Posted to users@spamassassin.apache.org by Rakesh <ra...@netcore.co.in> on 2005/05/07 08:40:53 UTC
Way to evade URI checks
Seems Spammers have found a way to evade the URI checks
the domain coolestrxever.com is listed in multi.surbl.org. But the
spammers managed to evade the URI checks by appending special
characters at the end of the url which are happily allowed by the browsers.
The spam that I received had
http://www.coolestrxever.com: (a colon at the end of the url)
After a bit of R&D I found the other options for spammers to carry this
technique
http://www.coolestrxever.com; (a semicolon)
http://www.coolestrxever.com, (a comma)
http://www.coolestrxever.com. (a fullstop)
http://www.coolestrxever.com? (a question mark)
With all these special characters at the end of the url, the URI checks try to
make the lookup as
debug: querying for coolestrxever.com:.sc.surbl.org
End result, passed the promising URI checks.
I am seeing the first of its kind of spam. If any version of
Spamassassin fixes this in its URI retrieval program please let me know
--
Regards,
Rakesh B. Pal
Project Leader
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
========================================================
Success is how high you reach after you hit the bottom.
========================================================
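
The lookup failure described in the post above, as an added example (not part of the original thread and not SpamAssassin's code): a verbatim host extraction reproduces the `coolestrxever.com:.sc.surbl.org` query from the debug line, while keeping only hostname characters and dropping the root dot yields the listed domain for all five variants. The function names are hypothetical, and reducing to the last two labels is a simplifying assumption.

```python
import re

# Leading run of characters that can legally appear in a DNS hostname.
_HOST_RUN = re.compile(r"[A-Za-z0-9.-]+")
# One well-formed label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)$")

# The five URL variants listed in the post.
SAMPLE_URLS = ["http://www.coolestrxever.com" + c for c in ":;,.?"]

def naive_host(url):
    """Everything between '//' and the first '/', taken verbatim."""
    return url.split("//", 1)[-1].split("/", 1)[0]

def clean_host(url):
    """Keep only the leading hostname characters, then drop the root dot.
    Userinfo ('user@host') and IP literals are out of scope here."""
    m = _HOST_RUN.match(url.split("//", 1)[-1])
    if not m:
        return None
    host = m.group(0).rstrip(".").lower()
    return host or None

def query_name(host, zone="sc.surbl.org"):
    """Build the blocklist lookup name from the last two labels of host.
    Simplification: real checks need a list of two-level TLDs (co.uk etc.)."""
    return ".".join(host.split(".")[-2:]) + "." + zone

def is_valid_dns_name(name):
    """True if every label is well formed; lets a caller refuse (and log)
    a lookup name that still carries stray punctuation."""
    return all(_LABEL.match(label) for label in name.lower().split("."))

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        bad = query_name(naive_host(url))
        good = query_name(clean_host(url))
        print(f"{url!r}: naive={bad!r} "
              f"valid={is_valid_dns_name(bad)} cleaned={good!r}")
```

Rejecting any lookup name that fails `is_valid_dns_name` also gives a log signal that a message carried a malformed URI.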
Re: Way to evade URI checks
Posted by Steven Stern <su...@sterndata.com>.
Rakesh wrote:
> Content preview: Seems Spammers have found a way to evade the URI
> checks the domain coolestrxever.com is listed in multi.surbl.org. But
> the spammers managed to to evade the URI checks by appending special
> charaters at the end of the url which are happily allowed by the
> browsers. [...]
>
> Content analysis details: (7.8 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> [score: 0.0000]
> 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
> [URIs: coolestrxever.com]
> 0.5 URIBL_SBL_XBL Contains URL listed in the SBL-XBL DNSBL blocklist
> [URIs: coolestrxever.com]
> 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> [URIs: coolestrxever.com]
> 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> [URIs: coolestrxever.com]
> 4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
> [URIs: coolestrxever.com]
>
>
--
Steve
RE: Way to evade URI checks
Posted by Bret Miller <br...@wcg.org>.
> > On 5/7/2005 8:40 AM +0200, Rakesh wrote:
> > > http://www.coolestrxever.com; (a semicolon)
> > > http://www.coolestrxever.com, (a comma)
> > > http://www.coolestrxever.com. (a fullstop)
> > > http://www.coolestrxever.com? (a question mark)
> >
> > add constantcontact.com) to the list.
Actually SpamAssassin 3.1.0-r169253 handles all of these already.
Bret
Re: Way to evade URI checks
Posted by jdow <jd...@earthlink.net>.
From: "Niek" <ni...@asbak.coding-slaves.com>
> On 5/7/2005 8:40 AM +0200, Rakesh wrote:
> > http://www.coolestrxever.com; (a semicolon)
> > http://www.coolestrxever.com, (a comma)
> > http://www.coolestrxever.com. (a fullstop)
> > http://www.coolestrxever.com? (a question mark)
>
> add constantcontact.com) to the list.
Add fubar.com type malformed URLs to the list. Some users are dumb
enough to cut and paste, I guess.
{^_-}
Re: Way to evade URI checks
Posted by Niek <ni...@asbak.coding-slaves.com>.
On 5/7/2005 8:40 AM +0200, Rakesh wrote:
> http://www.coolestrxever.com; (a semicolon)
> http://www.coolestrxever.com, (a comma)
> http://www.coolestrxever.com. (a fullstop)
> http://www.coolestrxever.com? (a question mark)
add constantcontact.com) to the list.
Niek
Re: Way to evade URI checks
Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Saturday 07 May 2005 07:40, Rakesh wrote:
> Seems Spammers have found a way to evade the URI checks
>
> the domain coolestrxever.com is listed in multi.surbl.org. But the
> spammers managed to evade the URI checks by appending special
> characters at the end of the url which are happily allowed by the browsers.
>
> The spam that I received had
>
> http://www.coolestrxever.com: (a colon at the end of the url)
The latest plugin for SA 2.64 fixes the : part as far as I know, and possibly
fixes the other characters too. The : was first seen about 2 months ago I
think.
A fullstop is a legitimate character at the end of the hostname fragment of the
URL - that was discussed here within the past day I think.
RE: Way to evade URI checks
Posted by martin smith <ma...@ntlworld.com>.
M>-----Original Message-----
M>From: Rakesh [mailto:rakesh@netcore.co.in]
M>Sent: 07 May 2005 07:41
M>To: zones@lists.surbl.org; users@spamassassin.apache.org
M>Subject: Way to evade URI checks
M>
M>Seems Spammers have found a way to evade the URI checks
M>
M>the domain coolestrxever.com is listed in multi.surbl.org.
M>But the spammers managed to evade the URI checks by
M>appending special characters at the end of the url which are
M>happily allowed by the browsers.
M>
M>The spam that I received had
M>
M>http://www.coolestrxever.com: (a colon at the end of the url)
M>
M>After a bit of R&D I found the other options for spammers to
M>carry this technique
M>
M>http://www.coolestrxever.com; (a semicolon)
M>http://www.coolestrxever.com, (a comma)
M>http://www.coolestrxever.com. (a fullstop)
M>http://www.coolestrxever.com? (a question mark)
M>
M>With all these special characters at the end of the url, the URI
M>checks try to make the lookup as
M>
M>debug: querying for coolestrxever.com:.sc.surbl.org
M>
M>End result, passed the promising URI checks.
M>
M>I am seeing the first of its kind of spam. If any version of
M>Spamassassin fixes this in its URI retrieval program please
M>let me know
M>
M>--
There is a fix for these in the bugzilla; it came in correctly caught by SURBL
here, using 3.0.2.
There are two fixes I have applied, and they seem to catch the URL split over
lines too. Not sure if these are included in 3.0.3; I suspect this one is.
Martin