Posted to users@spamassassin.apache.org by Paweł Tęcza <pt...@uw.edu.pl> on 2009/06/19 11:24:04 UTC

New www.medsXX.net spam

Hello People,

It's a new spam we have been getting for a few hours. It's very short,
with random subject and body. The constant element is a domain address
like "(www	 meds35	 net)" or "(www  meds88  net)".

Below are a few samples:

http://pastebin.com/m5988eed
http://pastebin.com/m5835257
http://pastebin.com/m11b07539

Have a nice day,

P.



Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by Paweł Tęcza <pt...@uw.edu.pl>.
Randal, Phil wrote:
> Paweł Tęcza wrote:

>> What's the rule for deliberately misspelled words?
>> 
>> My best regards,
>> 
>> Pawel
> 
> In this country, at least, "misspelled" belongs in that list of misspelt words.
> 
> Oh, don't we all love American English?  *grin*

Hi Phil,

It's funny, isn't it? :)

Sorry if it was hurtful to your pure British English ;) Simply, my
typing was faster than my thinking :D

Have a nice weekend!

P.


Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by mouss <mo...@ml.netoyen.net>.
Randal, Phil wrote:
> Paweł Tęcza wrote:
>> Martin Gregorie wrote:
>>> On Fri, 2009-06-19 at 11:52 +0100, richard@buzzhost.co.uk wrote:
>>>> On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
>>>>> Hello People,
>>>>>
>>>>> It's a new spam we have been getting for a few hours. It's very
>>>>> short, with random subject and body. The constant element is
>>>>> domain address like "(www	 meds35	 net)" or "(www  meds88  net)".
>>>>>
>>> These are easy to trap.
>> Hello Martin,
>>
>> I have my own rule to catch that spam too :)
>>
>>> I added a match rule for that type of munged web address to my rule
>>> that lists pill shop names (pharmacy, apothecary,...) and used a meta
>>> to combine that with another rule that lists deliberately misspelled
>>> words that can occur in Subject or body.
>> What's the rule for deliberately misspelled words?
>>
>> My best regards,
>>
>> Pawel
> 
> In this country, at least, "misspelled" belongs in that list of misspelt words.
> 
> Oh, don't we all love American English?  *grin*
> 

http://www.askoxford.com/betterwriting/spelling/?view=uk

notice the title (and also the entry for "misspell").

or are these american guys behind askoxford.com?

> Cheers,
> 
> Phil
> 


Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by RW <rw...@googlemail.com>.
On Fri, 19 Jun 2009 14:19:11 +0100
"Randal, Phil" <pr...@herefordshire.gov.uk> wrote:


> In this country, at least, "misspelled" belongs in that list of
> misspelt words.

It doesn't, either is fine. It's just that in British English they're
both pronounced as misspelt.   Misspelled is only an Americanism if
it's pronounced the way it's spelled.

RE: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
Paweł Tęcza wrote:
> Martin Gregorie wrote:
>> On Fri, 2009-06-19 at 11:52 +0100, richard@buzzhost.co.uk wrote:
>>> On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
>>>> Hello People,
>>>> 
>>>> It's a new spam we have been getting for a few hours. It's very
>>>> short, with random subject and body. The constant element is
>>>> domain address like "(www	 meds35	 net)" or "(www  meds88  net)".
>>>> 
>> These are easy to trap.
> 
> Hello Martin,
> 
> I have my own rule to catch that spam too :)
> 
>> I added a match rule for that type of munged web address to my rule
>> that lists pill shop names (pharmacy, apothecary,...) and used a meta
>> to combine that with another rule that lists deliberately misspelled
>> words that can occur in Subject or body.
> 
> What's the rule for deliberately misspelled words?
> 
> My best regards,
> 
> Pawel

In this country, at least, "misspelled" belongs in that list of misspelt words.

Oh, don't we all love American English?  *grin*

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk


Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by Paweł Tęcza <pt...@uw.edu.pl>.
Martin Gregorie wrote:
> On Fri, 2009-06-19 at 11:52 +0100, richard@buzzhost.co.uk wrote:
>> On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
>> > Hello People,
>> > 
>> > It's a new spam we have been getting for a few hours. It's very short,
>> > with random subject and body. The constant element is domain address
>> > like "(www	 meds35	 net)" or "(www  meds88  net)".
>> >
> These are easy to trap.

Hello Martin,

I have my own rule to catch that spam too :)

> I added a match rule for that type of munged web address to my rule that
> lists pill shop names (pharmacy, apothecary,...) and used a meta to
> combine that with another rule that lists deliberately misspelled words
> that can occur in Subject or body.

What's the rule for deliberately misspelled words?

My best regards,

Pawel


Re: [SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2009-06-19 at 11:52 +0100, richard@buzzhost.co.uk wrote:
> On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
> > Hello People,
> > 
> > It's a new spam we have been getting for a few hours. It's very short,
> > with random subject and body. The constant element is domain address
> > like "(www	 meds35	 net)" or "(www  meds88  net)".
> >
These are easy to trap.

I added a match rule for that type of munged web address to my rule that
lists pill shop names (pharmacy, apothecary,...) and used a meta to
combine that with another rule that lists deliberately misspelled words
that can occur in Subject or body.


Martin



[SA SPAM 1.4 ] Re: New www.medsXX.net spam

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
> Hello People,
> 
> It's a new spam we have been getting for a few hours. It's very short,
> with random subject and body. The constant element is domain address
> like "(www	 meds35	 net)" or "(www  meds88  net)".
> 
> Below are a few samples:
> 
> http://pastebin.com/m5988eed
> http://pastebin.com/m5835257
> http://pastebin.com/m11b07539
> 
> Have a nice day,
> 
> P.
> 
> 
Seen a few myself but had to dig them out of the bin as I have a filter
before SA blocking dynamic ADSL clients:

dynamic-adsl-94-38-33-2.clienti.tiscali.it [94.38.33.2]




Re: New www.medsXX.net spam

Posted by Paweł Tęcza <pt...@uw.edu.pl>.
Benny Pedersen wrote:
> On Fri, June 19, 2009 11:24, Paweł Tęcza wrote:
>> Hello People,
> 
>> http://pastebin.com/m5988eed
> 
> are you sure you want email To: root@uw.edu.pl from outside world ?
> 
> assume it's the envelope recipient, if not just ignore me :)
> 
> check your aliases in mta

Hello Benny,

root@uw.edu.pl is only an alias. We have a postmaster@uw.edu.pl alias too,
but they are not the same aliases :)

>> http://pastebin.com/m5835257
> 
> same here To: mailer-daemon@student.uw.edu.pl is mailer-daemon one that
> works local to you ?, if no then its clearly spam bounces or non working
> remote mta

It's the next alias :)

>> http://pastebin.com/m11b07539
> 
> your mta/sa is running on ipv6 host, ipv6 is not supported very well in
> sa, that's why you get low scores
> 
>> Have a nice day,
> 
> no problem

Thanks a lot for your comments! :)

P.


Re: New www.medsXX.net spam

Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 19, 2009 11:24, Paweł Tęcza wrote:
> Hello People,

> http://pastebin.com/m5988eed

are you sure you want email To: root@uw.edu.pl from outside world ?

assume it's the envelope recipient, if not just ignore me :)

check your aliases in mta

> http://pastebin.com/m5835257

same here To: mailer-daemon@student.uw.edu.pl is mailer-daemon one that
works local to you ?, if no then its clearly spam bounces or non working
remote mta

> http://pastebin.com/m11b07539

your mta/sa is running on ipv6 host, ipv6 is not supported very well in
sa, that's why you get low scores

> Have a nice day,

no problem

-- 
xpoint


Re: New www.medsXX.net spam

Posted by John Hardin <jh...@impsec.org>.
On Sun, 2009-06-21 at 23:21 +0200, mouss wrote:
> John Hardin wrote:
>
> >    /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>
> you can replace "meds" by "(meds|shop)" to catch the "www shop95 net"
> variants.

body URI_OBFU_MEDSHOP /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


Re: New www.medsXX.net spam

Posted by mouss <mo...@ml.netoyen.net>.
John Hardin wrote:
> On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
>> On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
>>>>> body	AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>>> I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
>>> or a feature? :)
>> That depends. If the URIs are always lowercase in the spams, making the
>> RE case-insensitive doesn't help and may hurt.
>>
>>> BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
>>> \d{1,4}.
>> No, it's not. In SA, unbounded matches are hazardous and should be
>> avoided. {0,20} is safer than * and {1,20} is safer than +.
>>
>> This is not a general rule, it only applies where the text being scanned
>> is from an untrusted (and possibly actively hostile) source.
>>
>> Another improvement: add word boundaries at the beginning and end:
>>
>>   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
>>
>> If the parentheses in the original example are actually in the message,
>> including them will help too. Are they actually in the message?
> 
> D'oh, /me checks pastebins from first message...
> 
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
> 
> Try this:
> 
>    /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
> 

you can replace "meds" by "(meds|shop)" to catch the "www	shop95	net"
variants.



Re: New www.medsXX.net spam

Posted by Paweł Tęcza <pt...@uw.edu.pl>.
On Fri, 2009-06-19 at 09:45 -0700, John Hardin wrote:
> On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
> > On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> > >
> > > >> body	AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> > >
> > > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> > > or a feature? :)
> > 
> > That depends. If the URIs are always lowercase in the spams, making the
> > RE case-insensitive doesn't help and may hurt.

Hi John,

I could see only lowercase URIs, but I still prefer case-insensitive
rules. Simply, I don't want to get a lot of spam because the spammer
read this thread and changed only one letter :)

> > > BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> > > \d{1,4}.
> > 
> > No, it's not. In SA, unbounded matches are hazardous and should be
> > avoided. {0,20} is safer than * and {1,20} is safer than +.
> > 
> > This is not a general rule, it only applies where the text being scanned
> > is from an untrusted (and possibly actively hostile) source.
> > 
> > Another improvement: add word boundaries at the beginning and end:
> > 
> >   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

Thanks a lot for your tips! It's the next valuable lesson for me today :)

> > If the parentheses in the original example are actually in the message,
> > including them will help too. Are they actually in the message?

Yes, I can see the parentheses in all the spam messages I received. But
spammers can remove them soon, of course.

> D'oh, /me checks pastebins from first message...
> 
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
> 
> Try this:
> 
>    /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

Yes, I noticed it when I was testing my own rule:

[1438] dbg: rules: ran body rule LOCAL_BODY_WWW_MEDSXX_NET ======> got hit: "(www meds88 net)"

My best regards,

Pawel



Re: New www.medsXX.net spam

Posted by Jeremy Morton <ad...@game-point.net>.
Ah, OK, I was using it as a 'full' rule.

Best regards,
Jeremy Morton (Jez)

John Hardin wrote:
> On Sat, 20 Jun 2009, Jeremy Morton wrote:
>
>> John Hardin wrote:
>>> D'oh, /me checks pastebins from first message...
>>>
>>> Also, body rules match cleaned-up text with runs of spaces collapsed,
>>> so you don't need to use + or {1,...}
>>>
>>> Try this:
>>>
>>> /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>>
>> Actually, I don't know where you get that idea from; as far as I can
>> tell, the SA rules are matching the original message text, not text
>> with runs of spaces collapsed; so that regex doesn't work for the vast
>> majority of those medsXX spams for me. I had to modify it to this:
>>
>> /\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)/m
>>
>> Which matches something like '(www meds30 org)'... whereas your
>> suggested one doesn't
>
> Note I said "body rules". I did test the sample message against that
> rule before posting it. Are you using that RE in a rawbody rule?
>
> If you want to see for yourself, put a rule like this into your test
> framework:
>
> body ALL_BODY /.+/
> tflags ALL_BODY multiple
>
> ...and run a test message with lots of whitespace through it. You'll see
> exactly what body rules are trying to match against.
>
>> (first www has a space AND a tab after it).
>
> *that* I did not specifically test against, 'ang on...
>
> ...yep, the RE I posted matches on "(www [tab] meds88 net)" when used in
> a body rule.
>

Re: New www.medsXX.net spam

Posted by John Hardin <jh...@impsec.org>.
On Sat, 20 Jun 2009, Jeremy Morton wrote:

> John Hardin wrote:
>>  D'oh, /me checks pastebins from first message...
>>
>>  Also, body rules match cleaned-up text with runs of spaces collapsed,
>>  so you don't need to use + or {1,...}
>>
>>  Try this:
>>
>>      /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>
> Actually, I don't know where you get that idea from; as far as I can tell, 
> the SA rules are matching the original message text, not text with runs of 
> spaces collapsed; so that regex doesn't work for the vast majority of those 
> medsXX spams for me.  I had to modify it to this:
>
> /\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)/m
>
> Which matches something like '(www 	meds30 	org)'... whereas your 
> suggested one doesn't

Note I said "body rules". I did test the sample message against that rule 
before posting it. Are you using that RE in a rawbody rule?

If you want to see for yourself, put a rule like this into your test 
framework:

    body     ALL_BODY /.+/
    tflags   ALL_BODY multiple

...and run a test message with lots of whitespace through it. You'll see 
exactly what body rules are trying to match against.

> (first www has a space AND a tab after it).

*that* I did not specifically test against, 'ang on...

...yep, the RE I posted matches on "(www [tab] meds88   net)" when used in 
a body rule.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Liberals love sex ed because it teaches kids to be safe around their
   sex organs. Conservatives love gun education because it teaches kids
   to be safe around guns. However, both believe that the other's
   education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
  14 days until the 233rd anniversary of the Declaration of Independence

Re: New www.medsXX.net spam

Posted by Jeremy Morton <ad...@game-point.net>.
John Hardin wrote:
> D'oh, /me checks pastebins from first message...
>
> Also, body rules match cleaned-up text with runs of spaces collapsed, so
> you don't need to use + or {1,...}
>
> Try this:
>
>     /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
>

Actually, I don't know where you get that idea from; as far as I can 
tell, the SA rules are matching the original message text, not text with 
runs of spaces collapsed; so that regex doesn't work for the vast 
majority of those medsXX spams for me.  I had to modify it to this:

/\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)/m

Which matches something like '(www 	meds30 	org)'... whereas your 
suggested one doesn't (first www has a space AND a tab after it).

Best regards,
Jeremy Morton (Jez)

Re: New www.medsXX.net spam

Posted by John Hardin <jh...@impsec.org>.
On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
> On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
> >
> > >> body	AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> >
> > I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> > or a feature? :)
> 
> That depends. If the URIs are always lowercase in the spams, making the
> RE case-insensitive doesn't help and may hurt.
> 
> > BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> > \d{1,4}.
> 
> No, it's not. In SA, unbounded matches are hazardous and should be
> avoided. {0,20} is safer than * and {1,20} is safer than +.
> 
> This is not a general rule, it only applies where the text being scanned
> is from an untrusted (and possibly actively hostile) source.
> 
> Another improvement: add word boundaries at the beginning and end:
> 
>   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
> 
> If the parentheses in the original example are actually in the message,
> including them will help too. Are they actually in the message?

D'oh, /me checks pastebins from first message...

Also, body rules match cleaned-up text with runs of spaces collapsed, so
you don't need to use + or {1,...}

Try this:

   /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79

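As an added example (not code from this thread or from SpamAssassin itself) of the body-versus-rawbody point that Jeremy Morton and John Hardin argue out above: the Python below approximates SpamAssassin's rendered-body whitespace handling with a plain `\s+` to single-space substitution (an assumption about the renderer, enough for this check), then runs John's body-rule RE and Jeremy's `\s+` variant against a constructed message whose obfuscated domain has a space and a tab after `www`. The `all_body_tokens` helper mirrors the `body ALL_BODY /.+/` trick John suggests for seeing what the engine is actually matching against.

```python
import re

# Constructed sample, not one of the pastebin messages from the thread.
# The obfuscated domain has a space AND a tab after "www", the case
# Jeremy Morton described.
RAW_BODY = "Hi there\n\nbest deals today (www \tmeds30 \torg)\n\nthanks\n"

# John Hardin's RE, intended for a 'body' rule (rendered text).
BODY_RE = re.compile(r"\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)")

# Jeremy Morton's variant, written to survive raw whitespace (he used /m).
RAW_RE = re.compile(r"\(\s*w{2,4}\s+meds\d{1,4}\s+(?:net|com|org)\s*\)", re.M)


def render_body(raw: str) -> str:
    """Assumed approximation of what a SpamAssassin 'body' rule sees:
    decoded text with line breaks removed and every run of whitespace
    (spaces, tabs, newlines) collapsed to a single space."""
    return re.sub(r"\s+", " ", raw).strip()


def first_match(pattern, text):
    """Return the matched substring, or None if the rule would not hit."""
    m = pattern.search(text)
    return m.group(0) if m else None


def check_rule_scopes(raw: str = RAW_BODY) -> dict:
    """Run both REs against the raw text (what a rawbody rule sees) and
    against the rendered text (what a body rule sees)."""
    rendered = render_body(raw)
    return {
        "body_re_on_rawbody": first_match(BODY_RE, raw),
        "body_re_on_body": first_match(BODY_RE, rendered),
        "raw_re_on_rawbody": first_match(RAW_RE, raw),
        "raw_re_on_body": first_match(RAW_RE, rendered),
    }


def all_body_tokens(raw: str, rendered: bool = True) -> list:
    """Mimic 'body ALL_BODY /.+/' with 'tflags ALL_BODY multiple': return
    every chunk the rule engine would try to match, so the whitespace
    it sees can be inspected directly."""
    text = render_body(raw) if rendered else raw
    return re.findall(r".+", text)


if __name__ == "__main__":
    for name, hit in check_rule_scopes().items():
        print(f"{name:22s} -> {hit!r}")
    print("rendered chunks:", all_body_tokens(RAW_BODY))
    print("raw chunks:     ", all_body_tokens(RAW_BODY, rendered=False))
```

The rendered view is one whitespace-normalised line, so John's single-`\s` RE hits there and misses on the raw text; Jeremy's `\s+` version hits in both scopes, which is the behaviour you want if the rule is going to be used as a rawbody or full rule.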

Re: New www.medsXX.net spam

Posted by John Hardin <jh...@impsec.org>.
On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
>
> >> body	AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>
> I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
> or a feature? :)

That depends. If the URIs are always lowercase in the spams, making the
RE case-insensitive doesn't help and may hurt.

> BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
> \d{1,4}.

No, it's not. In SA, unbounded matches are hazardous and should be
avoided. {0,20} is safer than * and {1,20} is safer than +.

This is not a general rule, it only applies where the text being scanned
is from an untrusted (and possibly actively hostile) source.

Another improvement: add word boundaries at the beginning and end:

  /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

If the parentheses in the original example are actually in the message,
including them will help too. Are they actually in the message?

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


Re: New www.medsXX.net spam

Posted by Paweł Tęcza <pt...@uw.edu.pl>.
Paweł Tęcza wrote:
> McDonald, Dan wrote:
>> On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
>>> Hello People,
>>> 
>>> It's a new spam we have been getting for a few hours. It's very short,
>>> with random subject and body. The constant element is domain address
>>> like "(www	 meds35	 net)" or "(www  meds88  net)".
>> 
>> This is what I'm using to catch them.  It's caught 675 since yesterday afternoon.
>> 
>> body	AE_MEDS35		/w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
>> describe AE_MEDS35		obfuscated domain seen in spam
>> score	AE_MEDS35		3.00
>> 
>> I might have to increase the size of the \s from 4....
> 
> Hello Dan,
> 
> My rule is similar to yours, but it's simpler. Probably it's a good idea
> to check .com and .org domains too, so I'll improve my rule. I've also
> set higher score.

I've just noticed "missing" 'i' switch for your rule regexp. Is it a bug
or a feature? :)

BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
\d{1,4}.

Cheers,

P.


Re: New www.medsXX.net spam

Posted by Paweł Tęcza <pt...@uw.edu.pl>.
McDonald, Dan wrote:
> On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
>> Hello People,
>> 
>> It's a new spam we have been getting for a few hours. It's very short,
>> with random subject and body. The constant element is domain address
>> like "(www	 meds35	 net)" or "(www  meds88  net)".
> 
> This is what I'm using to catch them.  It's caught 675 since yesterday afternoon.
> 
> body	AE_MEDS35		/w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
> describe AE_MEDS35		obfuscated domain seen in spam
> score	AE_MEDS35		3.00
> 
> I might have to increase the size of the \s from 4....

Hello Dan,

My rule is similar to yours, but it's simpler. Probably it's a good idea
to check .com and .org domains too, so I'll improve my rule. I've also
set higher score.

Cheers,

Pawel


Re: New www.medsXX.net spam

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2009-06-19 at 11:24 +0200, Paweł Tęcza wrote:
> Hello People,
> 
> It's a new spam we have been getting for a few hours. It's very short,
> with random subject and body. The constant element is domain address
> like "(www	 meds35	 net)" or "(www  meds88  net)".

This is what I'm using to catch them.  It's caught 675 since yesterday afternoon.

body	AE_MEDS35		/w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
describe AE_MEDS35		obfuscated domain seen in spam
score	AE_MEDS35		3.00

I might have to increase the size of the \s from 4....

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
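Added example, not from this thread or from the SpamAssassin project: a small Python harness that parses `body NAME /regex/flags` lines of the kind posted in this thread (Dan McDonald's AE_MEDS35, John Hardin's word-boundary variant, and the final URI_OBFU_MEDSHOP rule) and runs them over constructed samples, so the effect of each refinement discussed above (word boundaries, the bounded `\s` runs, the parentheses, the `(meds|shop)` alternation, and the `/i` flag Paweł asked about) is visible side by side. The rule names AE_MEDS35_WB and URI_OBFU_MEDSHOP_I are labels chosen here, and every sample string is made up. As John notes, a body rule sees rendered text with whitespace collapsed, so the wide-gap sample only matters for rawbody-style matching.

```python
import re

# Rule lines in SpamAssassin syntax. The three REs are copied from the
# thread; AE_MEDS35_WB and URI_OBFU_MEDSHOP_I are names chosen for this
# harness (the latter is the final rule with the /i flag added).
RULE_LINES = r"""
body AE_MEDS35          /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
body AE_MEDS35_WB       /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/
body URI_OBFU_MEDSHOP   /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/
body URI_OBFU_MEDSHOP_I /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/i
"""

# Constructed test strings (not taken from the pastebins in the thread).
SAMPLES = {
    "paren_meds": "(www meds35 net)",            # the form reported by Paweł
    "paren_shop": "(www shop95 net)",            # the variant mouss mentioned
    "no_paren":   "www meds88 com",              # parentheses dropped
    "upper":      "(WWW MEDS35 NET)",            # spammer changed the case
    "embedded_w": "newww meds1 net",             # 'www' inside another word
    "tld_prefix": "www meds1 network",           # 'net' is only a prefix here
    "wide_gap":   "www" + " " * 6 + "meds1 net", # more whitespace than \s{0,4}
    "ham":        "the new meds arrived at 3pm", # legitimate text
}

# Only the subset of rule syntax used in the thread: body/rawbody NAME /re/flags
RULE_LINE = re.compile(r"^(body|rawbody)\s+(\w+)\s+/(.*)/([a-z]*)\s*$")


def parse_rules(text: str) -> dict:
    """Parse rule lines into {name: compiled regex}. Only the 'i' flag is
    honoured, which is the only flag that appears in the thread."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported rule line: {line!r}")
        _scope, name, pattern, flags = m.groups()
        rules[name] = re.compile(pattern, re.I if "i" in flags else 0)
    return rules


def evaluate(rules: dict, samples: dict) -> dict:
    """Return {sample_label: sorted list of rule names that hit}."""
    return {
        label: sorted(name for name, rx in rules.items() if rx.search(text))
        for label, text in samples.items()
    }


if __name__ == "__main__":
    for label, hits in evaluate(parse_rules(RULE_LINES), SAMPLES).items():
        print(f"{label:11s} {SAMPLES[label]!r:32s} -> {hits}")
```

Reading the table: the bare AE_MEDS35 also fires on `newww meds1 net` and `www meds1 network`, which the `\b` anchors in the WB variant remove; the parenthesised final rule is the most specific but, as Paweł points out, stops matching the moment the case or the parentheses change, and only the `/i` copy survives the uppercase sample.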