Posted to users@spamassassin.apache.org by MySQL Student <my...@gmail.com> on 2009/09/11 00:28:13 UTC
URL rule creation question
Hi all,
I've seen this pattern in spam quite a bit lately:
href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
.61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
Would it be reasonable to create a rule that looks for this two-char
then dot pattern, or is it reasonable that it might appear in a
legitimate email too frequently? If possible, how would you create a
rule to capture this?
Thanks,
Alex
Re: URL rule creation question
Posted by Matt Kettler <mk...@verizon.net>.
McDonald, Dan wrote:
>
> From: Matt Kettler [mailto:mkettler_sa@verizon.net]
>
> >This rule should detect 10 consecutive occurrences.
> >uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10}
>
> >Warning: I wrote this quickly without too much thought. It may have
> >bugs, but I'm short on time at the moment.
>
> Your variant would require two periods in a row between each pair.
>
So it would... Hence the warning :)
RE: URL rule creation question
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
From: Matt Kettler [mailto:mkettler_sa@verizon.net]
>This rule should detect 10 consecutive occurrences.
>uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10}
>Warning: I wrote this quickly without too much thought. It may have
>bugs, but I'm short on time at the moment.
Your variant would require two periods in a row between each pair.
Re: URL rule creation question
Posted by Matt Kettler <mk...@verizon.net>.
MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
>
<snip - URI that verizon won't let me send>
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?
>
This rule should detect 10 consecutive occurrences.
uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10}
I do think that 4-in-a-row might be pretty common (i.e., IP addresses),
but 10 in a row seems unlikely.
Warning: I wrote this quickly without too much thought. It may have
bugs, but I'm short on time at the moment.
Re: URL rule creation question
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
> href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
> 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
>
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?
uri URI_HEX_DOTTED /(?:[[:xdigit:]]{2}\.){10}/
That would look for 10 two-digit hex numbers separated by periods in a
URL. Figure if you have at least 10 of them, it's probably a match...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
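An added example (not from the thread and not SpamAssassin code) that runs Dan's URI_HEX_DOTTED rule and Matt's first draft against the URI Alex posted, and against two constructed ham-like URIs. Assumptions: the sample URI is the one quoted above, joined back into a single string after the mail wrapping; Perl's `[[:xdigit:]]` has no equivalent in Python's `re`, so it is spelled out as `[0-9a-fA-F]`, which is the same set; the two control URIs are made up for the test.

```python
import re

# Constructed from the URI quoted in the thread; the mail wrapped it across
# three lines, it is joined back into one string here.
SAMPLE_URI = (
    "http://doubleheaderover.com/jazert/html/"
    "?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69"
    ".61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66."
    "62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
)

# Dan's rule. Perl's [[:xdigit:]] is written out as [0-9a-fA-F] for Python's re;
# the two describe the same character set.
URI_HEX_DOTTED = re.compile(r"(?:[0-9a-fA-F]{2}\.){10}")

# Matt's first draft exactly as posted. The group begins and ends with \., so a
# match needs two dots between neighbouring pairs ("..6d..3d.."), which is why it
# never fires on the sample (the point Dan raised in the thread).
L_URI_FUNNYDOTS_AS_POSTED = re.compile(r"(?:\.[a-z,0-9]{2}\.){10}")

# A maximal run of dot-separated two-hex-digit tokens, at least 10 long.
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}\.){10,}[0-9a-fA-F]{2}")


def matches_hex_dotted(uri):
    """What SpamAssassin evaluates for `uri URI_HEX_DOTTED /(?:[[:xdigit:]]{2}\.){10}/`."""
    return URI_HEX_DOTTED.search(uri) is not None


def matches_funnydots_as_posted(uri):
    """Matt's draft, unmodified, for comparison."""
    return L_URI_FUNNYDOTS_AS_POSTED.search(uri) is not None


def hex_run_tokens(uri):
    """The two-hex-digit tokens of the longest qualifying run, or [] if none.
    Handy for choosing the threshold: 4 tokens is an IPv4 address, 10+ is odd."""
    best = []
    for m in HEX_RUN.finditer(uri):
        tokens = m.group(0).split(".")
        if len(tokens) > len(best):
            best = tokens
    return best


def decode_hex_run(uri):
    """Decode the run as raw bytes to see what the path actually carries."""
    tokens = hex_run_tokens(uri)
    return bytes(int(t, 16) for t in tokens).decode("latin-1")


if __name__ == "__main__":
    print("URI_HEX_DOTTED fires:", matches_hex_dotted(SAMPLE_URI))
    print("as-posted L_URI_FUNNYDOTS fires:", matches_funnydots_as_posted(SAMPLE_URI))
    print("run length:", len(hex_run_tokens(SAMPLE_URI)))
    print("decoded:", decode_hex_run(SAMPLE_URI))
    # Constructed ham-like controls: a dotted quad, and ten two-digit decimal numbers.
    for u in ("http://192.168.1.1/index.html",
              "http://example.com/release/10.11.12.13.14.15.16.17.18.19.20/"):
        print(u, "->", matches_hex_dotted(u))
```

Two things fall out of running it. The sample carries 66 dot-separated hex pairs, and decoding them gives printable ASCII that ends in ".jazert.html", so the query string is just hex-encoded text rather than random tokens. The second control URI shows the caveat Matt hinted at: decimal digits are hex digits too, so any ten two-digit numbers separated by dots (a long version or build string) also fires the rule. Treat it as a scored heuristic and run it over a ham corpus before giving it much weight.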
Re: URL rule creation question
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-09-11 at 12:43 -0700, John Hardin wrote:
> \s is the proper way to represent whitespace.
True. However, in all rule types that use rendered text, there is only a
space -- no tabs. Well, there are newlines, but that doesn't matter
unless you use special modifiers. ;)
Actually, this reminds me -- if Alex is writing his rule as a body rule,
the text parts are rendered and normalized. This effectively means any
number of consecutive whitespace (within a paragraph) will be condensed
to a single space.
Thus /a b/ and /a {1,5}b/ become identical.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: URL rule creation question
Posted by MySQL Student <my...@gmail.com>.
>>> \s is the proper way to represent whitespace.
>>
>> lol, yes, I know that; I was actually trying to match 's' and the
>> slash is the start of the pattern match.
>
> I wasn't referring to the beginning of the RE.
Yeah, I realized that just after I sent this, if anyone cares :-)
Thanks again,
Alex
Re: URL rule creation question
Posted by John Hardin <jh...@impsec.org>.
On Fri, 11 Sep 2009, MySQL Student wrote:
> I'd like to create a rule that matches a specific letter and up to 5
> spaces after it, repeated ten times. I'm thinking something like this:
>
> /s\ {5}o\ {5}n\ {5}i\ {5}c\ {5}\ m\ {5}e\ {5}d\ {5}i\ {5}a/i
\s is the proper way to represent whitespace.
{5} is exactly 5. 1-5 would be {1,5}, and 0-5 would be {,5}
> I'm still learning regexes, so hopefully this isn't too far off. The
> opportunities for rules are coming faster than my ability to learn.
http://www.regular-expressions.info/tutorial.html
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If guns kill people, then...
-- pencils miss spel words.
-- cars make people drive drunk.
-- spoons make people fat.
-----------------------------------------------------------------------
Today: the 8th anniversary of 9/11
Re: URL rule creation question
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-09-11 at 15:09 -0400, Alex wrote:
> I'd like to create a rule that matches a specific letter and up to 5
> spaces after it, repeated ten times. I'm thinking something like this:
>
> /s\ {5}o\ {5}n\ {5}i\ {5}c\ {5}\ m\ {5}e\ {5}d\ {5}i\ {5}a/i
A space does not have any special meaning in REs. Don't escape it.
The quantifier {5} means *exactly* 5 occurrences. What you are after is
the {n,m} quantifier with a lower bound n and (optional) upper bound m. Thus,
to match at least one, and up to 5 occurrences: {1,5}
> I'm still learning regexes, so hopefully this isn't too far off. The
> opportunities for rules are coming faster than my ability to learn.
http://perldoc.perl.org/perlre.html
The reference. In particular, also do have a look at the perlrequick
Introduction and perlretut Tutorial referenced early in the Description
section.
Re: URL rule creation question
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2009-09-11 at 15:09 -0400, MySQL Student wrote:
> Hi,
>
> > The 'doubleheadedrover' domain currently shows up in Razor(E8),
> > uribl_black, surbl_jp, and invaluement.
> >
> > But it wasn't in all of those when he first started posting about it.
>
> Yes, that's correct. Thanks for your help. That's already caught a
> few. I have another that I thought you could help with.
>
> I'd like to create a rule that matches a specific letter and up to 5
> spaces after it, repeated ten times.
Unless you are using rawbody rules, multiple spaces are collapsed to
single spaces in the regularized body that rules are run against...
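An added example (not from the thread and not SpamAssassin code) that puts the three replies to Alex's second question side by side: the `{5}` versus `{1,5}` quantifier point from John and Karsten, and the body-versus-rawbody whitespace point from Karsten and Dan. Assumptions: `render_body` is a stand-in for only the whitespace part of SpamAssassin's body rendering that the thread describes (runs of whitespace collapse to one space); the real renderer does more than that, which is not modelled. The sample texts are constructed.

```python
import re

# Constructed sample: the letters Alex wanted to catch, padded with a varying
# number of spaces (1 to 5) the way a spammer breaks up a word.
RAW_TEXT = "buy   s o n  i    c   m e d   i a now"

# Constructed sample with exactly the spacing Alex's posted pattern demands:
# five spaces after each letter, six between "c" and "m" (his "c\ {5}\ m").
EXACT_FIVE = ("s" + " " * 5 + "o" + " " * 5 + "n" + " " * 5 + "i" + " " * 5 +
              "c" + " " * 6 + "m" + " " * 5 + "e" + " " * 5 + "d" + " " * 5 +
              "i" + " " * 5 + "a")


def render_body(raw):
    """Stand-in for the whitespace normalization body rules see: any run of
    whitespace within a paragraph becomes a single space. HTML stripping and
    the rest of SpamAssassin's rendering are deliberately not modelled."""
    return re.sub(r"\s+", " ", raw).strip()


# Alex's pattern as posted. "\ " is just a literal space and {5} means exactly
# five, so every gap has to be precisely five spaces (six before the "m").
AS_POSTED = re.compile(
    r"s\ {5}o\ {5}n\ {5}i\ {5}c\ {5}\ m\ {5}e\ {5}d\ {5}i\ {5}a", re.I)

# The same idea with the {n,m} quantifier from the replies: one to five spaces
# per gap. This is what a rawbody rule would need, since rawbody keeps spacing.
RAWBODY_RULE = re.compile(
    r"s {1,5}o {1,5}n {1,5}i {1,5}c {1,5}m {1,5}e {1,5}d {1,5}i {1,5}a", re.I)

# For a body rule the bound is redundant: only single spaces survive rendering,
# so /s o n i c m e d i a/ and /s {1,5}o .../ match exactly the same text.
BODY_RULE = re.compile(r"s o n i c m e d i a", re.I)


def as_posted_hits(text):
    return AS_POSTED.search(text) is not None


def rawbody_hits(text):
    return RAWBODY_RULE.search(text) is not None


def body_hits(text):
    return BODY_RULE.search(text) is not None


if __name__ == "__main__":
    rendered = render_body(RAW_TEXT)
    print("rendered:", repr(rendered))
    print("as posted, raw text:     ", as_posted_hits(RAW_TEXT))
    print("as posted, exact spacing:", as_posted_hits(EXACT_FIVE))
    print("as posted, after render: ", as_posted_hits(render_body(EXACT_FIVE)))
    print("{1,5} rule, raw text:    ", rawbody_hits(RAW_TEXT))
    print("{1,5} rule, rendered:    ", rawbody_hits(rendered))
    print("single-space rule, raw:  ", body_hits(RAW_TEXT))
    print("single-space rule, rendered:", body_hits(rendered))
```

The pattern as posted only ever matches its one exact spacing, and never on rendered text, since rendering leaves a single space where it demands five. With `{1,5}` the rawbody variant catches the varied spacing, and against rendered text it behaves identically to the plain single-space pattern, which is Karsten's point that `/a b/` and `/a {1,5}b/` are the same rule once whitespace has been normalized.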
Re: URL rule creation question
Posted by MySQL Student <my...@gmail.com>.
Hi,
> The 'doubleheadedrover' domain currently shows up in Razor(E8),
> uribl_black, surbl_jp, and invaluement.
>
> But it wasn't in all of those when he first started posting about it.
Yes, that's correct. Thanks for your help. That's already caught a
few. I have another that I thought you could help with.
I'd like to create a rule that matches a specific letter and up to 5
spaces after it, repeated ten times. I'm thinking something like this:
/s\ {5}o\ {5}n\ {5}i\ {5}c\ {5}\ m\ {5}e\ {5}d\ {5}i\ {5}a/i
I'm still learning regexes, so hopefully this isn't too far off. The
opportunities for rules are coming faster than my ability to learn.
Thanks,
Alex
Re: URL rule creation question
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2009-09-11 at 14:37 +0200, Matus UHLAR - fantomas wrote:
> On 10.09.09 18:28, MySQL Student wrote:
> > I've seen this pattern in spam quite a bit lately:
> >
> > href="http://EXAMPLE.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> > .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
> > 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
>
> What kind of URL/service is this? Isn't it worth blocking this at all?
The 'doubleheadedrover' domain currently shows up in Razor(E8),
uribl_black, surbl_jp, and invaluement.
But it wasn't in all of those when he first started posting about it.
So he is looking for a way of identifying bad urls by examining the path
portion rather than the domain....
Re: URL rule creation question
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 10.09.09 18:28, MySQL Student wrote:
> I've seen this pattern in spam quite a bit lately:
>
> href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
> 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
What kind of URL/service is this? Isn't it worth blocking this at all?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them