Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Theo Van Dinter
On Mon, Apr 21, 2008 at 10:26:02PM -0500, Jack Pepper wrote:
> I saw one of these in a phishing email.  I didn't know if it was  
> supposed to be that way or not, but I was quite curious.  Firefox  
> tries to connect to http://www..google.com . (click it and see)

"Firefox can't find the server at www..google.com."

Doesn't seem like a good tactic.

> Firefox will also try to connect to http://www.*.google.com .

"Firefox can't find the server at www.*.google.com."

> So as I pondered it, it seemed plausible that a phisher could create a  
> zero-length subdomain which would evade scanning by regex processors  
> (like SA) because it would not parse out as a valid URL.  But the  
> browser will still try to connect.  Is this SA evasion?  Seems quite  
> plausible.

Doesn't work.  I put "http://www..google.com" in both text/plain and
text/html, SA finds it and parses out "google.com".

SA found "http://www.*.google.com", domain of google.com, as a text/html href.
It doesn't find it as a parsed URL.

-- 
Randomly Selected Tagline:
 Zoidberg: So many memories, so many strange fluids gushing out 
of patients' bodies




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper

Quoting Karsten Bräckelmann <[EMAIL PROTECTED]>:

> > describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
> > body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
>
> Have you ever seen these? Would it work, does any MUA or browser
> silently collapse multiple dots?

I saw one of these in a phishing email.  I didn't know if it was
supposed to be that way or not, but I was quite curious.  Firefox
tries to connect to http://www..google.com . (click it and see)

Firefox will also try to connect to http://www.*.google.com .  On the
blackhole DNS discussion boards, there were users reporting seeing
wildcard (*) DNS entries in phishing emails.  Additionally, Yahoo and
Flash both use wildcard DNS entries in their generated URLs. Is this
SA evasion?

So as I pondered it, it seemed plausible that a phisher could create a
zero-length subdomain which would evade scanning by regex processors
(like SA) because it would not parse out as a valid URL.  But the
browser will still try to connect.  Is this SA evasion?  Seems quite
plausible.

Next up:  a SA rule to detect "http://" followed by an invalid URL!

jp



--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Mon, 2008-04-21 at 19:35 -0400, Theo Van Dinter wrote:
> I haven't run any real statistics about this, but it's worth realizing
> that unless there's a significant number of spams that have this behavior,
> a rule probably costs more in resource use than it provides in hits.

Yeah. I didn't say anything about this being useful or not. Merely
pointing out issues with the already posted rules.

FWIW, I explicitly mentioned the rule to be untested, because I am not
running it. I can't recall ever having seen something like this in low
scoring spam. I occasionally do see 5 levels in *phishing* mail, which
gets caught without SA even touching 'em.

  guenther


> A quick:
> 
> pcregrep -ri 'http://(?:[^/.]+\.){7}'
> 
> in my corpus shows about 20 spam hits in some 245000 mails.  There could be
> reasons this RE wouldn't hit, but in general I wouldn't bother.

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Theo Van Dinter
I haven't run any real statistics about this, but it's worth realizing
that unless there's a significant number of spams that have this behavior,
a rule probably costs more in resource use than it provides in hits.

A quick:

pcregrep -ri 'http://(?:[^/.]+\.){7}'

in my corpus shows about 20 spam hits in some 245000 mails.  There could be
reasons this RE wouldn't hit, but in general I wouldn't bother.

On Tue, Apr 22, 2008 at 01:24:37AM +0200, Karsten Bräckelmann wrote:
> On Mon, 2008-04-21 at 22:16 +0200, mouss wrote:
> > untested yet:
> 
> > uri  URI_DEEP5   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> > score  URI_DEEP5   0.1
> > 
> > uri  URI_DEEP6   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> > score  URI_DEEP6   1.0
> > 
> > uri  URI_DEEP7   
> > m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> > score  URI_DEEP7   2.0
> 
> Beware, those are adding up. Since you didn't anchor the end of the RE
> to ($|/), whatever hits URI_DEEP7 hits the previous ones, too. Effective
> score: 3.1
> 
> They don't work anyway. ;)  You are testing for single chars between the
> dots. And the '-' should be first in a char class, if it is to represent
> itself. Also, I'd prefer to keep them cleaner and more readable using
> quantifiers, rather than copying parts 7 times...
> 
> uri  URI_DEEP7  m,https?://([-\w]+\.){6},
> 
> The above forces 6 dots, and thus "7 levels". Hits on even longer URIs,
> too -- the same constraint of adding scores applies here.
> 
> Oh, and yes -- this one is untested, too. :)
> 
>   guenther
> 
> 

-- 
Randomly Selected Tagline:
Hear Me, California!  Tomorrow you vote.  Again.  Good luck, and I hope
 you get the Governor you deserve.  I think it was Adlai Stevenson who said
 that there's nothing more inspiring in human society than the spectacle
 of the democratic process being bizarrely subverted by a well-funded
 partisan exploitation of a constitutional loophole.  How true that is.
 - Adam Felber, http://www.felbers.net/mt/archives/001654.html




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Tue, 2008-04-22 at 01:29 +0200, Karsten Bräckelmann wrote:
> On Mon, 2008-04-21 at 14:59 -0500, Jack Pepper wrote:
> > Maybe try these:
> > 
> > describe SILLYLONGDOMAINURI  Includes a very long domain name gt 8 levels
> > uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> > score SILLYLONGDOMAINURI  1.8
> > 
> > describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
> > body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> 
> The latter won't hit on correct URIs. The first part in parenthesis ends
> with a dot -- followed by a dot.

Oops. Upon re-reading the "silly" in the rule name and the "multiple
dots" in the description, this might actually have been intentional. :)

Have you ever seen these? Would it work, does any MUA or browser
silently collapse multiple dots?

  guenther





Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Mon, 2008-04-21 at 14:59 -0500, Jack Pepper wrote:
> Maybe try these:
> 
> describe SILLYLONGDOMAINURI  Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI  1.8
> 
> describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./

The latter won't hit on correct URIs. The first part in parenthesis ends
with a dot -- followed by a dot.

  guenther





Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Mon, 2008-04-21 at 22:16 +0200, mouss wrote:
> untested yet:

> uri  URI_DEEP5   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> score  URI_DEEP5   0.1
> 
> uri  URI_DEEP6   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> score  URI_DEEP6   1.0
> 
> uri  URI_DEEP7   
> m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
> score  URI_DEEP7   2.0

Beware, those are adding up. Since you didn't anchor the end of the RE
to ($|/), whatever hits URI_DEEP7 hits the previous ones, too. Effective
score: 3.1

They don't work anyway. ;)  You are testing for single chars between the
dots. And the '-' should be first in a char class, if it is to represent
itself. Also, I'd prefer to keep them cleaner and more readable using
quantifiers, rather than copying parts 7 times...

uri  URI_DEEP7  m,https?://([-\w]+\.){6},

The above forces 6 dots, and thus "7 levels". Hits on even longer URIs,
too -- the same constraint of adding scores applies here.

Oh, and yes -- this one is untested, too. :)

  guenther


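To make the points above concrete, here is an added Python illustration (not code from the thread or from SpamAssassin) that transcribes the posted rules into Python's re syntax and runs them over constructed sample URIs, including the phishing host quoted earlier in the thread. It shows that the single-char URI_DEEP patterns miss the real phish, that the quantified rewrite hits, and that any rule not anchored at the end of the host stacks with the others. The rule names and scores are the thread's; the sample URIs, `score_uri` and `label_depth` are mine.

```python
import re

# The rules posted in this thread, transcribed into Python's re syntax
# (this is an added illustration, not SpamAssassin code). URI_DEEP5..7 are
# mouss's originals, URI_DEEP7_QUANT is Karsten's quantifier rewrite, and
# the SILLY* rules are Jack's with the "https?" fix John pointed out.
SINGLE = r"[\w-]\."  # exactly ONE word char or '-', then a dot
RULES = {
    "URI_DEEP5":          (re.compile(r"https?://" + SINGLE * 5), 0.1),
    "URI_DEEP6":          (re.compile(r"https?://" + SINGLE * 6), 1.0),
    "URI_DEEP7":          (re.compile(r"https?://" + SINGLE * 7), 2.0),
    "URI_DEEP7_QUANT":    (re.compile(r"https?://([-\w]+\.){6}"), 2.0),
    "SILLYLONGDOMAINURI": (re.compile(r"^https?://([a-z0-9_\-A-Z]+\.){8,}"), 1.8),
    "SILLYDOTSDOMAINURI": (re.compile(r"^https?://([a-z0-9_\-A-Z]+\.)+\."), 1.8),
}

def score_uri(uri):
    """Apply every rule to one URI, the way SA applies 'uri' rules to each
    extracted URI; return (sorted names of rules that hit, summed score).
    Nothing here stops several rules hitting the same URI, which is the
    score stacking Karsten warns about."""
    hits = sorted(name for name, (rx, _) in RULES.items() if rx.search(uri))
    return hits, round(sum(RULES[n][1] for n in hits), 2)

def label_depth(uri):
    """Count host 'levels' as the thread does: dots + 1. An empty label
    (the www..google.com case) counts too, since that is what a regex sees."""
    host = re.match(r"https?://([^/?#]*)", uri).group(1)
    return host.count(".") + 1

# Constructed sample URIs: the phishing host quoted in the thread, a plain
# legitimate one, the double-dot case, and a host made of single-char labels.
PHISH = ("http://connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq."
         "secureserv.onlineupdatemirror81105.colonial.certificate.update."
         "65tw.com/logon.htm")
LEGIT = "http://www.mail.corp.example.com/"
DOTDOT = "http://www..google.com"
SINGLES = "http://a.b.c.d.e.f.g.example.com/"

if __name__ == "__main__":
    for uri in (PHISH, LEGIT, DOTDOT, SINGLES):
        print(label_depth(uri), score_uri(uri), uri)
```

Note that only the contrived single-char host trips URI_DEEP5, 6 and 7 at once (0.1 + 1.0 + 2.0 = 3.1 on top of everything else), while the real eleven-level phish is caught by the quantified rule and SILLYLONGDOMAINURI alone.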



Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper

Quoting John Hardin <[EMAIL PROTECTED]>:

> Plus, you probably meant /^https?

right you are, sir.  thx

--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread mouss

Bookworm wrote:

> I'm starting to see some new phishing/scam attempts.
>
> What I was thinking was that it might be worthwhile to add a rule to
> not so much check links, but count periods.
>
> Here's the example that just came in my email -
>
> (removing http:// ) -
> connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm

it doesn't resolve from here at this time, so I wonder what's the goal...

untested yet:

uri   URI_LONGISH m|https?://[\w\.-]{65}|
score   URI_LONGISH   3.0

uri  URI_GRDNSX m|https?://[^/]*[x\d]{7}|
score   URI_GRDNSX  1.5

uri  URI_LONGLABEL m|http?://[^/]*\w{16}|
score   URI_LONGLABEL  0.5

uri  URI_DEEP5   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
score  URI_DEEP5   0.1

uri  URI_DEEP6   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
score  URI_DEEP6   1.0

uri  URI_DEEP7   m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.|
score  URI_DEEP7   2.0

> Notice that there are ten periods.  That makes it be an eleventh level
> domain name? :)
>
> In general, you see fewer than four periods in a domain name - but
> I've seen this sort of behavior in spams before.
>
> Thoughts?
>
> (I'm just a general administrator.  I use other people's rules, I
> haven't had time to learn to make my own)
>
> BW





Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread John Hardin

On Mon, 21 Apr 2008, Jack Pepper wrote:

> OOpsie - typo:
>
> "body" should have been "uri" in the second one.
>
> describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
> uri SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8

Plus, you probably meant /^https?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.  -- Forbes
---
 34 days until the Mars Phoenix lander arrives at Mars


Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Benny Pedersen

On Mon, April 21, 2008 21:59, Jack Pepper wrote:
> Maybe try these:
> describe SILLYLONGDOMAINURI  Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI  1.8
>
> describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8

X-Spam-Status: No, score=-1.224 tagged_above=-20 required=5
 tests=[ADJ_URIBL_BLACK=-1, ADJ_URIBL_JP_SURBL=-1, AWL=-1.361,
 GAPPY_SUBJECT=2.001, MAILLISTS=-2.5, MIME_QP_LONG_LINE=1.819,
 RCVD_IN_DNSWL_MED=-4, SPF_PASS=-0.001, URIBL_BLACK=1.961,
 URIBL_JP_SURBL=2.857]


so surbl and uribl now hit that domain


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper

OOpsie - typo:

"body" should have been "uri" in the second one.


describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
uri SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8


jp
Quoting Jack Pepper <[EMAIL PROTECTED]>:

> Maybe try these:
>
> describe SILLYLONGDOMAINURI  Includes a very long domain name gt 8 levels
> uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
> score SILLYLONGDOMAINURI  1.8
>
> describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
> body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
> score SILLYDOTSDOMAINURI 1.8
>
> jp
>
> Quoting Bookworm <[EMAIL PROTECTED]>:
>
> > I'm starting to see some new phishing/scam attempts.
> >
> > What I was thinking was that it might be worthwhile to add a rule
> > to not so much check links, but count periods. Here's the example
> > that just came in my email -
> >
> > (removing http:// ) -
> > connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
> >
> > Notice that there are ten periods.  That makes it be an eleventh
> > level domain name? :)
> >
> > In general, you see fewer than four periods in a domain name - but
> > I've seen this sort of behavior in spams before. Thoughts?
> >
> > (I'm just a general administrator.  I use other people's rules, I
> > haven't had time to learn to make my own)
> >
> > BW
>
> --
> Framework?  I don't need no steenking framework!
>
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper



Maybe try these:

describe SILLYLONGDOMAINURI  Includes a very long domain name gt 8 levels
uri SILLYLONGDOMAINURI  /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/
score SILLYLONGDOMAINURI  1.8

describe SILLYDOTSDOMAINURI  Includes a multiple dots domain name
body SILLYDOTSDOMAINURI   /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./
score SILLYDOTSDOMAINURI 1.8

jp


Quoting Bookworm <[EMAIL PROTECTED]>:

> I'm starting to see some new phishing/scam attempts.
>
> What I was thinking was that it might be worthwhile to add a rule to
> not so much check links, but count periods. Here's the example that
> just came in my email -
>
> (removing http:// ) -
> connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
>
> Notice that there are ten periods.  That makes it be an eleventh
> level domain name? :)
>
> In general, you see fewer than four periods in a domain name - but
> I've seen this sort of behavior in spams before. Thoughts?
>
> (I'm just a general administrator.  I use other people's rules, I
> haven't had time to learn to make my own)
>
> BW




--
Framework?  I don't need no steenking framework!


@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com




Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Benny Pedersen

On Mon, April 21, 2008 19:59, Randy Ramsdell wrote:

> I haven't, but I think a rule for this would be a good idea. I always
> write rules then check them every so often with a custom perl script.

body LOGIN_RULE /\.com\/logon\./i
score LOGIN_RULE 0.1
describe LOGIN_RULE apache does not use that as default index file

a start :)


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Benny Pedersen

On Mon, April 21, 2008 19:51, Bookworm wrote:

> Notice that there are ten periods.  That makes it be an eleventh level
> domain name? :)

the uri is just a domain with long tracking subdomain, its still a domain

see 20_uri_tests.cf for example on make your own rules against it :-)

> Thoughts?

http://uribl.com/



Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Randy Ramsdell

Bookworm wrote:

> I'm starting to see some new phishing/scam attempts.
>
> What I was thinking was that it might be worthwhile to add a rule to
> not so much check links, but count periods.
>
> Here's the example that just came in my email -
>
> (removing http:// ) -
> connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm
>
> Notice that there are ten periods.  That makes it be an eleventh level
> domain name? :)
>
> In general, you see fewer than four periods in a domain name - but
> I've seen this sort of behavior in spams before.
>
> Thoughts?
>
> (I'm just a general administrator.  I use other people's rules, I
> haven't had time to learn to make my own)
>
> BW

I haven't, but I think a rule for this would be a good idea. I always 
write rules then check them every so often with a custom perl script.


S-P-A-M Extra long domain names rule?

2008-04-21 Thread Bookworm

I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not 
so much check links, but count periods. 


Here's the example that just came in my email -

(removing http:// ) - 
connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm


Notice that there are ten periods.  That makes it be an eleventh level 
domain name? :)


In general, you see fewer than four periods in a domain name - but I've 
seen this sort of behavior in spams before. 


Thoughts?

(I'm just a general administrator.  I use other people's rules, I 
haven't had time to learn to make my own)


BW