Posted to users@spamassassin.apache.org by Ibrahim Harrani <ib...@gmail.com> on 2010/08/25 00:06:05 UTC

russian spam with only two lines in the body

Hi,

Recently, I am getting Russian spam like at http://pastebin.com/Yf3AusJ4

Their common characteristic is that there are two lines in the body.
The first is a sentence, the second is a URL ending with .ru/

How can I write a rule for this type of spam? Or can the SpamAssassin team write
a rule to distribute via sa-learn update?


Thanks.

Re: russian spam with only two lines in the body

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-08-25 at 01:06 +0300, Ibrahim Harrani wrote:
> Recently, I am getting Russian spam like at
> http://pastebin.com/Yf3AusJ4
> 
> Their common characteristic is that there are two lines in the body.
> The first is a sentence, the second is a URL ending with .ru/

Hmm, I don't seem to have any problems with these. In fact, the samples
I just checked are scoring rather high. :)

Please do provide some full, raw samples with all headers, including the
SA headers. Without that information it is impossible to discuss
possible reasons.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: russian spam with only two lines in the body

Posted by Martin Gregorie <ma...@gregorie.org>.
> Thus, based on my own observations, it looks like the value of rules in 
> this particular area is going to be in scoring stuff that arrives before 
> the domains show up in the various SURBLs.
> 
Quite possibly, though it seems to have been selectively targeted to
some extent: at least it doesn't seem to have shotgunned the entire
'net. I'm guessing that because: 

- it was bothering a few people on the list for a fair time
- it has apparently taken longer than that to get onto the SURBLS
  so presumably hadn't hit either their honeypots or any/many who
  would report it.
- I've never seen it here. I was simply feeling bored and wrote the
  set of patterns and meta as an exercise.


Martin



Re: russian spam with only two lines in the body

Posted by NFN Smith <wo...@mail.com>.
Martin Gregorie wrote:

>
> Alternatively, using a meta rule that combines the above pattern as a
> sub-rule with two like this:
>
> /[a-z]{7,8}[0-9]{4}/
>
> that match against From: and Reply-To: headers would appear to be
> fairly specific and worthy of a big score, but of course you'll have
> spotted that already.

That's the pattern I'm seeing on my own spamtraps -- messages that have 
4 numeric digits in both the From: and Reply-To: addresses.

However, in re-running some of my samples against rules that may do this 
kind of thing, I'm finding that all my samples are getting sufficient 
hits from external queries that the score is high enough to force 
rejection, anyway.

Thus, based on my own observations, it looks like the value of rules in 
this particular area is going to be in scoring stuff that arrives before 
the domains show up in the various SURBLs.

Smith


Re: russian spam with only two lines in the body

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2010-08-25 at 01:06 +0300, Ibrahim Harrani wrote:
> Hi,
> 
> Recently, I am getting Russian spam like at
> http://pastebin.com/Yf3AusJ4
> 
> Their common characteristic is that there are two lines in the body.
> The first is a sentence, the second is a URL ending with .ru/
> 
> How can I write a rule for this type of spam? Or can the SpamAssassin team
> write a rule to distribute via sa-learn update?
> 
It's hard to see a pattern from those examples. However, if you can
guarantee that messages containing Russian addresses are always
unwanted, then 

uri BAN_RUS /www\..{1,16}\.ru/

with a big score would do it. 

Alternatively, using a meta rule that combines the above pattern as a
sub-rule with two like this:

/[a-z]{7,8}[0-9]{4}/

that match against From: and Reply-To: headers would appear to be
fairly specific and worthy of a big score, but of course you'll have
spotted that already.


Martin



Re: russian spam with only two lines in the body

Posted by Benny Pedersen <me...@junc.org>.
On ons 25 aug 2010 04:29:02 CEST, Jason Haar wrote

> It's nasty :-(

rules can be nasty too :)

#
# save into local_russian_domains.cf
#

uri __RU_TLD /\.ru\b/i
uri __RU_TLD_WHITE /\bexample\.ru\b/i

meta __URI_LISTED (URIBL_AB_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_BLACK || URIBL_DBL_SPAM || URIBL_SBL || GREY_LISTED_LOCAL || SPAM_LISTED_LOCAL)

meta MATCH_RU_TLD (__RU_TLD && !__URI_LISTED)
describe MATCH_RU_TLD Meta: ru tld matched (probably new spam domain)
score MATCH_RU_TLD 10

# meta MATCH_RU_TLD_WHITE (__RU_TLD_WHITE)
# describe MATCH_RU_TLD_WHITE Meta: ru tld matched (but verified not a spam domain)
# score MATCH_RU_TLD_WHITE -10

# that's my first version

# meta 2ND_MATCH_RU_TLD_WHITE (__RU_TLD && !__RU_TLD_WHITE)
# this version does not need the -10 score

# last version

if it does not work make it better

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html
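
As an added example that is not part of this thread, the Python below emulates the rule logic from the two suggestions above (Martin's www.*.ru URI rule combined as a meta with the From:/Reply-To: pattern, and Benny's MATCH_RU_TLD rule that only fires while no URIBL lists the domain) against constructed messages, offline. The uri_listed flag stands in for the DNS-based URIBL results, and the RUS_META score is an assumption; MATCH_RU_TLD's score of 10 is Benny's.

```python
import re
from email import message_from_string

# Patterns quoted in the thread: Martin's URI and header sub-rules, Benny's .ru TLD rule.
BAN_RUS = re.compile(r"www\..{1,16}\.ru")
HDR_DIGITS = re.compile(r"[a-z]{7,8}[0-9]{4}")
RU_TLD = re.compile(r"\.ru\b", re.I)
URI = re.compile(r"https?://\S+")

# Scores: MATCH_RU_TLD 10 is from Benny's post; RUS_META 5 is an assumption here.
SCORES = {"RUS_META": 5.0, "MATCH_RU_TLD": 10.0}

def evaluate(raw, uri_listed=False):
    """Return (rule hits, total score) for one raw RFC 822 message.

    uri_listed stands in for the URIBL_* / SURBL lookups SpamAssassin would do
    over DNS; it is a plain parameter here so the example runs offline.
    """
    msg = message_from_string(raw)
    uris = URI.findall(msg.get_payload())        # single-part text body assumed
    hits = {}
    hits["BAN_RUS"] = any(BAN_RUS.search(u) for u in uris)
    hits["__FROM_DIGITS"] = bool(HDR_DIGITS.search(msg.get("From", "")))
    hits["__REPLYTO_DIGITS"] = bool(HDR_DIGITS.search(msg.get("Reply-To", "")))
    # Martin's meta: the URI sub-rule plus the pattern in both headers.
    hits["RUS_META"] = hits["BAN_RUS"] and hits["__FROM_DIGITS"] and hits["__REPLYTO_DIGITS"]
    hits["__RU_TLD"] = any(RU_TLD.search(u) for u in uris)
    # Benny's meta: score a .ru URI only while no URIBL has listed it yet.
    hits["MATCH_RU_TLD"] = hits["__RU_TLD"] and not uri_listed
    score = sum(v for k, v in SCORES.items() if hits[k])
    return hits, score

# Constructed samples (not real messages from the thread).
SPAM = """From: qwertyui1234@example.com
Reply-To: asdfghjk5678@example.com
Subject: hello

Best prices on everything you need today
http://www.example-shop.ru/
"""
HAM = """From: alice@example.org
Subject: slides

The conference slides are up at http://www.example.ru/talks/
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, evaluate(raw))
```

The ham sample still scores 10 from MATCH_RU_TLD alone, which is the false-positive case Benny's commented-out __RU_TLD_WHITE sub-rule is meant to handle.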


Re: russian spam with only two lines in the body

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-08-25 at 21:31 +0100, Martin Gregorie wrote:
> On Wed, 2010-08-25 at 21:16 +0200, Karsten Bräckelmann wrote:
> > http://pastebin.com/JAEuCSnC
> 
> > Uhm, that's not typical spam. It's actually forum / blog comment spam,
> > helpfully and automatically converted to a mail.
> 
> Sure, but it's off topic and, however ineptly, it's certainly advertising.
> That makes it spam in my book, no matter how it got into the mail
> stream.

IMHO, this is not entirely correct.

SA and its rules are designed to identify spam sent by mail. Not forum
spam. The important difference is, that the latter is *only* the text.

As a consequence, none of the header checks possibly apply. Which is a
very vital part of identifying spam. No DNSBLs, no forged or mangled
headers, no ratware patterns. But a valid(!) sender. The only thing left
in this case is the body.

Effectively, you are trying to use SA as a spam filter for a forum.
Which pretty much equals the situation that has come up recently a few
times: Check text entered in web-form. That is not what SA is designed
to do.


> A high proportion of the spam I receive arrives via Wine mailing list,
> usually originating from the Wine forum or Nabble: stuff from the
> Codeweavers forum is rare. This is probably because none of the Wine
> moderators/maintainers seem to give a toss about spam filtering.

There's your problem.

The forum-to-mail gateway has generated a message you consider spam. The
spammer did not generate a mail message, and probably didn't even intend
it. It's just an additional bonus.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: russian spam with only two lines in the body

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2010-08-25 at 21:16 +0200, Karsten Bräckelmann wrote:
> http://pastebin.com/JAEuCSnC

> Uhm, that's not typical spam. It's actually forum / blog comment spam,
> helpfully and automatically converted to a mail.
>
Sure, but it's off topic and, however ineptly, it's certainly advertising.
That makes it spam in my book, no matter how it got into the mail
stream.

A high proportion of the spam I receive arrives via Wine mailing list,
usually originating from the Wine forum or Nabble: stuff from the
Codeweavers forum is rare. This is probably because none of the Wine
moderators/maintainers seem to give a toss about spam filtering.


Martin



Re: russian spam with only two lines in the body

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-08-25 at 19:56 +0100, Martin Gregorie wrote:
> > > BTW, I'm now starting to see spam that doesn't contain any URIs or other
> > > ways of identifying a source for the goods being advertised. So far it's
> > > been for examination aids and footwear and has all been sent via a
> > > mailing list. Is anybody else seeing anything similar?

> http://pastebin.com/JAEuCSnC

Uhm, that's not typical spam. It's actually forum / blog comment spam,
helpfully and automatically converted to a mail.

  Received: from www-data by wine.codeweavers.com with local (Exim 4.69)
   (envelope-from <ww...@wine.codeweavers.com>) id 1Oo5Ji-0002X7-Gy
   for wine-users@winehq.org; Tue, 24 Aug 2010 21:02:18 -0500

And indeed, the Wine Users forum description on http://forum.winehq.org/
reads: "This forum is linked to the wine-users mailing list."


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: russian spam with only two lines in the body

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2010-08-25 at 20:04 +0200, Benny Pedersen wrote:
> On ons 25 aug 2010 13:37:57 CEST, Martin Gregorie wrote
> > BTW, I'm now starting to see spam that doesn't contain any URIs or other
> > ways of identifying a source for the goods being advertised. So far it's
> > been for examination aids and footwear and has all been sent via a
> > mailing list. Is anybody else seeing anything similar?
> >
> 
> I like to see them if possible
> 
> write REQUEST-81 case sensitive in body
> 
I've dug the most recent one out of my rule test messages collection:

http://pastebin.com/JAEuCSnC

I didn't keep the other recent one - it didn't contain anything
interesting apart from a good page of lines like:

ugg boots  ugg shoes  clark shoes


with typically 5 - 6 such phrases per line.


Martin



Re: russian spam with only two lines in the body

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2010-08-25 at 14:29 +1200, Jason Haar wrote:
> On 08/25/2010 10:06 AM, Ibrahim Harrani wrote:
> > Hi,
> >
> > Recently, I am getting Russian spam like at http://pastebin.com/Yf3AusJ4
> >
> > Their common characteristic is that there are two lines in the body.
> > The first is a sentence, the second is a URL ending with .ru/
> >
> This is an example of what I reported a couple of weeks ago, Subject:
> "short pharma spam shoots straight through"
> 
> The content changes per message, along with the link. The From and
> Subject lines intent scream "I am spam" - but are changed every time,
> making blocking on string matches time consuming and a losing battle.
> 
I've now tested the rule I published last night against my collection of
280 odd examples of spam. It seems as specific as I'd hoped. It hit all
four example texts and doesn't touch anything else in the collection.

BTW, I'm now starting to see spam that doesn't contain any URIs or other
ways of identifying a source for the goods being advertised. So far it's
been for examination aids and footwear and has all been sent via a
mailing list. Is anybody else seeing anything similar?


Martin



Re: russian spam with only two lines in the body

Posted by Jason Haar <Ja...@trimble.co.nz>.
On 08/25/2010 10:06 AM, Ibrahim Harrani wrote:
> Hi,
>
> Recently, I am getting Russian spam like at http://pastebin.com/Yf3AusJ4
>
> Their common characteristic is that there are two lines in the body.
> The first is a sentence, the second is a URL ending with .ru/
>
This is an example of what I reported a couple of weeks ago, Subject:
"short pharma spam shoots straight through"

The content changes per message, along with the link. The From and
Subject lines intent scream "I am spam" - but are changed every time,
making blocking on string matches time consuming and a losing battle.

It's nasty :-(

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1