, just To:name, which was harder to count...
>
> I removed the similar rule as your __RP_D_00040 from my systems to avoid
> false negatives.
>
> And no FP for a long time on this rule (this is an old bot, first saw
> last summer, but probably older but unnoticed).

The example I posted earlier today had 7 recipients listed in To:
(sorry, I redacted them).

Rather than using a rule specifically for 5 recipients, I would use the
existing __MANY_RECIPS rule in the meta rule.

That said, I just checked my example, and __MANY_RECIPS failed to fire.
Here's the current rule:

header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/

Can someone explain the regex and why it fails to fire for 7 recipients?




Re: Yahoo single-link spam common elements

2013-03-01 Thread Alexandre Boyer
The famous 5 recipients...

I had a (very) few exceptions while having the very same pattern in
body. With 4 recipients instead of 5, and sometimes one among the 5 with
no To:address, just To:name, which was harder to count...

I removed the similar rule as your __RP_D_00040 from my systems to avoid
false negatives.

And no FP for a long time on this rule (this is an old bot, first saw
last summer, but probably older but unnoticed).

Alex, from prypiat.
Yes, I recycle.


On 13-03-01 02:45 PM, David F. Skoll wrote:
> On Fri, 01 Mar 2013 14:39:09 -0500
> Alexandre Boyer  wrote:
>
>> Pretty the same as what David suggests :-)
> My latest attempt is this:
>
> header   __RP_D_00040_1 From:addr =~ /yahoo/i
> header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
> body     __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
> meta     RP_D_00040 __RP_D_00040_1 && __RP_D_00040_2 && __RP_D_00040_3
> describe RP_D_00040 Yahoo single-line URL spam
>
> I'm a little worried about potential FPs, but we'll see how it goes.
>
> Regards,
>
> David.





Re: Yahoo single-link spam common elements

2013-03-01 Thread David F. Skoll
On Fri, 01 Mar 2013 14:39:09 -0500
Alexandre Boyer  wrote:

> Pretty the same as what David suggests :-)

My latest attempt is this:

header   __RP_D_00040_1 From:addr =~ /yahoo/i
header   __RP_D_00040_2 To =~ /(:?@.*?){5}/
body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
meta RP_D_00040 __RP_D_00040_1 &&__RP_D_00040_2 &&__RP_D_00040_3
describe RP_D_00040 Yahoo single-line URL spam

I'm a little worried about potential FPs, but we'll see how it goes.

Regards,

David.


Re: Yahoo single-link spam common elements

2013-03-01 Thread Alexandre Boyer
Right: the suggested pattern is working great, but there are some
variants as KAM says.

However I sense that these are not the same bots. The one with the "date
in body" is always the same (the spammer only changed the date format).

I heard about a cross site botnet exploit on Yahoo! and third party
website, but did not dig into that.

Here is what is working fine for me:

body   __AJB_DATE_IN_BODY  m'\d{1,2}/\d{1,2}/\d{4}\s(\d{1,2}:){2}\d{2} [AP]M'
uri    __AJB_RANDOMURI     m'/[a-z]{2,10}/[a-z1-9]{1,30}(\.[a-z1-9]{1,10}\?[a-z1-9]{1,30}|[\=\&][a-z1-9]{1,30})'
meta   AJB_YAHOO_BOT       AJB_REALYAHOO && HTML_MESSAGE && __AJB_DATE_IN_BODY && __AJB_RANDOMURI
score  AJB_YAHOO_BOT       10.0
meta   AJB_REALYAHOO       __AJB_FROM_YAHOO && __RCVD_YAHOO
header __AJB_FROM_YAHOO    From:addr =~ /\@yahoo\.c(a|om)/i
header __RCVD_YAHOO        Received =~ m'\.yahoo\.c(a|om) .+ by \S+\.zerospam\.ca'm


Pretty the same as what David suggests :-)

Also noticed that the To:, Reply-To: headers and the name in the
signature in the body matches. Wanted to code a plugin but the previous
rules are doing the job so...

Alex, from prypiat.
Yes, I recycle.


On 13-03-01 12:49 PM, Kevin A. McGrail wrote:
> On 3/1/2013 12:43 PM, David F. Skoll wrote:
>> These are the common elements as far as I can see in the text/plain part
>> of the spam:
>>
>> 1) The URL always matches this regex:
>>
>> http://\S+/\S+\.\s+\?
>>
>> In other words, there's always a dot in the URL (not counting the dots
>> in the domain name itself) and a question mark.
>>
>> 2) The URL is then followed by possible whitespace and the name or
>> address
>> of the sender.
>>
>> 3) This is followed by more possible whitespace and then the date and
>> time in a format that matches this regex:
>>
>>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M
>>
>> Can others confirm this pattern?
> I can confirm this is ONE of the patterns we've seen but we have seen
> other variations.
>
> For example, here's one from yesterday that you'll note forges my
> brother as the sender:
>
> Return-Path: 
> Received: from nm7.bullet.mail.gq1.yahoo.com
> (nm7.bullet.mail.gq1.yahoo.com [98.136.218.72])
> by intel1.peregrinehw.com (8.14.5/8.14.5) with SMTP id r1SI2WHg008621
> for ; Thu, 28 Feb 2013 13:02:33 -0500
> Received: from [98.137.12.61] by nm7.bullet.mail.gq1.yahoo.com with
> NNFMP; 28 Feb 2013 18:02:31 -
> Received: from [208.71.42.212] by tm6.bullet.mail.gq1.yahoo.com with
> NNFMP; 28 Feb 2013 18:02:31 -
> Received: from [127.0.0.1] by smtp223.mail.gq1.yahoo.com with NNFMP;
> 28 Feb 2013 18:02:31 -
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
> s=s1024; t=1362074551;
> bh=O2aFzcTOvDvCQALZoONOlZmCJiqlFu6WnhUAJG1clGI=;
> h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:Reply-To:Subject:Date:To;
>
> X-Yahoo-Newman-Id: 533489.47072...@smtp223.mail.gq1.yahoo.com
> Message-ID: <533489.47072...@smtp223.mail.gq1.yahoo.com>
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-SMTP: bHYtILuswBDzs9L.FhYpFEHr7NQ0kndD9GjKbx8-
> Received: from localhost (rasiel_mongado29@200.121.59.161 with login)
> by smtp223.mail.gq1.yahoo.com with SMTP; 28 Feb 2013 10:02:31
> -0800 PST
> From: TOBY MCGRAIL 
> Reply-To: TOBY MCGRAIL 
> Subject: KEVIN
> Date: Thu, 28 Feb 2013 10:05:47 -0800 (PST)
> To: Kevin 
>
> kevin, hey. look what I found!   
> http://www.deguciumd-munged.lt/answerbabykevingreen/
>
>
> regards,
> KAM




Re: Yahoo single link spam

2013-03-01 Thread Ned Slider

On 01/03/13 17:33, David F. Skoll wrote:

Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.

Regards,

David.



Here's one from this morning:

http://pastebin.com/cuk595z6

that matches the pattern being discussed.




Re: Yahoo single link spam

2013-03-01 Thread Martin Gregorie
On Fri, 2013-03-01 at 12:33 -0500, David F. Skoll wrote:
> Somewhat OT... are people still seeing these Yahoo single-link spams?
> They seem to have stopped abruptly as far as I can tell.
> 
I haven't seen one for a few days either, but think it's still a useful
rule because it can't cost a lot to run and, in the past anyway, Yahoo
has been quite a common spam vector.


Martin




Re: Yahoo single-link spam common elements

2013-03-01 Thread Kevin A. McGrail

On 3/1/2013 12:43 PM, David F. Skoll wrote:

These are the common elements as far as I can see in the text/plain part
of the spam:

1) The URL always matches this regex:

http://\S+/\S+\.\s+\?

In other words, there's always a dot in the URL (not counting the dots
in the domain name itself) and a question mark.

2) The URL is then followed by possible whitespace and the name or address
of the sender.

3) This is followed by more possible whitespace and then the date and
time in a format that matches this regex:

   \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M

Can others confirm this pattern?
I can confirm this is ONE of the patterns we've seen but we have seen 
other variations.


For example, here's one from yesterday that you'll note forges my 
brother as the sender:


Return-Path: 
Received: from nm7.bullet.mail.gq1.yahoo.com (nm7.bullet.mail.gq1.yahoo.com 
[98.136.218.72])
by intel1.peregrinehw.com (8.14.5/8.14.5) with SMTP id r1SI2WHg008621
for ; Thu, 28 Feb 2013 13:02:33 -0500
Received: from [98.137.12.61] by nm7.bullet.mail.gq1.yahoo.com with NNFMP; 28 
Feb 2013 18:02:31 -
Received: from [208.71.42.212] by tm6.bullet.mail.gq1.yahoo.com with NNFMP; 28 
Feb 2013 18:02:31 -
Received: from [127.0.0.1] by smtp223.mail.gq1.yahoo.com with NNFMP; 28 Feb 
2013 18:02:31 -
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; 
t=1362074551; bh=O2aFzcTOvDvCQALZoONOlZmCJiqlFu6WnhUAJG1clGI=; 
h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:Reply-To:Subject:Date:To;
 
X-Yahoo-Newman-Id: 533489.47072...@smtp223.mail.gq1.yahoo.com
Message-ID: <533489.47072...@smtp223.mail.gq1.yahoo.com>
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: bHYtILuswBDzs9L.FhYpFEHr7NQ0kndD9GjKbx8-
Received: from localhost (rasiel_mongado29@200.121.59.161 with login)
by smtp223.mail.gq1.yahoo.com with SMTP; 28 Feb 2013 10:02:31 -0800 PST
From: TOBY MCGRAIL 
Reply-To: TOBY MCGRAIL 
Subject: KEVIN
Date: Thu, 28 Feb 2013 10:05:47 -0800 (PST)
To: Kevin 

kevin, hey. look what I found!
http://www.deguciumd-munged.lt/answerbabykevingreen/


regards,
KAM


Re: Yahoo single link spam

2013-03-01 Thread Kevin A. McGrail

  
  
I saw 3 yesterday, yes.  Scored 6.4 but I use a high threshold so I can
view the fringe spam.

On 3/1/2013 12:33 PM, David F. Skoll wrote:

Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.

Regards,

David.


--
Kevin A. McGrail
President

Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
kmcgr...@pccc.com


Re: Yahoo single link spam

2013-03-01 Thread Anthony Hoppe
We don't see them as much as we used to, but they still make an appearance
every once in a while.

~ Anthony
 
- Original Message -
From: "David F. Skoll" 
To: users@spamassassin.apache.org
Sent: Friday, March 1, 2013 9:33:55 AM
Subject: Re: Yahoo single link spam

Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.

Regards,

David.


Re: Yahoo single link spam

2013-03-01 Thread David F. Skoll
Somewhat OT... are people still seeing these Yahoo single-link spams?
They seem to have stopped abruptly as far as I can tell.

Regards,

David.


Re: Yahoo single link spam

2013-03-01 Thread Martin Gregorie
On Fri, 2013-03-01 at 15:38 +, Scott Ostrander wrote:
> Would someone put some samples of Yahoo single link spam on PasteBin.
> I am trying to test my rules and I seem to be missing some of the variations.
> 
Here's an example: it is the message I developed the following rule
against: http://pastebin.com/VRvtDfER

I've obfuscated all e-mail addresses in it and verified that my rule
catches the obfuscated version.  The rule is this:

describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
score    MG_YAHOO_FS 50

As I said previously, the apparently excessive score is needed to
override the score that my auto-whitelister applies to sender addresses
I've previously sent mail to: so far all messages I've had of this type
have had forged senders that I've previously corresponded with.
 

Martin





RE: Yahoo single link spam

2013-03-01 Thread Scott Ostrander
Would someone put some samples of Yahoo single link spam on PasteBin.
I am trying to test my rules and I seem to be missing some of the variations.

Thanks,
Scott

-Original Message-
From: Marc Perkel [mailto:supp...@junkemailfilter.com] 
Sent: Friday, February 22, 2013 12:20 PM
To: users@spamassassin.apache.org
Subject: Yahoo single link spam

We need a rule to catch this. It looks like more data than it is but it's 
really little more than a single link. Like to see a rule that identifies it.

---262101065-1882747875-1361559395=:62570
Content-Type: text/plain; charset=us-ascii

 http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh

Lisa Tostado, ND


---262101065-1882747875-1361559395=:62570
Content-Type: text/html; charset=us-ascii

 http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh";>http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemhLisa
 Tostado, ND
---262101065-1882747875-1361559395=:62570--


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: Yahoo single link spam

2013-03-01 Thread Martin Gregorie
On Thu, 2013-02-28 at 20:34 -0500, Steve Prior wrote:

> I'm really starting to suspect that these spammers are scraping your public
> posts on Facebook and grabbing the names of people that commented on those
> posts, then using a Yahoo account and setting that name on the account before
> sending the spam.  The only issue is how do they find the legitimate email
> addresses of the person to send the spam to.  I wouldn't be at all surprised
> to hear that this had something to do with a Facebook app people let have
> access to their account info.
> 
That's not the only mechanism they're using. I don't use any social
networking sites yet I get a small amount of spam sent via Yahoo too. In
my case the forged sender has usually been presented as a member of a
mailing list I subscribe to, though the last example had got my address
via a virus or trojan on a friend's Windows box and somehow knew that he
sends sport-related multiply addressed e-mails from time to time: the
spam's subject line looked as if it was one of them and the only real
giveaway was that the single line payload pushed a Romanian site when
the genuine e-mails are exclusively about British topics.

Martin





Re: Yahoo single link spam

2013-02-28 Thread Steve Prior

On 2/23/2013 10:56 AM, Kevin A. McGrail wrote:

I am 100% certain that it is compromised accounts on yahoo where they steal the
address books. They then seem to cross correlate and use common last names to
mail people using other compromised yahoo accounts. Though I need to check if
they have started forging as well through other servers.

I have seen a lot of these examples and have specific patterns that make this
the only possibility.
Regards,
KAM



I've just confirmed that I received the single link Yahoo spam between me and 
someone else where neither of us had the other in each other's Yahoo address 
book, so the only thing this had to do with Yahoo was that a third party Yahoo 
account was used to send the spam.  In fact the person who I supposedly got the 
email from was a pretty recent contact of mine and we had pretty much only 
communicated with each other via LinkedIn and Facebook.


I'm really starting to suspect that these spammers are scraping your public 
posts on Facebook and grabbing the names of people that commented on those 
posts, then using a Yahoo account and setting that name on the account before 
sending the spam.  The only issue is how do they find the legitimate email 
addresses of the person to send the spam to.  I wouldn't be at all surprised to 
hear that this had something to do with a Facebook app people let have access to 
their account info.


Steve


Re: Yahoo single link spam

2013-02-25 Thread David F. Skoll
Hello,

I've discovered something... all of our samples of the Yahoo spam contain
a text/plain part that contains something like this:

http://www.majormedicaladvice.com/gfrqcov/ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33 
PMKaryn Armstrong

That is, the target URL is immediately followed by the date, a space,
the time, "AM" or "PM" and then the fake sender's name with (no space
between AM/PM and the name.)

I'm guessing an SA rule like this:

body YAHOO_SINGLELINE /http:\/\/\S{1,90}\d{1,2}\/\d{1,2}\/\d{4} 
\d{1,2}:\d{1,2}:\d{1,2} [AP]M/

might work.  Untested, though...

Regards,

David.


Re: Yahoo single link spam

2013-02-24 Thread David F. Skoll
On Sun, 24 Feb 2013 18:35:04 +0100
Benny Pedersen  wrote:

> David, could you make this as a ClamAV logical signature, and test
> it?

I don't know how to do that... sorry.

Regards,

David.


Re: Yahoo single link spam

2013-02-24 Thread Kevin A. McGrail


On 2/23/2013 10:56 AM, Kevin A. McGrail wrote:
Though I need to check if they have started forging as well through 
other servers.


Just following up on this and checking the Yahoo! spam that I've been 
researching, all of it is sent by Yahoo! accounts through Yahoo! with 
real DKIM signatures.


Regards,
KAM



Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen

Axb skrev den 2013-02-24 19:02:


I obviously didn't understand you, nor do I understand you now
doesn't matter...


Now you understand why you are a developer and I am not? :=)))

I remember some who said it :(


Re: Yahoo single link spam

2013-02-24 Thread Axb

On 02/24/2013 06:48 PM, Benny Pedersen wrote:

Axb skrev den 2013-02-24 18:35:


http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com

Is it possible to implement it?

imho surbl using it, but it would be nice to have it live tested


What you're seeing is other way round - mywot uses SURBL

If you'd check mail traffic against mywot, you'd DOS them in no time.
(but you're welcome to write a plugin and see what happens)


No plugin is needed; it's fast to add it to uribl_skip and make a local
rule to catch this spamming domain locally while it's not green on mywot.

It's free to make it better :)


I obviously didn't understand you, nor do I understand you now
doesn't matter...


Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen

Axb skrev den 2013-02-24 18:35:


http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com

Is it possible to implement it?

imho surbl using it, but it would be nice to have it live tested


What you're seeing is other way round - mywot uses SURBL

If you'd check mail traffic against mywot, you'd DOS them in no time.
(but you're welcome to write a plugin and see what happens)


No plugin is needed; it's fast to add it to uribl_skip and make a
local rule to catch this spamming domain locally while it's not green on
mywot.


It's free to make it better :)


Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen

Kevin A. McGrail skrev den 2013-02-22 21:56:

describe KAM_YAHOO   Compromised Yahoo! Accounts Sending Spam


Incorrect: if they are DKIM signed it's Yahoo, if not it's a silly
spammer


blacklist_from (all-yahoo-domains)
def_whitelist_from (all-yahoo-domains)

would be more simple

the blacklist could force bayes learn as spam ?

and the whitelist based on resulting score ?


Re: Yahoo single link spam

2013-02-24 Thread Axb

On 02/24/2013 06:29 PM, Benny Pedersen wrote:

Marc Perkel skrev den 2013-02-22 21:20:

We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.


http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com

Is it possible to implement it?

imho surbl using it, but it would be nice to have it live tested


What you're seeing is other way round - mywot uses SURBL

If you'd check mail traffic against mywot, you'd DOS them in no time.
(but you're welcome to write a plugin and see what happens)





Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen

David F. Skoll skrev den 2013-02-22 21:27:


HeaderMatches RegExp   ^To:(.*?@.*?){5}   AND
Envelope Sender   Ends with @yahoo.com AND
MessageSize   <6000

Well, ok... the MessageSize condition is tricky.  And this rule does
kick up some false-positives, but overall it works pretty well for 
us.


David, could you make this as a ClamAV logical signature, and test
it?


If not, I could try myself :)


Re: Yahoo single link spam

2013-02-24 Thread Benny Pedersen

Marc Perkel skrev den 2013-02-22 21:20:

We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.


http://www.mywot.com/en/scorecard/fox-enws.com/
http://www.trustpilot.com/review/fox-enws.com

Is it possible to implement it?

imho surbl using it, but it would be nice to have it live tested


Re: Yahoo single link spam

2013-02-23 Thread Kevin A. McGrail
I am 100% certain that it is compromised accounts on yahoo where they steal the 
address books.  They then seem to cross correlate and use common last names to 
mail people using other compromised yahoo accounts.  Though I need to check if 
they have started forging as well through other servers.  

I have seen a lot of these examples and have specific patterns that make this 
the only possibility.
Regards,
KAM

Steve Prior  wrote:

>>>> Here's the current version I'm using based on 3.4.0 trunk:
>>> We're seeing many different variations.  For example, we see over
>>> 70 variations in the name (not just "Connor Hopkins").
>> Agreed.  That's more of an internal meta because we had one person
>> really getting hammered.  YMMV.
>
>I've been curious what's going on with the Yahoo spam because the from
>name that's been used has been someone I know, but the actual yahoo
>account the spam is sent from is not.  So it sounds like spammers are
>using some means to determine the name of someone you know and then have
>an unrelated to that person compromised account send the spam to you
>with a name you know.  I've even wondered if social networks are
>involved somehow.
>
>Steve


Re: Yahoo single link spam

2013-02-23 Thread Martin Gregorie
On Fri, 2013-02-22 at 12:20 -0800, Marc Perkel wrote:
> We need a rule to catch this. It looks like more data than it is but 
> it's really little more than a single link. Like to see a rule that 
> identifies it.
> 
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/plain; charset=us-ascii
> 
>  http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh
> 
> Lisa Tostado, ND
> 
> 
> ---262101065-1882747875-1361559395=:62570
> Content-Type: text/html; charset=us-ascii
> 
>   href="http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemh";>http://www.eisingen.de/kb/m6ods3ohyayq.r34xx5y7k8rn1ycnemhLisa
>  Tostado, ND
> ---262101065-1882747875-1361559395=:62570--
> 
> 
Unless I've had a run of anomalous Yahoo spam, I think I've spotted a
rule that can catch a lot of it. Here's my version:

# 
# Yahoo message-ID but sender not Yahoo.
#
describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/ 
header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/ 
meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
score    MG_YAHOO_FS 50


I've noticed that very much spam coming from Yahoo does not have a Yahoo
sender address. A significant proportion of my spam stream comes with
forged senders that pretend membership of mailing lists I'm subscribed
to and that are automatically whitelisted by my system: the high score
is there to counter this whitelisting.


Martin




Re: Yahoo single link spam

2013-02-22 Thread Steve Prior

Here's the current version I'm using based on 3.4.0 trunk:

We're seeing many different variations.  For example, we see over
70 variations in the name (not just "Connor Hopkins").

Agreed.  That's more of an internal meta because we had one person really
getting hammered.  YMMV.


I've been curious what's going on with the Yahoo spam because the from name 
that's been used has been someone I know, but the actual yahoo account the spam 
is sent from is not.  So it sounds like spammers are using some means to 
determine the name of someone you know and then have an unrelated to that person 
compromised account send the spam to you with a name you know.  I've even 
wondered if social networks are involved somehow.


Steve


Re: Yahoo single link spam

2013-02-22 Thread Kevin A. McGrail

On 2/22/2013 4:01 PM, David F. Skoll wrote:

On Fri, 22 Feb 2013 15:56:38 -0500
"Kevin A. McGrail"  wrote:


Here's the current version I'm using based on 3.4.0 trunk:

We're seeing many different variations.  For example, we see over
70 variations in the name (not just "Connor Hopkins").
Agreed.  That's more of an internal meta because we had one person 
really getting hammered.  YMMV.


Re: Yahoo single link spam

2013-02-22 Thread David F. Skoll
On Fri, 22 Feb 2013 15:56:38 -0500
"Kevin A. McGrail"  wrote:

> Here's the current version I'm using based on 3.4.0 trunk:

We're seeing many different variations.  For example, we see over
70 variations in the name (not just "Connor Hopkins").

Regards,

David.


Re: Yahoo single link spam

2013-02-22 Thread The Doctor
On Fri, Feb 22, 2013 at 03:27:27PM -0500, David F. Skoll wrote:
> On Fri, 22 Feb 2013 12:20:22 -0800
> Marc Perkel  wrote:
> 
> > We need a rule to catch this. It looks like more data than it is but 
> > it's really little more than a single link. Like to see a rule that 
> > identifies it.
> 
> Our product lets you make compound rules.  It should not be very hard
> to translate this to SpamAssassin:
> 
> HeaderMatches RegExp   ^To:(.*?@.*?){5}   AND
> Envelope Sender   Ends with @yahoo.com AND
> MessageSize   <6000
> 
> Well, ok... the MessageSize condition is tricky.  And this rule does
> kick up some false-positives, but overall it works pretty well for us.
> 
> Regards,
> 
> David.


Let me dive in and say Yahoo! Security needs to be present.

One customer and one friend have been told of this
as their accounts got hijacked.

-- 
Member - Liberal International  This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 amnd 53 on Atheism


Re: Yahoo single link spam

2013-02-22 Thread Kevin A. McGrail

On 2/22/2013 3:27 PM, David F. Skoll wrote:

On Fri, 22 Feb 2013 12:20:22 -0800
Marc Perkel  wrote:


We need a rule to catch this. It looks like more data than it is but
it's really little more than a single link. Like to see a rule that
identifies it.

Our product lets you make compound rules.  It should not be very hard
to translate this to SpamAssassin:

HeaderMatches RegExp   ^To:(.*?@.*?){5}   AND
Envelope Sender   Ends with @yahoo.com AND
MessageSize   <6000

Well, ok... the MessageSize condition is tricky.  And this rule does
kick up some false-positives, but overall it works pretty well for us.


Here's the current version I'm using based on 3.4.0 trunk:

# YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE
# COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
header   __KAM_YAHOO1  From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header   __KAM_YAHOO2  Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$)/
body     __KAM_YAHOO3  /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/

header   __KAM_YAHOO4  From:name =~ /Connor Hopkins/i

meta     KAM_YAHOO     (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)

describe KAM_YAHOO     Compromised Yahoo! Accounts Sending Spam
score    KAM_YAHOO     9.0

regards,
KAM
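Added example, not from the thread or from SpamAssassin: the three date-in-body patterns posted in this thread (David's YAHOO_SINGLELINE, KAM's __KAM_YAHOO3 and Alexandre's __AJB_DATE_IN_BODY) run over constructed one-line bodies so the difference in what each variant accepts, and what it would hit in ordinary mail, is visible. Domains and names are made up, and SpamAssassin's body rendering is approximated as a single whitespace-collapsed line.

```python
import re

# The three variants posted in the thread, transcribed from Perl to Python.
# David's YAHOO_SINGLELINE: the date must sit directly after a URL.
DAVID = re.compile(
    r"http://\S{1,90}\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M")
# KAM's __KAM_YAHOO3: '/' or '\' as separator, 2- to 4-digit year, no URL.
KAM = re.compile(
    r"\d{1,2}[\\/]\d{1,2}[\\/]\d{2,4} \d{1,2}:\d{1,2}:\d{1,2} (AM|PM)")
# Alexandre's __AJB_DATE_IN_BODY: 4-digit year and exactly two-digit seconds.
AJB = re.compile(r"\d{1,2}/\d{1,2}/\d{4}\s(\d{1,2}:){2}\d{2} [AP]M")

VARIANTS = {"DAVID": DAVID, "KAM": KAM, "AJB": AJB}


def render(raw):
    """Approximate SA's rendered body: wrapped lines joined by single spaces
    (the thread's sample shows 'PM' wrapped onto its own line)."""
    return " ".join(raw.split())


def which_fire(body):
    """Names of the variants whose pattern matches the rendered body text."""
    return [name for name, rx in VARIANTS.items() if rx.search(body)]


# Constructed bodies shaped like the samples in the thread (fake domains).
# URL immediately followed by m/d/yyyy h:mm:ss PM and the forged name.
SAMPLE_URL_DATE = render(
    "http://www.example.invalid/gfrqcov/ktr.2dd0ifqv?kj82bw2/25/2013 2:58:33\n"
    "PMKaryn Armstrong")

# Same layout, date format changed to two-digit year with backslashes.
SAMPLE_BACKSLASH = render(
    "http://www.example.invalid/a/b.c?d2\\25\\13 2:58:33 PMKaryn Armstrong")

# Same layout with single-digit seconds.
SAMPLE_SHORT_SECONDS = render(
    "http://www.example.invalid/x/y.z?q3/1/2013 10:05:7 AMKaryn Armstrong")

# Ordinary mail that mentions a URL and a timestamp with text between them:
# only the URL-anchored variant stays quiet here.
SAMPLE_LEGIT = render(
    "Minutes are at http://intranet.example.invalid/minutes.html "
    "posted 2/25/2013 2:58:33 PM by the secretary")


if __name__ == "__main__":
    for label, body in [("url+date", SAMPLE_URL_DATE),
                        ("backslash", SAMPLE_BACKSLASH),
                        ("short secs", SAMPLE_SHORT_SECONDS),
                        ("legit", SAMPLE_LEGIT)]:
        print(f"{label:11s} -> {which_fire(body)}")
```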


Re: Yahoo single link spam

2013-02-22 Thread David F. Skoll
On Fri, 22 Feb 2013 12:20:22 -0800
Marc Perkel  wrote:

> We need a rule to catch this. It looks like more data than it is but 
> it's really little more than a single link. Like to see a rule that 
> identifies it.

Our product lets you make compound rules.  It should not be very hard
to translate this to SpamAssassin:

HeaderMatches RegExp   ^To:(.*?@.*?){5}   AND
Envelope Sender   Ends with @yahoo.com AND
MessageSize   <6000

Well, ok... the MessageSize condition is tricky.  And this rule does
kick up some false-positives, but overall it works pretty well for us.

Regards,

David.