Re: S-P-A-M Extra long domain names rule?
On Mon, Apr 21, 2008 at 10:26:02PM -0500, Jack Pepper wrote:
> I saw one of these in a phishing email. I didn't know if it was
> supposed to be that way or not, but I was quite curious. Firefox
> tries to connect to http://www..google.com . (click it and see)

"Firefox can't find the server at www..google.com."

Doesn't seem like a good tactic.

> Firefox will also try to connect to http://www.*.google.com .

"Firefox can't find the server at www.*.google.com."

> So as I pondered it, it seemed plausible that a phisher could create a
> zero-length subdomain which would evade scanning by regex processors
> (like SA) because it would not parse out as a valid URL. But the
> browser will still try to connect. Is this SA evasion? Seems quite
> plausible.

Doesn't work. I put "http://www..google.com" in both text/plain and
text/html, SA finds it and parses out "google.com".

SA found "http://www.*.google.com", domain of google.com, as a text/html
href. It doesn't find it as a parsed URL.

--
Randomly Selected Tagline:
Zoidberg: So many memories, so many strange fluids gushing out of patients' bodies
Re: S-P-A-M Extra long domain names rule?
Quoting Karsten Bräckelmann <[EMAIL PROTECTED]>:

> > describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> > body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
>
> Have you ever seen these? Would it work, does any MUA or browser silently
> collapse multiple dots?

I saw one of these in a phishing email. I didn't know if it was supposed to
be that way or not, but I was quite curious. Firefox tries to connect to
http://www..google.com . (click it and see)

Firefox will also try to connect to http://www.*.google.com .

On the blackhole DNS discussion boards, there were users reporting seeing
wildcard (*) DNS entries in phishing emails. Additionally, Yahoo and Flash
both use wildcard DNS entries in their generated URLs. Is this SA evasion?

So as I pondered it, it seemed plausible that a phisher could create a
zero-length subdomain which would evade scanning by regex processors (like
SA) because it would not parse out as a valid URL. But the browser will
still try to connect. Is this SA evasion? Seems quite plausible.

Next up: a SA rule to detect "http://" followed by an invalid URL!

jp

--
Framework? I don't need no steenking framework!
@fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
Re: S-P-A-M Extra long domain names rule?
On Mon, 2008-04-21 at 19:35 -0400, Theo Van Dinter wrote:
> I haven't run any real statistics about this, but it's worth realizing
> that unless there's a significant number of spams that have this behavior,
> a rule probably costs more in resource use than it provides in hits.

Yeah. I didn't say anything about this being useful or not. Merely pointing
out issues with the already posted rules.

FWIW, I explicitly mentioned the rule to be untested, because I am not
running it. I can't recall ever having seen something like this in low
scoring spam. I occasionally do see 5 levels in *phishing* mail, which gets
caught without SA even touching 'em.

  guenther

> A quick:
>
>   pcregrep -ri 'http://(?:[^/.]+\.){7}'
>
> in my corpus shows about 20 spam hits in some 245000 mails. There could be
> reasons this RE wouldn't hit, but in general I wouldn't bother.

--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: S-P-A-M Extra long domain names rule?
I haven't run any real statistics about this, but it's worth realizing
that unless there's a significant number of spams that have this behavior,
a rule probably costs more in resource use than it provides in hits.

A quick:

  pcregrep -ri 'http://(?:[^/.]+\.){7}'

in my corpus shows about 20 spam hits in some 245000 mails. There could be
reasons this RE wouldn't hit, but in general I wouldn't bother.

On Tue, Apr 22, 2008 at 01:24:37AM +0200, Karsten Bräckelmann wrote:
> On Mon, 2008-04-21 at 22:16 +0200, mouss wrote:
> > untested yet:
> >
> > uri URI_DEEP5 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> > score URI_DEEP5 0.1
> >
> > uri URI_DEEP6 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> > score URI_DEEP6 1.0
> >
> > uri URI_DEEP7
> > m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> > score URI_DEEP7 2.0
>
> Beware, those are adding up. Since you didn't anchor the end of the RE
> to ($|/), whatever hits URI_DEEP7 hits the previous ones, too. Effective
> score: 3.1
>
> They don't work anyway. ;) You are testing for single chars between the
> dots. And the '-' should be first in a char class, if it is to represent
> itself. Also, I'd prefer to keep them cleaner and more readable using
> quantifiers, rather than copying parts 7 times...
>
>   uri URI_DEEP7 m,https?://([-\w]+\.){6},
>
> The above forces 6 dots, and thus "7 levels". Hits on even longer URIs,
> too -- the same constraint of adding scores applies here.
>
> Oh, and yes -- this one is untested, too. :)
>
>   guenther

--
Randomly Selected Tagline:
Hear Me, California! Tomorrow you vote. Again. Good luck, and I hope you get
the Governor you deserve.
I think it was Adlai Stevenson who said that there's nothing more inspiring
in human society than the spectacle of the democratic process being
bizarrely subverted by a well-funded partisan exploitation of a
constitutional loophole. How true that is.
- Adam Felber, http://www.felbers.net/mt/archives/001654.html
Re: S-P-A-M Extra long domain names rule?
On Tue, 2008-04-22 at 01:29 +0200, Karsten Bräckelmann wrote:
> On Mon, 2008-04-21 at 14:59 -0500, Jack Pepper wrote:
> > Maybe try these:
> >
> > describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
> > uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> > score SILLYLONGDOMAINURI 1.8
> >
> > describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> > body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
>
> The latter won't hit on correct URIs. The first part in parenthesis ends
> with a dot -- followed by a dot.

Oops. Upon re-reading the "silly" in the rule name and the "multiple dots"
in the description, this might actually have been intentional. :)

Have you ever seen these? Would it work, does any MUA or browser silently
collapse multiple dots?

  guenther
Re: S-P-A-M Extra long domain names rule?
On Mon, 2008-04-21 at 14:59 -0500, Jack Pepper wrote:
> Maybe try these:
>
> describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI 1.8
>
> describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./

The latter won't hit on correct URIs. The first part in parenthesis ends
with a dot -- followed by a dot.

  guenther
Re: S-P-A-M Extra long domain names rule?
On Mon, 2008-04-21 at 22:16 +0200, mouss wrote:
> untested yet:
>
> uri URI_DEEP5 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> score URI_DEEP5 0.1
>
> uri URI_DEEP6 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> score URI_DEEP6 1.0
>
> uri URI_DEEP7
> m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> score URI_DEEP7 2.0

Beware, those are adding up. Since you didn't anchor the end of the RE
to ($|/), whatever hits URI_DEEP7 hits the previous ones, too. Effective
score: 3.1

They don't work anyway. ;) You are testing for single chars between the
dots. And the '-' should be first in a char class, if it is to represent
itself. Also, I'd prefer to keep them cleaner and more readable using
quantifiers, rather than copying parts 7 times...

  uri URI_DEEP7 m,https?://([-\w]+\.){6},

The above forces 6 dots, and thus "7 levels". Hits on even longer URIs,
too -- the same constraint of adding scores applies here.

Oh, and yes -- this one is untested, too. :)

  guenther
Re: S-P-A-M Extra long domain names rule?
Quoting John Hardin <[EMAIL PROTECTED]>:

> Plus, you probably meant /^https?

Right you are, sir. Thx

--
Framework? I don't need no steenking framework!
@fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
Re: S-P-A-M Extra long domain names rule?
Bookworm wrote:
> I'm starting to see some new phishing/scam attempts. What I was thinking
> was that it might be worthwhile to add a rule to not so much check links,
> but count periods. Here's the example that just came in my email -
> (removing http:// ) -
>
> connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm

it doesn't resolve from here at this time, so I wonder what's the goal...

untested yet:

uri URI_LONGISH m|https?://[\w\.-]{65}|
score URI_LONGISH 3.0

uri URI_GRDNSX m|https?://[^/]*[x\d]{7}|
score URI_GRDNSX 1.5

uri URI_LONGLABEL m|http?://[^/]*\w{16}|
score URI_LONGLABEL 0.5

uri URI_DEEP5 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
score URI_DEEP5 0.1

uri URI_DEEP6 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
score URI_DEEP6 1.0

uri URI_DEEP7 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
score URI_DEEP7 2.0

> Notice that there are ten periods. That makes it be an eleventh level
> domain name? :) In general, you see fewer than four periods in a domain
> name - but I've seen this sort of behavior in spams before.
>
> Thoughts? (I'm just a general administrator. I use other people's rules,
> I haven't had time to learn to make my own)
>
> BW
Re: S-P-A-M Extra long domain names rule?
On Mon, 21 Apr 2008, Jack Pepper wrote:

> OOpsie - typo: "body" should have been "uri" in the second one.
>
> describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> uri SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8

Plus, you probably meant /^https?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Vista is at best mildly annoying and at worst makes you want to rush to
  Redmond, Wash. and rip somebody's liver out.                -- Forbes
-----------------------------------------------------------------------
 34 days until the Mars Phoenix lander arrives at Mars
Re: S-P-A-M Extra long domain names rule?
On Mon, April 21, 2008 21:59, Jack Pepper wrote:
> Maybe try these:
> describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI 1.8
>
> describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8

X-Spam-Status: No, score=-1.224 tagged_above=-20 required=5
    tests=[ADJ_URIBL_BLACK=-1, ADJ_URIBL_JP_SURBL=-1, AWL=-1.361,
    GAPPY_SUBJECT=2.001, MAILLISTS=-2.5, MIME_QP_LONG_LINE=1.819,
    RCVD_IN_DNSWL_MED=-4, SPF_PASS=-0.001, URIBL_BLACK=1.961,
    URIBL_JP_SURBL=2.857]

so surbl and uribl now hit that domain

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: S-P-A-M Extra long domain names rule?
OOpsie - typo: "body" should have been "uri" in the second one.

describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
uri SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8

jp

Quoting Jack Pepper <[EMAIL PROTECTED]>:

> Maybe try these:
>
> describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI 1.8
>
> describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8
>
> jp
>
> Quoting Bookworm <[EMAIL PROTECTED]>:
>
> > I'm starting to see some new phishing/scam attempts. What I was thinking
> > was that it might be worthwhile to add a rule to not so much check links,
> > but count periods. Here's the example that just came in my email -
> > (removing http:// ) -
> >
> > connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
> >
> > Notice that there are ten periods. That makes it be an eleventh level
> > domain name? :) In general, you see fewer than four periods in a domain
> > name - but I've seen this sort of behavior in spams before.
> >
> > Thoughts? (I'm just a general administrator. I use other people's rules,
> > I haven't had time to learn to make my own)
> >
> > BW

--
Framework? I don't need no steenking framework!
@fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
Re: S-P-A-M Extra long domain names rule?
Maybe try these:

describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels
uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
score SILLYLONGDOMAINURI 1.8

describe SILLYDOTSDOMAINURI Includes a multiple dots domain name
body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8

jp

Quoting Bookworm <[EMAIL PROTECTED]>:

> I'm starting to see some new phishing/scam attempts. What I was thinking
> was that it might be worthwhile to add a rule to not so much check links,
> but count periods. Here's the example that just came in my email -
> (removing http:// ) -
>
> connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
>
> Notice that there are ten periods. That makes it be an eleventh level
> domain name? :) In general, you see fewer than four periods in a domain
> name - but I've seen this sort of behavior in spams before.
>
> Thoughts? (I'm just a general administrator. I use other people's rules,
> I haven't had time to learn to make my own)
>
> BW

--
Framework? I don't need no steenking framework!
@fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
Re: S-P-A-M Extra long domain names rule?
On Mon, April 21, 2008 19:59, Randy Ramsdell wrote:
> I haven't, but I think a rule for this would be a good idea. I always
> write rules then check them every so often with a custom perl script.

body LOGIN_RULE /\.com\/logon\./i
score LOGIN_RULE 0.1
describe LOGIN_RULE apache does not use that as default index file

a start :)

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: S-P-A-M Extra long domain names rule?
On Mon, April 21, 2008 19:51, Bookworm wrote:
> Notice that there are ten periods. That makes it be an eleventh level
> domain name? :)

the uri is just a domain with a long tracking subdomain, it's still a domain

see 20_uri_tests.cf for an example of how to make your own rules against it :-)

> Thoughts?

http://uribl.com/

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: S-P-A-M Extra long domain names rule?
Bookworm wrote:
> I'm starting to see some new phishing/scam attempts. What I was thinking
> was that it might be worthwhile to add a rule to not so much check links,
> but count periods. Here's the example that just came in my email -
> (removing http:// ) -
>
> connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
>
> Notice that there are ten periods. That makes it be an eleventh level
> domain name? :) In general, you see fewer than four periods in a domain
> name - but I've seen this sort of behavior in spams before.
>
> Thoughts? (I'm just a general administrator. I use other people's rules,
> I haven't had time to learn to make my own)
>
> BW

I haven't, but I think a rule for this would be a good idea. I always write
rules then check them every so often with a custom perl script.
S-P-A-M Extra long domain names rule?
I'm starting to see some new phishing/scam attempts. What I was thinking
was that it might be worthwhile to add a rule to not so much check links,
but count periods. Here's the example that just came in my email -
(removing http:// ) -

connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm

Notice that there are ten periods. That makes it be an eleventh level
domain name? :) In general, you see fewer than four periods in a domain
name - but I've seen this sort of behavior in spams before.

Thoughts? (I'm just a general administrator. I use other people's rules,
I haven't had time to learn to make my own)

BW
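The rules proposed in this thread (mouss's single-char URI_DEEP5/7, guenther's quantifier rewrite, Jack Pepper's SILLYLONGDOMAINURI and SILLYDOTSDOMAINURI, John Hardin's /^https? fix) run against Bookworm's sample host, as an added Python harness that is not part of the thread. The URI_DEEP5_fixed, URI_DEEP6_fixed and URI_DEEP7_exact rules and the non-phishing sample URIs are assumed here to show guenther's score-stacking and end-anchoring points; the regexes are applied to raw URI strings, not to SpamAssassin's own URI extraction.

```python
import re

# Constructed sample URIs: "phish" is the host quoted by Bookworm; the rest are
# assumed samples that exercise the corner cases raised in the replies.
SAMPLES = {
    "phish": "http://connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv."
             "onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm",
    "normal": "https://www.example.com/index.html",
    "seven": "https://www1.eu.cdn.img.static.example.com/",        # exactly 7 labels
    "https_deep": "https://a1.b2.c3.d4.e5.f6.g7.h8.example.com/",   # 10 labels, https scheme
    "dotdot": "http://www..google.com",                             # empty label (Jack Pepper)
}

# Rule regexes as posted (this Perl syntax is also valid for Python's re), with scores.
# URI_DEEP5_fixed/URI_DEEP6_fixed/URI_DEEP7_exact are assumed rewrites illustrating
# guenther's two points: quantifiers instead of copied parts, and anchoring to ($|/).
RULES = {
    "URI_DEEP5_posted":   (r"https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.", 0.1),
    "URI_DEEP7_posted":   (r"https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.", 2.0),
    "URI_DEEP5_fixed":    (r"https?://([-\w]+\.){4}", 0.1),
    "URI_DEEP6_fixed":    (r"https?://([-\w]+\.){5}", 1.0),
    "URI_DEEP7_guenther": (r"https?://([-\w]+\.){6}", 2.0),
    "URI_DEEP7_exact":    (r"https?://([-\w]+\.){6}[-\w]+(?:/|$)", 2.0),
    "SILLYLONG_typo":     (r"^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}", 1.8),   # "http?" as posted
    "SILLYLONG_https":    (r"^https?\:\/\/([a-z0-9_\-A-Z]+\.){8,}", 1.8),  # John Hardin's fix
    "SILLYDOTS":          (r"^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\.", 1.8),
}

def evaluate(uri, names):
    """Run the named rules over one raw URI string (no SpamAssassin URI extraction)
    and return (sorted hit names, total score rounded to 2 places)."""
    hits = [n for n in names if re.search(RULES[n][0], uri)]
    return sorted(hits), round(sum(RULES[n][1] for n in hits), 2)

def label_count(uri):
    """Count host labels the way Bookworm proposed: periods plus one. Empty labels
    produced by '..' are counted too, so the caller can spot them."""
    host = re.sub(r"^https?://", "", uri).split("/", 1)[0]
    return len(host.split("."))

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:11} labels={label_count(uri):2} {evaluate(uri, list(RULES))}")
```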