Posted to users@spamassassin.apache.org by mouss <us...@free.fr> on 2005/06/13 17:15:27 UTC

yet another uribl evasion example

I just got the spam below (headers removed except few).

this hasn't been caught at reception time. It now triggers 
RCVD_IN_BL_SPAMCOP_NET.

however, it doesn't trigger surbl checks, since the '&' is considered 
as the end of the url.
	debug: URIDNSBL: domains to query: ins.com nusv.com
and I was surprised that the following works:
# host "nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb.com"
nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com has address 
221.11.133.42

would it be reasonable to add a rule to check for anomalies in URLs? 
what's the best (TM) way?

another note is that the host (221.3.157.245) issues a helo of 
mx.adelphia.net, but 221.3.157.245 is in China while mx.adelphia.net is 
in US. shouldn't this trigger a forged helo? one can also see that the 
from addr is in .il (let's ignore the msg id). that makes 3 distant 
parts of the world:)
--------------- spam follows -----------------
...
Received: from unknown (HELO mx.adelphia.net) (221.3.157.245)
	...
message-id: <01...@qhusls>
From: "Keeley Tate" <hw...@netvision.net.il>
To: <sa...@free.fr>
Subject: It isn't too good to be true. angelfish


When it comes to applications like MS Office, or Windows etc. they ask a 
pretty penny. We figured,
scrap the manual, scrap the box, you really only need the CD so thats 
what we did.

You can have the CD's sent to you, or download instead, your choice.


For downloading - Browse up 
http://nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com/
For shipped CD's - Browse up 
http://ins.com&dwpw3ibhdwafswlbxe.henogenyhb-MUNGED.com/


You'll be shocked at our pricing.

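To make the extraction problem in this post concrete, here is an added example (not part of the original message or of SpamAssassin's code) in Python. It uses the munged URLs from the message as constructed sample input, contrasts a host match that stops at '&' with one that takes the whole authority as a browser would, and adds the kind of hostname-anomaly check asked about above; the RFC 1123 label regex and the two-label "registrable domain" shortcut are simplifying assumptions.

```python
import re

# Constructed sample input, modelled on the munged URLs quoted in the post
# above, plus one ordinary URL with a query string for contrast.
SAMPLE_URIS = [
    "http://nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com/",
    "http://ins.com&dwpw3ibhdwafswlbxe.henogenyhb-MUNGED.com/",
    "http://www.example.com/path?a=1&b=2",
]

# Characters a resolver is supposed to accept in a hostname (RFC 1123).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")

def host_naive(uri):
    """The evaded behaviour: the host ends at the first character outside
    [A-Za-z0-9.-], so '&' cuts it off right after 'nusv.com'."""
    m = re.match(r"https?://([A-Za-z0-9.-]+)", uri)
    return m.group(1).lower() if m else None

def host_authority(uri):
    """Take the whole authority (up to the first '/', '?' or '#'), then drop
    userinfo and port: this is the string a browser actually hands to DNS."""
    m = re.match(r"https?://([^/?#]+)", uri)
    if not m:
        return None
    host = m.group(1).rsplit("@", 1)[-1]   # strip user:pass@ if present
    host = host.split(":", 1)[0]           # strip :port
    return host.lower()

def uribl_domain(host):
    """Registrable domain to look up in a URIBL, simplified to the last two
    labels (a real implementation consults a public-suffix list)."""
    labels = [l for l in host.split(".") if l]
    return ".".join(labels[-2:])

def domains_to_query(uris, extract=host_authority):
    """Mirror the 'URIDNSBL: domains to query' debug line for a message."""
    found = {uribl_domain(h) for h in map(extract, uris) if h}
    return sorted(found)

def has_hostname_anomaly(host):
    """Flag hosts that DNS may still resolve but that contain characters
    outside the RFC 1123 alphabet, the kind of rule the post asks about."""
    return HOSTNAME_RE.match(host) is None
```

With the naive extractor the sample yields exactly the "ins.com nusv.com" seen in the debug line, while the authority-based one yields the real (munged) redirector domain.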

Re: yet another uribl evasion example

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello mouss,

Monday, June 13, 2005, 8:15:27 AM, you wrote:

m> I just got the spam below (headers removed except few).

m> would it be reasonable to add a rule to check for anomalies in URLs?
m> what's the best (TM) way?

1) As has been suggested, upgrade.

2) Grab the SARE header rules file, which has rules for various types
of header obfuscation.

Note that those with 3.0.4 and the new header file get some
double-hits. We'll be running a new overlap analysis soon to get rid
of the duplicates.

Bob Menschel
Re: yet another uribl evasion example

Posted by Loren Wilton <lw...@earthlink.net>.
> would it be reasonable to add a rule to check for anomalies in URLs? 
> what's the best (TM) way?

SARE, at least at the moment.

        Loren


Re: yet another uribl evasion example

Posted by mouss <us...@free.fr>.
Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> 
>>however, it doesn't trigger surbl checks, since the '&' is considered 
>>as the end of the url.
> 
> 
> What version are you running?  This was fixed in 3.0.4.
> 

thanks for the reply. I am running 3.0.3. time to upgrade... (not in a 
hurry though, very few spams get through...)

now, I am still thinking about the forged helo part. Is this fixed? and 
if not, is there a way to "fix" it (without getting FPs)?

Re: yet another uribl evasion example

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Michele Neylon:: Blacknight" <mi...@blacknight.ie>

> Niek wrote:
> > Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
> > you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
> > Upgrading is not needed for sa 3.0.4 afaik.
> >
> > Niek Baakman
> >
> 0.51 gives me the same problems :)

I just started following this thread, so I'm not quite sure what the issue is
with SA 3.0.4 and Net::DNS 0.51.  I have been running both these since
Saturday, and all appears to be working fine here.

Bill


Re: yet another uribl evasion example

Posted by "Michele Neylon:: Blacknight" <mi...@blacknight.ie>.
Niek wrote:
> Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
> you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
> Upgrading is not needed for sa 3.0.4 afaik.
> 
> Niek Baakman
> 
0.51 gives me the same problems :)


Re: yet another uribl evasion example

Posted by Niek <ni...@asbak.coding-slaves.com>.
On 6/13/2005 9:42 PM +0200, wolfgang wrote:
> - 3.0.4 appears to bring new challenges (Net::DNS version and such)

Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
Upgrading is not needed for sa 3.0.4 afaik.

Niek Baakman



Re: yet another uribl evasion example

Posted by Nix <ni...@esperi.org.uk>.
On Mon, 13 Jun 2005, Theo Van Dinter uttered the following:
> On Mon, Jun 13, 2005 at 09:42:35PM +0200, wolfgang wrote:
>> - 3.0.4 appears to bring new challenges (Net::DNS version and such)
> 
> 3.0.4 should be a drop-in replacement for earlier versions.  People seem
> to be having issues if they also upgrade Net::DNS, but there's no
> requirement to do so.

This doesn't seem to be invariably true: I've upgraded Net::DNS to 1.51
on this box (Perl 5.8.5, Linux 2.6.11) and had no problems whatsoever.

Passing strange...

-- 
`It's as bizarre an intrusion as, I don't know, the hobbits coming home
 to find that the Shire has been taken over by gangsta rappers.'

Re: yet another uribl evasion example

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Jun 13, 2005 at 09:42:35PM +0200, wolfgang wrote:
> - 3.0.4 appears to bring new challenges (Net::DNS version and such)

3.0.4 should be a drop-in replacement for earlier versions.  People seem
to be having issues if they also upgrade Net::DNS, but there's no
requirement to do so.

3.0.4 fixes many bugs, some pretty important, so it's highly recommended to
update.

-- 
Randomly Generated Tagline:
I'm practicing assertiveness.  Do you think that's okay?

Re: yet another uribl evasion example

Posted by wolfgang <me...@gmx.net>.
In an older episode (Monday 13 June 2005 21:20), Raymond Dijkxhoorn wrote:

> Any reason not wanting to upgrade to 3.0.4 ?

yes.
- our spamchecker machines' distributor is slow with upgrades while i can 
patch existing 3.0.2 code on them.

- 3.0.4 appears to bring new challenges (Net::DNS version and such)
Re: yet another uribl evasion example

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
>>> however, it doesn't trigger surbl checks, since the '&' is considered
>>> as the end of the url.

>> What version are you running?  This was fixed in 3.0.4.
>
> can the fix be applied to 3.0.3?

Any reason not wanting to upgrade to 3.0.4 ?

Bye,
Raymond.

Re: yet another uribl evasion example

Posted by wolfgang <me...@gmx.net>.
In an older episode (Monday 13 June 2005 18:10), Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> > however, it doesn't trigger surbl checks, since the '&' is considered 
> > as the end of the url.
> 
> What version are you running?  This was fixed in 3.0.4.

can the fix be applied to 3.0.3?

cheers,

wolfgang


Re: yet another uribl evasion example

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> however, it doesn't trigger surbl checks, since the '&' is considered 
> as the end of the url.

What version are you running?  This was fixed in 3.0.4.

-- 
Randomly Generated Tagline:
Farfignewton.. the cookie of the stars..