Right: the suggested pattern is working great, but there are some
variants as KAM says.

However, I sense that these are not the same bots. The one with the "date
in body" is always the same (the spammer only changed the date format).

I heard about a cross-site botnet exploit on Yahoo! and a third-party
website, but did not dig into that.

Here is what is working fine for me:

    # date/time stamp the bot appends to the body after the link
    body    __AJB_DATE_IN_BODY  m'\d{1,2}/\d{1,2}/\d{4}\s(\d{1,2}:){2}\d{2} [AP]M'
    # /word/random.ext?random or /word/random=random style link
    uri     __AJB_RANDOMURI     m'/[a-z]{2,10}/[a-z1-9]{1,30}(\.[a-z1-9]{1,10}\?[a-z1-9]{1,30}|[\=\&][a-z1-9]{1,30})'
    # really sent from a yahoo.com/yahoo.ca address through a Yahoo relay
    # into our MX (zerospam.ca here; put your own hostname in the "by" part)
    header  __AJB_FROM_YAHOO    From:addr =~ /\@yahoo\.c(a|om)/i
    header  __RCVD_YAHOO        Received =~ m'\.yahoo\.c(a|om) .+ by \S+\.zerospam\.ca'm
    meta    AJB_REALYAHOO       __AJB_FROM_YAHOO && __RCVD_YAHOO
    # all of the above plus an HTML part: that is the bot
    meta    AJB_YAHOO_BOT       AJB_REALYAHOO && HTML_MESSAGE && __AJB_DATE_IN_BODY && __AJB_RANDOMURI
    score   AJB_YAHOO_BOT       10.0


Pretty much the same as what David suggests :-)

Also noticed that the To: and Reply-To: headers and the name in the
signature in the body match. Wanted to code a plugin, but the previous
rules are doing the job, so...

Alex, from prypiat.
Yes, I recycle.


On 13-03-01 12:49 PM, Kevin A. McGrail wrote:
> On 3/1/2013 12:43 PM, David F. Skoll wrote:
>> These are the common elements as far as I can see in the text/plain part
>> of the spam:
>>
>> 1) The URL always matches this regex:
>>
>>     http://\S+/\S+\.\s+\?
>>
>> In other words, there's always a dot in the URL (not counting the dots
>> in the domain name itself) and a question mark.
>>
>> 2) The URL is then followed by possible whitespace and the name or
>> address
>> of the sender.
>>
>> 3) This is followed by more possible whitespace and then the date and
>> time in a format that matches this regex:
>>
>>        \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M
>>
>> Can others confirm this pattern?
> I can confirm this is ONE of the patterns we've seen but we have seen
> other variations.
>
> For example, here's one from yesterday that you'll note forges my
> brother as the sender:
>
> Return-Path: <rasiel_mongad...@yahoo.com>
> Received: from nm7.bullet.mail.gq1.yahoo.com
> (nm7.bullet.mail.gq1.yahoo.com [98.136.218.72])
>     by intel1.peregrinehw.com (8.14.5/8.14.5) with SMTP id r1SI2WHg008621
>     for <kmcgr...@peregrinehw.com>; Thu, 28 Feb 2013 13:02:33 -0500
> Received: from [98.137.12.61] by nm7.bullet.mail.gq1.yahoo.com with
> NNFMP; 28 Feb 2013 18:02:31 -0000
> Received: from [208.71.42.212] by tm6.bullet.mail.gq1.yahoo.com with
> NNFMP; 28 Feb 2013 18:02:31 -0000
> Received: from [127.0.0.1] by smtp223.mail.gq1.yahoo.com with NNFMP;
> 28 Feb 2013 18:02:31 -0000
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
> s=s1024; t=1362074551;
> bh=O2aFzcTOvDvCQALZoONOlZmCJiqlFu6WnhUAJG1clGI=;
> h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:Reply-To:Subject:Date:To;
> b=5sIC6wpAChfKFdhlWmr4OhjWCpNoMhTdxsbWPAIXYyD3f+O4QKMatwXxL7uvHeFc5TD//q4hW0HQDVJ+f/XJq71XHuBeWLySuYceP9ZP5gMRMnAR8uM9o9rWw0vnwSd7+3H3ff1rCd2FunGswYwlNAG5yz79uYE7xe+sXw5qs3c=
>
> X-Yahoo-Newman-Id: 533489.47072...@smtp223.mail.gq1.yahoo.com
> Message-ID: <533489.47072...@smtp223.mail.gq1.yahoo.com>
> X-Yahoo-Newman-Property: ymail-3
> X-YMail-OSG: jRlM9PUVM1m1fvPhWPzSnQEReLcFyK.eiCoVEK16XkMJTsp
>  FUuOvETyd8ee4KmT2FuoE1n9krae3pEbGP2MbvtNXR6sdYnhJIxvfdiuEtob
>  wr1ipSssPLDugG_B3KfoWpLJZs0YjG5TMqqVzDGih3D11pGQfAY6w.mgoOWY
>  Vemeo4DqHYY8XYokWdUpIh65s1dDZlNaYvlqfF1MZudo2pV6wlPm_rMDWHvP
>  DNawGoHaZr3qyELnp7ElYqt8BCCs0hushH3dTtn.mVpUMrTv3GzPnkMMGCvR
>  O9U8mO_UIFwTMrWvkkzLcMKqdKdukq8.cPSh8VY5TRg_Xih7mDsVxksEIVcE
>  OCOEMbBw9uApP4oRpc.pBlu9eDntaPpiUUPhpb9xxkQw4lcLJkx0RTt0GYD3
>  uAMLNtukwnvce54PkLZl3JrIDGhvQuhKnZxYyRsne49aNjP11_3wZUo8wlvg
>  guHiLuHcqkFb6lusTYz41fCHrSJ6VTYxwqlQcA0DioWPWPDZmkjLtrc2aER1
>  MbKjYki6ceeLXQT21DGdb9Gui.eE43RA2Ix6qqTYRddM-
> X-Yahoo-SMTP: bHYtILuswBDzs9L.FhYpFEHr7NQ0kndD9GjKbx8-
> Received: from localhost (rasiel_mongado29@200.121.59.161 with login)
>         by smtp223.mail.gq1.yahoo.com with SMTP; 28 Feb 2013 10:02:31
> -0800 PST
> From: TOBY MCGRAIL <rasiel_mongad...@yahoo.com>
> Reply-To: TOBY MCGRAIL <tvfdkmn...@yahoo.com>
> Subject: KEVIN
> Date: Thu, 28 Feb 2013 10:05:47 -0800 (PST)
> To: Kevin <kmcgr...@peregrinehw.com>
>
> kevin, hey. look what I found!           
> http://www.deguciumd-munged.lt/answerbabykevingreen/
>
>
> regards,
> KAM

Attachment: signature.asc
Description: OpenPGP digital signature
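As an added example (not part of the thread and not SpamAssassin's own code), here is a stand-alone Python re-implementation of Alex's rule set, run against two constructed messages: one laid out the way David describes (link, sender name, then the date/time stamp) and one legitimate-looking mail from the same account that carries a date stamp but a plain link. The five regexes are copied from Alex's rules; everything else is an assumption made for the example: the URL extraction is a crude stand-in for SpamAssassin's uri handling, mx1.zerospam.ca is an assumed name for the receiving MX, the addresses are documentation IPs, and both sample messages are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Regexes copied from the rules in the post above (Perl syntax translates
# unchanged).  RELAY_SUFFIX stands in for the poster's own MX name in the
# "by ..." clause; change it to the hostname your MX writes into Received.
RELAY_SUFFIX = r"\S+\.zerospam\.ca"
DATE_IN_BODY = re.compile(r"\d{1,2}/\d{1,2}/\d{4}\s(\d{1,2}:){2}\d{2} [AP]M")
RANDOM_URI = re.compile(
    r"/[a-z]{2,10}/[a-z1-9]{1,30}(\.[a-z1-9]{1,10}\?[a-z1-9]{1,30}|[\=\&][a-z1-9]{1,30})")
FROM_YAHOO = re.compile(r"@yahoo\.c(a|om)", re.I)
RCVD_YAHOO = re.compile(r"\.yahoo\.c(a|om) .+ by " + RELAY_SUFFIX)
URL = re.compile(r"https?://\S+")   # crude stand-in for SpamAssassin's URI extraction
TAG = re.compile(r"<[^>]+>")

# Constructed sample headers (not a real capture): relay names mimic the Yahoo
# chain in KAM's message, addresses are documentation IPs, mx1.zerospam.ca is
# an assumed name for the receiving MX.
HEADERS = """\
Received: from nm7.bullet.mail.gq1.yahoo.com (nm7.bullet.mail.gq1.yahoo.com [192.0.2.20])
    by mx1.zerospam.ca (Postfix) with ESMTP id 0123456789
    for <victim@example.net>; Fri, 1 Mar 2013 12:00:00 -0500
Received: from localhost (someuser@192.0.2.10 with login)
    by smtp223.mail.gq1.yahoo.com with SMTP; 1 Mar 2013 09:00:00 -0800 PST
From: Some Friend <someuser@yahoo.com>
Reply-To: Some Friend <othername@yahoo.com>
To: Victim <victim@example.net>
Subject: hey
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

"""

def _sample(plain, html):
    """Build a multipart/alternative message with the constructed headers."""
    return HEADERS + (
        "--b1\nContent-Type: text/plain; charset=us-ascii\n\n" + plain +
        "\n--b1\nContent-Type: text/html; charset=us-ascii\n\n" + html +
        "\n--b1--\n")

# Link, sender name, then date/time stamp: the layout David described.
SPAM_SAMPLE = _sample(
    "hey, look what I found!\nhttp://www.example.com/news/abc123.php?xyz\n"
    "Some Friend 3/1/2013 10:05:47 AM",
    '<p>hey, look what I found!</p><a href="http://www.example.com/news/abc123.php?xyz">'
    "here</a><p>Some Friend 3/1/2013 10:05:47 AM</p>")

# Legitimate-looking mail from the same account: a date stamp but a plain link.
HAM_SAMPLE = _sample(
    "Minutes of the 3/1/2013 10:05:47 AM call: http://example.org/minutes",
    '<p>Minutes of the 3/1/2013 10:05:47 AM call: <a href="http://example.org/minutes">here</a></p>')

def _unfold(value):
    """Join folded continuation lines so one Received header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def _rendered_body(msg):
    """Text of every text/* part with HTML tags stripped (approximates SA 'body')."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "us-ascii", "replace")
        if part.get_content_subtype() == "html":
            text = TAG.sub(" ", text)
        chunks.append(text)
    return "\n".join(chunks)

def evaluate_rules(raw):
    """Return a dict of rule name -> hit, mirroring the sub-rules and metas."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    received = [_unfold(v) for v in msg.get_all("Received", [])]
    body = _rendered_body(msg)
    hits = {
        "__AJB_FROM_YAHOO": bool(FROM_YAHOO.search(from_addr)),
        "__RCVD_YAHOO": any(RCVD_YAHOO.search(r) for r in received),
        "HTML_MESSAGE": any(p.get_content_type() == "text/html" for p in msg.walk()),
        "__AJB_DATE_IN_BODY": bool(DATE_IN_BODY.search(body)),
        "__AJB_RANDOMURI": any(RANDOM_URI.search(u) for u in URL.findall(body)),
    }
    hits["AJB_REALYAHOO"] = hits["__AJB_FROM_YAHOO"] and hits["__RCVD_YAHOO"]
    hits["AJB_YAHOO_BOT"] = (hits["AJB_REALYAHOO"] and hits["HTML_MESSAGE"]
                             and hits["__AJB_DATE_IN_BODY"] and hits["__AJB_RANDOMURI"])
    return hits

def score(raw):
    """Score contributed by AJB_YAHOO_BOT: 10.0 when the meta fires, else 0."""
    return 10.0 if evaluate_rules(raw)["AJB_YAHOO_BOT"] else 0.0

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, score(sample), evaluate_rules(sample))
```

Two things worth keeping in mind when tuning this. First, the last Received line in KAM's sample reads "with login" and the message carries a d=yahoo.com DKIM signature, i.e. it left through an authenticated Yahoo account, so sender-authentication checks pass; what separates it from that account's legitimate mail is the content half of the meta (the date stamp plus the random-looking link), which is why the second sample scores 0 even though AJB_REALYAHOO and __AJB_DATE_IN_BODY both hit. Second, the From:addr regex is unanchored, so an address like someone@yahoo.com.example would satisfy it on its own; AJB_REALYAHOO also demanding the Yahoo relay in Received is what keeps that from mattering.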