Posted to users@spamassassin.apache.org by Rejaine Monteiro <re...@bhz.jamef.com.br> on 2009/01/21 11:58:21 UTC

Make a rule to block fake url to pdf files...

How can I make a rule to block fake links to pdf files, like this?

<cut>
 
<a target="_blank" 
href="http://knut.kumoh.ac.kr/~dojamo/zero/log/attachs.php?id=HU#9123IF">PRICES.pdf</a> 

<a adepth="0" aidx="0" 
href="http://knut.kumoh.ac.kr/~dojamo/zero/log/anexos.php?id=GF#590KI">(106,5KB)</a></p>

<cut>

The email tries to deceive users, bypassing for an attached file.


Re: Make a rule to block fake url to pdf files...

Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
'dojamo' was just a simple example..
of course, many other different links, file names and urls are used

Benny Pedersen wrote:
> On Wed, January 21, 2009 11:58, Rejaine Monteiro wrote:
>   
>> How can I make a rule to block fake links to pdf files, like this?
>> <cut>
>> <a adepth="0" aidx="0"
>> href="http://knut.kumoh.ac.kr/~dojamo/zero/log/anexos.php?id=GF#590KI">(106,5KB)</a></p>
>> <cut>
>> The email tries to deceive users, bypassing for an attached file.
>>     
>
> rawbody FAKEUSER /~dojamo/i
> describe FAKEUSER logs newer lie
> score FAKEUSER 0.1
>
>   

Re: Make a rule to block fake url to pdf files...

Posted by Benny Pedersen <me...@junc.org>.
On Wed, January 21, 2009 11:58, Rejaine Monteiro wrote:
> How can I make a rule to block fake links to pdf files, like this?
> <cut>
> <a adepth="0" aidx="0"
> href="http://knut.kumoh.ac.kr/~dojamo/zero/log/anexos.php?id=GF#590KI">(106,5KB)</a></p>
> <cut>
> The email tries to deceive users, bypassing for an attached file.

rawbody FAKEUSER /~dojamo/i
describe FAKEUSER logs newer lie
score FAKEUSER 0.1

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Make a rule to block fake url to pdf files...

Posted by mouss <mo...@ml.netoyen.net>.
Rejaine Monteiro wrote:
> 
> Here are two samples attached..
> (some information is changed)


please don't forward spam to the list (they poison learning filters,
they may be blocked/discarded, ... etc).

instead, put unaltered full samples on a web page, for example on
pastebin.com. to get a full sample, use the "view source" option in your
thunderbird.

Re: Make a rule to block fake url to pdf files...

Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
Here are two samples attached..
(some information is changed)

John Wilcock wrote:
>
> Perhaps if you posted a few *complete* samples with *full headers*, 
> others could see which rules are hit and suggest improvements...
>
> John.
>

Re: Make a rule to block fake url to pdf files...

Posted by Kai Schaetzl <ma...@conactive.com>.
John Wilcock wrote on Wed, 21 Jan 2009 17:52:46 +0100:

> Perhaps if you posted a few *complete* samples with *full headers*, 
> others could see which rules are hit and suggest improvements...

but please post to a pastebin or so!

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Make a rule to block fake url to pdf files...

Posted by John Wilcock <jo...@tradoc.fr>.
On 21/01/2009 17:41, Rejaine Monteiro wrote:
> But I receive a *lot* of spam like this... (another case below) and
> I don't know how to stop this ...

Perhaps if you posted a few *complete* samples with *full headers*, 
others could see which rules are hit and suggest improvements...

John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

Re: Make a rule to block fake url to pdf files...

Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
I have experience with spamassassin and I write many other rules by 
myself..
(my English can be poor, but I'm not stupid...)

Thank you for help....

Kai Schaetzl wrote:
> You don't, I think. You asked "how can I make a rule ...". I gave you some 
> hints which matches you could use for good rules. 
> However, I think now what you wanted to ask is "I want some ready-made 
> rules that hit on this spam". Is that correct?
>
> Kai
>
>   

Re: Make a rule to block fake url to pdf files...

Posted by Kai Schaetzl <ma...@conactive.com>.
Rejaine Monteiro wrote on Wed, 21 Jan 2009 14:41:08 -0200:

> Yes, I understand what you're saying

You don't, I think. You asked "how can I make a rule ...". I gave you some 
hints which matches you could use for good rules. 
However, I think now what you wanted to ask is "I want some ready-made 
rules that hit on this spam". Is that correct?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Make a rule to block fake url to pdf files...

Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
Yes, I understand what you're saying and also understand the 
implications of FPs

But I receive a *lot* of spam like this... (another case below) and 
I don't know how to stop this ...
 
(sorry, my English is very poor)

<snip>

<DIV><FONT face=3DArial></FONT></DIV><SPAN><A href=3D"http://7g5emg.blu.liv=
efilestore.com/y1pcQCMDJb4PY_kjFJywVsV-OkV-UUYFWGpuXf2GvwbZluUwC2T9DSV38GU1=
AywjI2YcphhAE0eVHnbryJZTrMfcQ/curriculos26.zip?download" target=3D_blank><F=
ONT 
face=3DArial>Curriculum...doc</FONT></A><FONTFACE=3DARIAL>&nbsp=3B<SPAN>=
<FONTCOLOR=3D#C0C0C0>(57=2C8kb)</FONT></SPAN></FONT></SPAN></DIV>
<DIV><FONT face=3DArial>

<snip>

Kai Schaetzl wrote:
> Rejaine Monteiro wrote on Wed, 21 Jan 2009 08:58:21 -0200:
>
>   
>> <a target="_blank" 
>> href="http://knut.kumoh.ac.kr/~dojamo/zero/log/attachs.php?id=HU#9123IF">PRICES.pdf</a> 
>>     
>
> use a regexp that matches "NOT .pdf" at the end of the hyperlink and ".pdf" in the
> link text.
>
>
>   
>> <a adepth="0" aidx="0" 
>> href="http://knut.kumoh.ac.kr/~dojamo/zero/log/anexos.php?id=GF#590KI">(106,5KB)</a></p>
>>     
>
> Match against ( or , in link text.
>
> Also, you can take advantage of "specialties" in these mails like
>
> target="_blank"
> adepth
> aidx
> ~ (user homedir symbol)
>
> I think you would want to score these with 1 or so and not outright "block" (e.g.
> score with 5) as they may produce FPs.
>
> Kai
>
>   

Re: Make a rule to block fake url to pdf files...

Posted by Kai Schaetzl <ma...@conactive.com>.
Rejaine Monteiro wrote on Wed, 21 Jan 2009 08:58:21 -0200:

> <a target="_blank" 
> href="http://knut.kumoh.ac.kr/~dojamo/zero/log/attachs.php?id=HU#9123IF">PRICES.pdf</a> 

use a regexp that matches "NOT .pdf" at the end of the hyperlink and ".pdf" in the
link text.


> <a adepth="0" aidx="0" 
> href="http://knut.kumoh.ac.kr/~dojamo/zero/log/anexos.php?id=GF#590KI">(106,5KB)</a></p>

Match against ( or , in link text.

Also, you can take advantage of "specialties" in these mails like

target="_blank"
adepth
aidx
~ (user homedir symbol)

I think you would want to score these with 1 or so and not outright "block" (e.g.
score with 5) as they may produce FPs.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
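As an added example (not code from this thread), the checks Kai lists above, the ".pdf in link text but not in href" mismatch, a bare size as link text, the adepth/aidx attributes and the ~user path, written as regexes and run against the anchors quoted in this thread; the rule names, the scores and the example.invalid control anchor are my own assumptions, and to_spamassassin_cf() renders the same patterns as rawbody rules for a local .cf file:

```python
import re

# Constructed samples: the two anchors quoted in this thread, plus one
# hypothetical legitimate anchor (example.invalid) that must NOT be flagged.
SAMPLES = {
    "fake_pdf": '<a target="_blank" href="http://knut.kumoh.ac.kr/~dojamo/zero/'
                'log/attachs.php?id=HU#9123IF">PRICES.pdf</a>',
    "fake_size": '<a adepth="0" aidx="0" href="http://knut.kumoh.ac.kr/~dojamo/zero/'
                 'log/anexos.php?id=GF#590KI">(106,5KB)</a></p>',
    "legit_pdf": '<a href="http://example.invalid/reports/q4.pdf">q4.pdf</a>',
}

# (rule name, Perl-compatible regex, score, description). Names are hypothetical.
# Scores stay around 1 so that no single rule blocks a message on its own.
RULES = [
    # Link text ends in .pdf but the href does not (negative lookbehind at the
    # closing quote). An href like ".../x.pdf?dl=1" also matches: a known FP source.
    ("FAKE_PDF_LINKTEXT",
     r'<a\b[^>]*\bhref="[^"]*(?<!\.pdf)"[^>]*>[^<]*\.pdf\s*</a>', 1.0,
     "Link text claims .pdf but the URL does not end in .pdf"),
    # Link text that is only a bracketed size such as "(106,5KB)".
    ("SIZE_AS_LINKTEXT",
     r'<a\b[^>]*>\s*\(\d+[,.]?\d*\s*[km]?b\)\s*</a>', 1.0,
     "Anchor text is just a file size in parentheses"),
    # The odd adepth/aidx attributes seen in these mails.
    ("ADEPTH_AIDX_ATTRS",
     r'<a\b[^>]*\badepth="\d+"[^>]*\baidx="\d+"', 1.0,
     "Anchor carries adepth= and aidx= attributes"),
    # User home-directory URL (~user) serving the "attachment".
    ("TILDE_USER_URL",
     r'href="https?://[^"/]+/~[^"]+"', 0.5,
     "Attachment link points into a user home directory"),
]

def score_html(html):
    """Return (total score, [names of rules hit]) for one HTML fragment."""
    hits = [name for name, rx, _, _ in RULES if re.search(rx, html, re.I)]
    return sum(s for name, _, s, _ in RULES if name in hits), hits

def to_spamassassin_cf():
    """Render RULES as rawbody/describe/score lines. rawbody rules see the body
    with its HTML tags intact, so the anchors above are visible to them."""
    out = []
    for name, rx, score, desc in RULES:
        pat = rx.replace("/", r"\/")  # escape the rule delimiter for /.../i
        out.append(f"rawbody  {name}  /{pat}/i")
        out.append(f"describe {name}  {desc}")
        out.append(f"score    {name}  {score}")
    return "\n".join(out)
```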

Re: Make a rule to block fake url to pdf files...

Posted by John Wilcock <jo...@tradoc.fr>.
On 21/01/2009 14:23, Rejaine Monteiro wrote:
> the text suggests a link to a pdf file, but in truth it is not.

In this specific case perhaps, but there's absolutely nothing to stop a 
legitimate php script (or any other URL for that matter) generating a 
legitimate PDF file. The only way to tell for sure is to visit the URL.

Notwithstanding, a spamassassin rule to detect the pattern *might* still 
be a worthwhile spam sign. Just don't score it too high, as it could 
also hit legitimate mail.

John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

Re: Make a rule to block fake url to pdf files...

Posted by Kai Schaetzl <ma...@conactive.com>.
Rejaine Monteiro wrote on Wed, 21 Jan 2009 11:23:33 -0200:

> the text suggests a link to a pdf file, but in truth it is not.

But you know this only afterwards. This may be true for all your cases and 
worthwhile to block, but it may produce FPs in general. I think that's 
what Kenneth wanted to express.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Make a rule to block fake url to pdf files...

Posted by Rejaine Monteiro <re...@bhz.jamef.com.br>.
the text suggests a link to a pdf file, but in truth it is not.

Kenneth Porter wrote:
>
> How do you *know* that the email is trying to deceive the user? 
> Legitimate email might have the same pattern of one name in the link 
> and another in the visible text. There's nothing in the text you 
> posted to suggest that there is malicious intent.
>
>

Re: Make a rule to block fake url to pdf files...

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Wednesday, January 21, 2009 8:58 AM -0200 Rejaine Monteiro 
<re...@bhz.jamef.com.br> wrote:

> The email tries to deceive users

How do you *know* that the email is trying to deceive the user? Legitimate 
email might have the same pattern of one name in the link and another in 
the visible text. There's nothing in the text you posted to suggest that 
there is malicious intent.