Re: yet another uribl evasion example

2005-06-20 Thread Nix
On Mon, 13 Jun 2005, Theo Van Dinter uttered the following:
> On Mon, Jun 13, 2005 at 09:42:35PM +0200, wolfgang wrote:
>> - 3.0.4 appears to bring new challenges (Net::DNS version and such)
> 
> 3.0.4 should be a drop-in replacement for earlier versions.  People seem
> to be having issues if they also upgrade Net::DNS, but there's no
> requirement to do so.

This doesn't seem to be invariably true: I've upgraded Net::DNS to 1.51
on this box (Perl 5.8.5, Linux 2.6.11) and had no problems whatsoever.

Passing strange...

-- 
`It's as bizarre an intrusion as, I don't know, the hobbits coming home
 to find that the Shire has been taken over by gangsta rappers.'


Re: yet another uribl evasion example

2005-06-13 Thread Loren Wilton
> would it be reasonable to add a rule to check for anomalies in URLs? 
> what's the best (TM) way?

SARE, at least at the moment.

Loren



Re: yet another uribl evasion example

2005-06-13 Thread Robert Menschel
Hello mouss,

Monday, June 13, 2005, 8:15:27 AM, you wrote:

m> I just got the spam below (headers removed except few).

m> would it be reasonable to add a rule to check for anomalies in URLs?
m> what's the best (TM) way?

1) As has been suggested, upgrade.

2) Grab the SARE header rules file, which has rules for various types
of header obfuscation.

Note that those with 3.0.4 and the new header file get some
double-hits. We'll be running a new overlap analysis soon to get rid
of the duplicates.

Bob Menschel





Re: yet another uribl evasion example

2005-06-13 Thread mouss

Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
>> however, it doesn't trigger surbl checks, since  the '&' is considered 
>> as the end of the url.
>
> What version are you running?  This was fixed in 3.0.4.



thanks for the reply. I am running 3.0.3. time to upgrade... (not in a 
hurry though, very few spams get through...)


now, I am still thinking about the forged helo part. Is this fixed? and 
if not, is there a way to "fix" it (without getting FPs)?


Re: yet another uribl evasion example

2005-06-13 Thread Bill Landry
- Original Message - 
From: "Michele Neylon:: Blacknight" <[EMAIL PROTECTED]>

> Niek wrote:
> > Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
> > you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
> > Upgrading is not needed for sa 3.0.4 afaik.
> >
> > Niek Baakman
> >
> 0.51 gives me the same problems :)

I just started following this thread, so I'm not quite sure what the issue is
with SA 3.0.4 and Net::DNS 0.51.  I have been running both these since
Saturday, and all appears to be working fine here.

Bill



Re: yet another uribl evasion example

2005-06-13 Thread Michele Neylon:: Blacknight
Niek wrote:
> Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
> you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
> Upgrading is not needed for sa 3.0.4 afaik.
> 
> Niek Baakman
> 
0.51 gives me the same problems :)



Re: yet another uribl evasion example

2005-06-13 Thread Theo Van Dinter
On Mon, Jun 13, 2005 at 09:42:35PM +0200, wolfgang wrote:
> - 3.0.4 appears to bring new challenges (Net::DNS version and such)

3.0.4 should be a drop-in replacement for earlier versions.  People seem
to be having issues if they also upgrade Net::DNS, but there's no
requirement to do so.

3.0.4 fixes many bugs, some pretty important, so it's highly recommended to
update.

-- 
Randomly Generated Tagline:
I'm practicing assertiveness.  Do you think that's okay?




Re: yet another uribl evasion example

2005-06-13 Thread Niek

On 6/13/2005 9:42 PM +0200, wolfgang wrote:
> - 3.0.4 appears to bring new challenges (Net::DNS version and such)


Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
Upgrading is not needed for sa 3.0.4 afaik.

Niek Baakman




Re: yet another uribl evasion example

2005-06-13 Thread wolfgang
In an older episode (Monday 13 June 2005 21:20), Raymond Dijkxhoorn wrote:

> Any reason not wanting to upgrade to 3.0.4 ?

yes.
- our spamchecker machines' distributor is slow with upgrades while i can 
patch existing 3.0.2 code on them.

- 3.0.4 appears to bring new challenges (Net::DNS version and such)






Re: yet another uribl evasion example

2005-06-13 Thread Raymond Dijkxhoorn

Hi!


>> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
>>> however, it doesn't trigger surbl checks, since  the '&' is considered
>>> as the end of the url.
>>
>> What version are you running?  This was fixed in 3.0.4.
>
> can the fix be applied to 3.0.3?

Any reason not wanting to upgrade to 3.0.4 ?

Bye,
Raymond.


Re: yet another uribl evasion example

2005-06-13 Thread wolfgang
In an older episode (Monday 13 June 2005 18:10), Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> > however, it doesn't trigger surbl checks, since  the '&' is considered 
> > as the end of the url.
> 
> What version are you running?  This was fixed in 3.0.4.

can the fix be applied to 3.0.3?

cheers,

wolfgang



Re: yet another uribl evasion example

2005-06-13 Thread Theo Van Dinter
On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> however, it doesn't trigger surbl checks, since  the '&' is considered 
> as the end of the url.

What version are you running?  This was fixed in 3.0.4.

-- 
Randomly Generated Tagline:
Farfignewton.. the cookie of the stars..

