On Tue, 2009-02-24 at 17:59 +0100, Per Jessen wrote:
> Karsten Bräckelmann wrote:

> Yeah, I guess I was in a hurry - but actually, they barely hit anything,
> only DKIM_SIGNED and DKIM_VERIFIED.  I've added my own rule:
> 
> uri      PJ_GOOGLEGRP_DODGYURI  m'www\.google\.com/.*\.\..*/group/'i

> which catches some, but none of the examples.

It *does* catch your examples 1, 2, 3 and 6. Moreover with your score of
4, that makes it identified spam.

        *  4.0 PJ_GOOGLEGRP_DODGYURI URI: PJ_GOOGLEGRP_DODGYURI
        *  2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO


> > Given *these* samples (still don't know about Johann's though), I'd go
> > the same way as Jason and Ned. Not scoring a whopping 5, but creating
> > a bunch of specialized, moderately scoring rules. I've done that in
> > the past often enough.
> 
> Yeah, me too - the problem with these are that you really need to do
> what Johann suggested and fetch them to get the redirect.  Which is out
> of the question whilst the email is being processed.  I'm thinking of
> maybe doing a temp reject after end-of-DATA and then checking the URL
> off-line.

I still strongly advise against fetching URIs. Unless, maybe, for some
very specific ones, ensuring they don't verify the recipient's address in
any way.

Given the question mark in some of the samples -- is there any way for
google group managers to get these stats? If so, that makes it one cool
way to phone home and match addresses against IDs.


> > However, there are some highly abusive patterns sticking out. A google
> > URI with a ../ in the path? Sure! Score 2. :) 

> > Alternating alpha and 
> > numbers might be worth another point. A question mark in a google
> > groups URI? Punish that.
> 
> Good point, I hadn't spotted that one. 

Nice to see it helped spotting the problem and fixing such a rule. :)
(According to your follow-up.)

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
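
Added example (not part of the original message or written by anyone in the thread): the "several moderately scoring rules" approach discussed above, applied to the URI string alone so nothing is ever fetched. The GG_* rule names, the two 1.0 scores and the sample URIs are assumptions constructed for illustration; only the rule pattern and the score of 2 for "../" come from the thread.

```python
import re
from urllib.parse import urlsplit

# Rule from the thread, same pattern in Python syntax (the /i flag becomes re.I).
PJ_GOOGLEGRP_DODGYURI = re.compile(r"www\.google\.com/.*\.\..*/group/", re.I)

# Assumed definition of "alternating alpha and numbers": at least three
# letter-run/digit-run pairs in a row somewhere in the path.
ALNUM_RUNS = re.compile(r"(?:[a-z]+[0-9]+){3,}", re.I)


def is_google_host(host):
    """True for google.com and its subdomains, not for look-alike hosts."""
    return host == "google.com" or host.endswith(".google.com")


def score_uri(uri):
    """Return (total, hits) for one URI using string checks only (no fetch)."""
    parts = urlsplit(uri)          # urlsplit does not collapse "../" segments
    host = (parts.hostname or "").lower()
    hits = []
    if not is_google_host(host):
        return 0.0, hits
    if "/../" in parts.path:       # score 2 is the figure given in the thread
        hits.append(("GG_DOTDOT_PATH", 2.0))
    if ALNUM_RUNS.search(parts.path):          # assumed score
        hits.append(("GG_ALNUM_ALTERNATING", 1.0))
    if "/group/" in parts.path.lower() and "?" in uri:   # assumed score
        hits.append(("GG_GROUP_QUERY", 1.0))
    return sum(score for _, score in hits), hits


# Constructed sample URIs, not taken from the messages discussed in the thread.
SAMPLES = [
    "http://www.google.com/url/../group/ab12cd34ef56?hl=en",
    "http://groups.google.com/group/spamassassin-users",
    "http://www.google.com/search?q=group",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        total, hits = score_uri(uri)
        rule = "hit" if PJ_GOOGLEGRP_DODGYURI.search(uri) else "miss"
        print(f"{total:4.1f}  PJ_GOOGLEGRP_DODGYURI={rule}  {uri}")
        for name, score in hits:
            print(f"        * {score:4.1f} {name}")
```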
