-Original Message-
From: jdow [mailto:j...@earthlink.net]
{^_-} (Some of the ninjas are burned out. I have one such to my
back when we're both in the room beating away at our CPUs.)
+1 burnout. Too many things going on. Will eventually get my 232nd wind and
be back in
From: Warren Togami wtog...@redhat.com
Sent: Wednesday, 2009/September/30 21:40
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
describe T_CN_8_URL Contains a URL in the .cn domain of exactly 8
On 10/11/2009 02:07 AM, jdow wrote:
I have to admire one thing about spammers. They respond very rapidly to
threats to their ability to break through spam protection software. You
became curious and mentioned this on the date above. Spammers are already
using 7 character names.cn.
{^_-}
Yes,
Hi!
7263 T_CN_URL hits in 15517 spam corpus
7200 T_CN_8_URL hits in 15517 spam corpus
Does this make any sense? This is funny. Could someone add this rule to
the sandbox? I'm just curious.
I have to admire one thing about spammers. They respond very rapidly to
threats to their ability
From: Raymond Dijkxhoorn raym...@prolocation.net
Sent: Sunday, 2009/October/11 02:48
Hi!
7263 T_CN_URL hits in 15517 spam corpus
7200 T_CN_8_URL hits in 15517 spam corpus
Does this make any sense? This is funny. Could someone add this rule
to the sandbox? I'm just curious.
I have to
Hi!
So I am quite aware of losing good rules. HOWEVER, as he found out WE
keep the old rules and add new ones and his keyhole through which he
could squeeze his spam decreased. It's still decreasing, although at a
slower rate due to the relative inactivity of the SARE ninjas.
Most Ninja's
On søn 11 okt 2009 11:48:11 CEST, Raymond Dijkxhoorn wrote
We use some rules if we talk open about it and say hey this spammer
is stupid look here, then it will take less then 12 hours and that
gap is closed and we loose a valuable trick.
yes its the way it is, spammers can also read
Hi,
We use some rules if we talk open about it and say hey this spammer is
stupid look here, then it will take less then 12 hours and that gap is
closed and we loose a valuable trick.
yes its the way it is, spammers can also read maillists and adapt there
spamming rules to get bypassed
It
From: MySQL Student mysqlstud...@gmail.com
Sent: Sunday, 2009/October/11 09:08
Hi,
We use some rules if we talk open about it and say hey this spammer is
stupid look here, then it will take less then 12 hours and that gap is
closed and we loose a valuable trick.
yes its the way it is,
On 10/04/2009 12:21 AM, John Hardin wrote:
On Sat, 3 Oct 2009, Warren Togami wrote:
On 10/03/2009 07:50 PM, Adam Katz wrote:
8 is *extremely* important in Chinese culture. When running these
tests, make sure that there is a good quantity of .cn TLD URIs in the
ham before drawing any
On Sun, 2009-10-04 at 09:59 -0400, Warren Togami wrote:
On 10/04/2009 12:21 AM, John Hardin wrote:
Right, in adding things to the sandbox it does not necessarily mean I
suggest they should become rules. I am mainly curious to see what the
results say.
Warning: autopromotion
Is
On Sun, 4 Oct 2009, Karsten Br?ckelmann wrote:
On Sun, 2009-10-04 at 09:59 -0400, Warren Togami wrote:
On 10/04/2009 12:21 AM, John Hardin wrote:
Right, in adding things to the sandbox it does not necessarily mean I
suggest they should become rules. I am mainly curious to see what the
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly 8
characters long.
Are there any other .cn domain formats (like {8}.com.cn) that would be of
interest? I was
On 10/04/2009 04:07 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly
8 characters long.
Are there any other .cn domain formats (like
On Sun, 4 Oct 2009, Warren Togami wrote:
On 10/04/2009 04:07 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly
8 characters long.
On 10/01/2009 02:36 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly
8 characters long. Could someone please commit my T_CN_8_URL rule to
the
Warren Togami wrote:
On 10/01/2009 02:36 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly
8 characters long. Could someone please commit my
On Sat, 3 Oct 2009, Ned Slider wrote:
Warren Togami wrote:
On 10/01/2009 02:36 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is
not prevalence of .cn URI's, but rather most of them appear to be
On Sat, 3 Oct 2009, Warren Togami wrote:
On 10/01/2009 02:36 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly
8 characters long.
On Sat, Oct 3, 2009 at 11:06, Warren Togami wtog...@redhat.com wrote:
# 8-letter .cn domain, per Warren Togami
uri CN_EIGHT m;^https?://(?:[^./]+\.)*[^./]{8}\.cn/;
describe CN_EIGHT .CN uri with eight-letter domain name
score CN_EIGHT
On 10/03/2009 05:08 PM, John Hardin wrote:
On Sat, 3 Oct 2009, Warren Togami wrote:
On 10/01/2009 02:36 PM, John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them
On Sat, 3 Oct 2009, John Rudd wrote:
On Sat, Oct 3, 2009 at 11:06, Warren Togami wtog...@redhat.com wrote:
# 8-letter .cn domain, per Warren Togami
uri CN_EIGHT m;^https?://(?:[^./]+\.)*[^./]{8}\.cn/;
describe CN_EIGHT .CN uri with eight-letter domain
On Sat, Oct 3, 2009 at 15:55, John Hardin jhar...@impsec.org wrote:
On Sat, 3 Oct 2009, John Rudd wrote:
On Sat, Oct 3, 2009 at 11:06, Warren Togami wtog...@redhat.com wrote:
# 8-letter .cn domain, per Warren Togami
uri CN_EIGHT
m;^https?://(?:[^./]+\.)*[^./]{8}\.cn/;
describe
On Sat, 3 Oct 2009, Warren Togami wrote:
Can't trust those results yet. The trailing slash bug, and John Rudd
might be correct about whitespace?
