Right: the suggested pattern is working great, but there are some variants as KAM says.
However, I sense that these are not the same bots. The one with the "date in body" is always the same (the spammer only changed the date format). I heard about a cross-site botnet exploit on Yahoo! and third-party websites, but did not dig into that.

Here is what is working fine for me:

  # date/time stamp the bot appends to the body, e.g. 3/1/2013 12:49:33 PM
  body    __AJB_DATE_IN_BODY  m'\d{1,2}/\d{1,2}/\d{4}\s(\d{1,2}:){2}\d{2} [AP]M'

  # random-looking path, followed by either .ext?query or a key=value / &key fragment
  uri     __AJB_RANDOMURI     m'/[a-z]{2,10}/[a-z1-9]{1,30}(\.[a-z1-9]{1,10}\?[a-z1-9]{1,30}|[\=\&][a-z1-9]{1,30})'

  meta    AJB_YAHOO_BOT       AJB_REALYAHOO && HTML_MESSAGE && __AJB_DATE_IN_BODY && __AJB_RANDOMURI
  score   AJB_YAHOO_BOT       10.0

  # From: claims yahoo.com / yahoo.ca AND the message really was handed to us by a yahoo host
  meta    AJB_REALYAHOO       __AJB_FROM_YAHOO && __RCVD_YAHOO
  header  __AJB_FROM_YAHOO    From:addr =~ /\@yahoo\.c(a|om)/i
  # the "by ...zerospam.ca" part pins the hop to this site's own receiving MX
  header  __RCVD_YAHOO        Received =~ m'\.yahoo\.c(a|om) .+ by \S+\.zerospam\.ca'm

Pretty much the same as what David suggests :-)

Also noticed that the To: and Reply-To: headers and the name in the signature in the body match.

Wanted to code a plugin but the previous rules are doing the job so...

Alex, from prypiat. Yes, I recycle.

On 13-03-01 12:49 PM, Kevin A. McGrail wrote:
> On 3/1/2013 12:43 PM, David F. Skoll wrote:
>> These are the common elements as far as I can see in the text/plain part
>> of the spam:
>>
>> 1) The URL always matches this regex:
>>
>> http://\S+/\S+\.\s+\?
>>
>> In other words, there's always a dot in the URL (not counting the dots
>> in the domain name itself) and a question mark.
>>
>> 2) The URL is then followed by possible whitespace and the name or
>> address of the sender.
>>
>> 3) This is followed by more possible whitespace and then the date and
>> time in a format that matches this regex:
>>
>> \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M
>>
>> Can others confirm this pattern?
> I can confirm this is ONE of the patterns we've seen but we have seen
> other variations.
>
> For example, here's one from yesterday that you'll note forges my
> brother as the sender:
>
> Return-Path: <rasiel_mongad...@yahoo.com>
> Received: from nm7.bullet.mail.gq1.yahoo.com
>     (nm7.bullet.mail.gq1.yahoo.com [98.136.218.72])
>     by intel1.peregrinehw.com (8.14.5/8.14.5) with SMTP id r1SI2WHg008621
>     for <kmcgr...@peregrinehw.com>; Thu, 28 Feb 2013 13:02:33 -0500
> Received: from [98.137.12.61] by nm7.bullet.mail.gq1.yahoo.com with
>     NNFMP; 28 Feb 2013 18:02:31 -0000
> Received: from [208.71.42.212] by tm6.bullet.mail.gq1.yahoo.com with
>     NNFMP; 28 Feb 2013 18:02:31 -0000
> Received: from [127.0.0.1] by smtp223.mail.gq1.yahoo.com with NNFMP;
>     28 Feb 2013 18:02:31 -0000
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
>     s=s1024; t=1362074551;
>     bh=O2aFzcTOvDvCQALZoONOlZmCJiqlFu6WnhUAJG1clGI=;
>     h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:Reply-To:Subject:Date:To;
>     b=5sIC6wpAChfKFdhlWmr4OhjWCpNoMhTdxsbWPAIXYyD3f+O4QKMatwXxL7uvHeFc5TD//q4hW0HQDVJ+f/XJq71XHuBeWLySuYceP9ZP5gMRMnAR8uM9o9rWw0vnwSd7+3H3ff1rCd2FunGswYwlNAG5yz79uYE7xe+sXw5qs3c=
>
> X-Yahoo-Newman-Id: 533489.47072...@smtp223.mail.gq1.yahoo.com
> Message-ID: <533489.47072...@smtp223.mail.gq1.yahoo.com>
> X-Yahoo-Newman-Property: ymail-3
> X-YMail-OSG: jRlM9PUVM1m1fvPhWPzSnQEReLcFyK.eiCoVEK16XkMJTsp
>     FUuOvETyd8ee4KmT2FuoE1n9krae3pEbGP2MbvtNXR6sdYnhJIxvfdiuEtob
>     wr1ipSssPLDugG_B3KfoWpLJZs0YjG5TMqqVzDGih3D11pGQfAY6w.mgoOWY
>     Vemeo4DqHYY8XYokWdUpIh65s1dDZlNaYvlqfF1MZudo2pV6wlPm_rMDWHvP
>     DNawGoHaZr3qyELnp7ElYqt8BCCs0hushH3dTtn.mVpUMrTv3GzPnkMMGCvR
>     O9U8mO_UIFwTMrWvkkzLcMKqdKdukq8.cPSh8VY5TRg_Xih7mDsVxksEIVcE
>     OCOEMbBw9uApP4oRpc.pBlu9eDntaPpiUUPhpb9xxkQw4lcLJkx0RTt0GYD3
>     uAMLNtukwnvce54PkLZl3JrIDGhvQuhKnZxYyRsne49aNjP11_3wZUo8wlvg
>     guHiLuHcqkFb6lusTYz41fCHrSJ6VTYxwqlQcA0DioWPWPDZmkjLtrc2aER1
>     MbKjYki6ceeLXQT21DGdb9Gui.eE43RA2Ix6qqTYRddM-
> X-Yahoo-SMTP: bHYtILuswBDzs9L.FhYpFEHr7NQ0kndD9GjKbx8-
> Received: from localhost
>     (rasiel_mongado29@200.121.59.161 with login)
>     by smtp223.mail.gq1.yahoo.com with SMTP; 28 Feb 2013 10:02:31
>     -0800 PST
> From: TOBY MCGRAIL <rasiel_mongad...@yahoo.com>
> Reply-To: TOBY MCGRAIL <tvfdkmn...@yahoo.com>
> Subject: KEVIN
> Date: Thu, 28 Feb 2013 10:05:47 -0800 (PST)
> To: Kevin <kmcgr...@peregrinehw.com>
>
> kevin, hey. look what I found!
> http://www.deguciumd-munged.lt/answerbabykevingreen/
>
>
> regards,
> KAM
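The rule set Alex posted, re-implemented in Python as an added example so it can be run offline against saved messages before touching a live SpamAssassin install. This is not Alex's code and not SpamAssassin's matching engine: the regexes are copied from the posted rules, the hard-coded zerospam.ca host in __RCVD_YAHOO is replaced by a hypothetical LOCAL_MX, and the two messages are constructed samples with placeholder hosts and addresses, one in the shape the rules target and one in the plain-text, no-date shape KAM quoted. Running it shows the second sample hits AJB_REALYAHOO but never AJB_YAHOO_BOT, which is the variant gap mentioned at the top of the message.

```python
"""Offline evaluation of the AJB_YAHOO_BOT rule set posted above. Added example,
not Alex's code or SpamAssassin's engine: the regexes are copied from the posted
rules, LOCAL_MX and the sample messages are constructed placeholders."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the posted __RCVD_YAHOO rule pins the poster's own MX name; set yours.
LOCAL_MX = r"\S+\.example\.invalid"

DATE_IN_BODY = re.compile(r"\d{1,2}/\d{1,2}/\d{4}\s(\d{1,2}:){2}\d{2} [AP]M")  # body rule
RANDOM_URI = re.compile(  # uri rule, applied to each URI found in the body
    r"/[a-z]{2,10}/[a-z1-9]{1,30}(\.[a-z1-9]{1,10}\?[a-z1-9]{1,30}|[=&][a-z1-9]{1,30})")
FROM_YAHOO = re.compile(r"@yahoo\.c(a|om)", re.I)  # header rule on From:addr
RCVD_YAHOO = re.compile(r"\.yahoo\.c(a|om) .+ by " + LOCAL_MX, re.M)  # header rule on Received
SCORES = {"AJB_YAHOO_BOT": 10.0}
URI_FINDER = re.compile(r"""https?://[^\s"'<>]+""")
TAG = re.compile(r"<[^>]+>")


def body_and_uris(msg):
    """Rendered body text plus every URI seen in the text parts; tags are stripped
    from text/html (like SA's rendered body) after the URIs are collected."""
    text, uris = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        raw = part.get_content()
        uris.extend(URI_FINDER.findall(raw))
        text.append(TAG.sub(" ", raw) if ctype == "text/html" else raw)
    return "\n".join(text), uris


def evaluate(raw_message):
    """Return (rule hits by name, total score) for one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = {}
    hits["__AJB_FROM_YAHOO"] = bool(FROM_YAHOO.search(parseaddr(str(msg.get("From", "")))[1]))
    # Unfold each Received header onto its own line, as the /m rule expects.
    received = "\n".join(" ".join(str(h).split()) for h in msg.get_all("Received", []))
    hits["__RCVD_YAHOO"] = bool(RCVD_YAHOO.search(received))
    hits["AJB_REALYAHOO"] = hits["__AJB_FROM_YAHOO"] and hits["__RCVD_YAHOO"]
    hits["HTML_MESSAGE"] = any(p.get_content_type() == "text/html" for p in msg.walk())
    body, uris = body_and_uris(msg)
    hits["__AJB_DATE_IN_BODY"] = bool(DATE_IN_BODY.search(body))
    hits["__AJB_RANDOMURI"] = any(RANDOM_URI.search(u) for u in uris)
    hits["AJB_YAHOO_BOT"] = (hits["AJB_REALYAHOO"] and hits["HTML_MESSAGE"]
                            and hits["__AJB_DATE_IN_BODY"] and hits["__AJB_RANDOMURI"])
    return hits, sum(s for name, s in SCORES.items() if hits.get(name))


# Constructed samples (placeholder hosts and addresses): a Yahoo-relayed message in
# the shape Alex's rules target, and one in the plain-text, no-date shape KAM quoted.
YAHOO_HEADERS = """\
Received: from nm7.bullet.mail.gq1.yahoo.com (nm7.bullet.mail.gq1.yahoo.com [192.0.2.10])
\tby mx.example.invalid (Postfix) with ESMTP id 4F3A1B2C3D
\tfor <victim@example.invalid>; Fri, 1 Mar 2013 12:49:33 -0500
From: Some Friend <somefriend@yahoo.com>
Reply-To: Some Friend <somefriend@yahoo.com>
To: victim@example.invalid
Subject: hey
MIME-Version: 1.0
"""
SPAM_DATE_VARIANT = YAHOO_HEADERS + """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

http://news.example.invalid/news/story.php?ref=somefriend somefriend 3/1/2013 12:49:33 PM
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://news.example.invalid/news/story.php?ref=somefriend">look</a>
<br>somefriend 3/1/2013 12:49:33 PM</body></html>
--b1--
"""
SPAM_KAM_VARIANT = YAHOO_HEADERS + """\
Content-Type: text/plain; charset="us-ascii"

victim, hey. look what I found!
http://www.example.invalid/lookwhatifound/

regards,
Some Friend
"""

if __name__ == "__main__":
    for label, sample in (("date variant", SPAM_DATE_VARIANT), ("KAM variant", SPAM_KAM_VARIANT)):
        hits, score = evaluate(sample)
        print(label, score, sorted(name for name, on in hits.items() if on))
```

Two approximations to keep in mind: SpamAssassin's `body` rules run over its own rendered text and `uri` rules over URIs it extracts (including decoded and obfuscated ones), which tag-stripping and an `http://` scan only roughly mimic, so a message that hits here but not in production, or vice versa, is a reason to run it through `spamassassin -t` rather than to trust either verdict.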