Re: The googolbees are getting craftier
On Mon, 21 Jan 2008, John D. Hardin wrote:

> m,https?://(?:[^\./]+\.)*goo+gle(?:pages)?\.(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.*[?](?:btni|adurl),i

If I understand that pattern, both the '*' are 'unbounded'???
This might 'break' your spamfilter, if spamassassin gobbles up
all memory during analysis.

Better replace any unbounded '*' by reasonable length {0,N},
with N a little more than the seen strings.

Stucki

-- 
Christoph von Stuckrad * * |nickname |[EMAIL PROTECTED] \
Freie Universitaet Berlin |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Mathematik Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/

Re: The googolbees are getting craftier
On Tue, 2008-01-22 at 13:01 +0100, Chr. v. Stuckrad wrote:

> On Mon, 21 Jan 2008, John D. Hardin wrote:
>
>> m,https?://(?:[^\./]+\.)*goo+gle(?:pages)?\.(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.*[?](?:btni|adurl),i
>
> If I understand that pattern, both the '*' are 'unbounded'???
> This might 'break' your spamfilter, if spamassassin gobbles up
> all memory during analysis.
>
> Better replace any unbounded '*' by reasonable length {0,N},
> with N a little more than the seen strings.

You've snipped the beginning of the rule definition. It's an uri rule,
and thus the RE will be matched against identified URIs of the mail body
only -- which by itself usually is rather bounded. :)

guenther

-- 
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: The googolbees are getting craftier
On Tue, 22 Jan 2008, Chr. v. Stuckrad wrote:

> On Mon, 21 Jan 2008, John D. Hardin wrote:
>
>> m,https?://(?:[^\./]+\.)*goo+gle(?:pages)?\.(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.*[?](?:btni|adurl),i
>
> If I understand that pattern, both the '*' are 'unbounded'???
> This might 'break' your spamfilter, if spamassassin gobbles up
> all memory during analysis.
>
> Better replace any unbounded '*' by reasonable length {0,N},
> with N a little more than the seen strings.

You're correct, but consider: it's unbounded *within the URI*. If this
was a body or rawbody rule I would *definitely* have bounded them.

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]  FALaholic #11174  pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
To prevent conflict and violence from undermining development,
effective disarmament programmes are vital...
-- the UN, who doesn't want to confiscate guns
---
5 days until the 41st anniversary of the loss of Apollo 1

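Added example, not written by any poster in this thread: the rule's regex as posted beside a variant with both `*` bounded, run in Python over constructed URIs (the scope a uri rule sees) and over one constructed long line of body text. The limits 8 and 256, the names, and every sample string are assumptions chosen for illustration.

```python
import re

# Rule regex exactly as posted in the thread (Perl m,...,i delimiters dropped).
POSTED = re.compile(
    r"https?://(?:[^\./]+\.)*goo+gle(?:pages)?\."
    r"(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.*[?](?:btni|adurl)", re.I)

# Same rule with both '*' bounded, as the first reply suggests.
# MAX_LABELS and MAX_PATH are assumptions for this example, not list values.
MAX_LABELS, MAX_PATH = 8, 256
BOUNDED = re.compile(
    r"https?://(?:[^\./]+\.){0,%d}goo+gle(?:pages)?\."
    r"(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.{0,%d}[?](?:btni|adurl)"
    % (MAX_LABELS, MAX_PATH), re.I)

# Constructed sample data (not taken from real mail).
TARGET = "http://redirect-target.example/"
URIS = [
    "http://www.google.com/url?adurl=" + TARGET,    # redirect parameter
    "http://google.co.uk///pagead/iclk?btni=1",     # redirect parameter
    "http://www.google.com/search?q=spamassassin",  # ordinary search link
]
# One long body line: harmless URI, filler text, then an unrelated "?adurl".
BODY_LINE = "see http://www.google.com/ " + "x " * 3000 + "what is ?adurl"

def match_len(rule, text):
    """Length of the text the rule consumes, or 0 if it does not match."""
    m = rule.search(text)
    return len(m.group(0)) if m else 0

def compare():
    """Verdicts per extracted URI, then match length on the raw body line."""
    per_uri = [(bool(POSTED.search(u)), bool(BOUNDED.search(u))) for u in URIS]
    return per_uri, match_len(POSTED, BODY_LINE), match_len(BOUNDED, BODY_LINE)

if __name__ == "__main__":
    per_uri, posted_body, bounded_body = compare()
    for uri, verdict in zip(URIS, per_uri):
        print(verdict, uri)
    print("body line: unbounded matched", posted_body, "chars, bounded", bounded_body)
```

On the per-URI inputs both forms give the same verdicts; on the long body line only the unbounded `.*` stretches across the filler to reach the stray `?adurl`.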
Re: The googolbees are getting craftier
Whoops! Just noticed I didn't send this to the list after all...

On Fri, 18 Jan 2008, John D. Hardin wrote:

> On Fri, 18 Jan 2008, Loren Wilton wrote:
>
>> I guess btnl is no longer working. Now they are doing a redirect:
>>
>> http://google.co.uk///pagead/iclk?sa=lai=livermorenum=970adurl=http://christmas-low-rate.tw?beast
>
> Combined rule:
>
> uri GOOG_MALWARE_URI m,https?://(?:[^\./]+\.)*goo+gle(?:pages)?\.(?:[a-z][a-z][a-z]?(?:\.[a-z][a-z])?)/+.*[?](?:btni|adurl),i

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]  FALaholic #11174  pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Vista security improvements consist of attempting to shift blame
onto the user when things go wrong.
---
Today: John Moses Browning's 153rd Birthday

The googolbees are getting craftier
I guess btnl is no longer working. Now they are doing a redirect:

http://google.co.uk///pagead/iclk?sa=lai=livermorenum=970adurl=http://christmas-low-rate.tw?beast

Loren

Re: The googolbees are getting craftier
Quoting Justin Mason [EMAIL PROTECTED]:

> the redirect detection should have no problem finding that...

And the redirected-to domain is on two SURBL blacklists, so it should be hitting.

Jeff C.

> Loren Wilton writes:
>
>> I guess btnl is no longer working. Now they are doing a redirect:
>>
>> http://google.co.uk///pagead/iclk?sa=lai=livermorenum=970adurl=http://-low-rate.tw?beast
>>
>> Loren

Re: The googolbees are getting craftier
the redirect detection should have no problem finding that...

Loren Wilton writes:

> I guess btnl is no longer working. Now they are doing a redirect:
>
> http://google.co.uk///pagead/iclk?sa=lai=livermorenum=970adurl=http://-low-rate.tw?beast
>
> Loren