I doubt whitespace will be a problem. That would break the parser before
it even got to the rule, and while dom%20name.cn might be syntactically
Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly 8
characters long. Could someone please commit my T_CN_8_URL rule to the
sandbox so we can see if that trend holds beyond my own corpa?
On 10/03/2009 07:50 PM, Adam Katz wrote:
8 is *extremely* important in Chinese culture. When running these
tests, make sure that there is a good quantity of .cn TLD URIs in the
ham before drawing any conclusions.
Right, in adding things to the sandbox it does not necessarily mean I
suggest
On 10/03/2009 07:11 PM, John Hardin wrote:
[^./]{8}\.cn
Actually, doesn't this match other characters that shouldn't be in a
domain name?
...is _anything_ (apart from periods) excluded from domain names these
days? :)
Changed to \w{8} for testing. Can you provide examples of needing more
On Sat, 3 Oct 2009, Warren Togami wrote:
On 10/03/2009 07:50 PM, Adam Katz wrote:
8 is *extremely* important in Chinese culture. When running these
tests, make sure that there is a good quantity of .cn TLD URIs in the
ham before drawing any conclusions.
Right, in adding things to the
On Sat, 3 Oct 2009, Warren Togami wrote:
On 10/03/2009 07:11 PM, John Hardin wrote:
[^./]{8}\.cn
Actually, doesn't this match other characters that shouldn't be in a
domain name?
...is _anything_ (apart from periods) excluded from domain names these
days? :)
Changed to \w{8} for
Hi All,
Regarding the .cn oddity, I added these to my rules, and of about 79k
messages today so far, I have the following:
uri LOC_URI_CN m;^https?://[^/?]+\.cn\b;
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
LOC_URI_CN: 2926
T_CN_8_URL: 1634
HTH,
Alex
On Thu, 1 Oct 2009, Warren Togami wrote:
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
describe T_CN_8_URL Contains a URL in the .cn domain of exactly 8 characters
long
John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
describe T_CN_8_URL Contains a URL in the .cn domain of exactly 8
characters long
On Thu, 1 Oct 2009, Ned Slider wrote:
John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
describe T_CN_8_URL Contains a URL in
On tor 01 okt 2009 18:26:01 CEST, John Hardin wrote
m;^https?://[^/?]+\.cn\b;
replace ; with / no ?
m/\bhttps?://[^/?]+\.cn\b/i
--
xpoint
From: John Hardin jhar...@impsec.org
Sent: Thursday, 2009/October/01 09:26
On Thu, 1 Oct 2009, Ned Slider wrote:
John Hardin wrote:
On Thu, 1 Oct 2009, Warren Togami wrote:
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
uri T_CN_8_URL
On Thu, 1 Oct 2009, Benny Pedersen wrote:
On tor 01 okt 2009 18:26:01 CEST, John Hardin wrote
m;^https?://[^/?]+\.cn\b;
replace ; with / no ?
m/\bhttps?://[^/?]+\.cn\b/i
No. The point to m; is so that you can embed / in the RE without escaping
them. You are changing the RE delimiters.
On Thu, 1 Oct 2009, jdow wrote:
From: John Hardin jhar...@impsec.org
Yours may still hit .cn in the path part. May I suggest:
m;^https?://[^/?]+\.cn\b;
Regardless of their correctness, would you care to expound on the success
of these two rules, John? I like what works not
On 10/01/2009 01:05 PM, John Hardin wrote:
On Thu, 1 Oct 2009, jdow wrote:
From: John Hardin jhar...@impsec.org
Yours may still hit .cn in the path part. May I suggest:
m;^https?://[^/?]+\.cn\b;
Regardless of their correctness, would you care to expound on the success
of these two rules,
On 10/01/2009 01:16 PM, Warren Togami wrote:
On 10/01/2009 01:05 PM, John Hardin wrote:
On Thu, 1 Oct 2009, jdow wrote:
From: John Hardin jhar...@impsec.org
Yours may still hit .cn in the path part. May I suggest:
m;^https?://[^/?]+\.cn\b;
Regardless of their correctness, would you care
Warren Togami wrote:
On 10/01/2009 01:05 PM, John Hardin wrote:
On Thu, 1 Oct 2009, jdow wrote:
From: John Hardin jhar...@impsec.org
Yours may still hit .cn in the path part. May I suggest:
m;^https?://[^/?]+\.cn\b;
Regardless of their correctness, would you care to expound on the
From: Warren Togami wtog...@redhat.com
Sent: Thursday, 2009/October/01 10:24
On 10/01/2009 01:16 PM, Warren Togami wrote:
On 10/01/2009 01:05 PM, John Hardin wrote:
On Thu, 1 Oct 2009, jdow wrote:
From: John Hardin jhar...@impsec.org
Yours may still hit .cn in the path part. May I
From: Ned Slider n...@unixmail.co.uk
Sent: Thursday, 2009/October/01 10:48
Warren Togami wrote:
On 10/01/2009 01:05 PM, John Hardin wrote:
On Thu, 1 Oct 2009, jdow wrote:
From: John Hardin jhar...@impsec.org
Yours may still hit .cn in the path part. May I suggest:
On Thu, 1 Oct 2009, Warren Togami wrote:
The Oddity I was pointing out at the beginning of the thread is not
prevalence of .cn URI's, but rather most of them appear to be exactly 8
characters long. Could someone please commit my T_CN_8_URL rule to the
sandbox so we can see if that trend
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
uri T_CN_8_URL /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
describe T_CN_8_URL Contains a URL in the .cn domain of exactly 8
characters long
http://ruleqa.spamassassin.org/20090930-r820211-n/T_CN_URL/detail
44 matches
Mail list logo