Posted to users@spamassassin.apache.org by Matt Thoene <ma...@remedyx.com> on 2005/04/12 20:30:20 UTC

Arithmetic score for replaced O's and I's?

Does anyone have a good custom arithmetic score for spam that has a
whole bunch of o's and l's replaced with zeros and "|"? Example of
part of an l replacement spam body below...

Yap International, Inc.(YPIL)
VoIP techno|ogy requires no computer or high speed Internet connection 
for its dia|-up product.
Current Price: $ 0.15
Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been 
Rea|ly Moving Lately.

-- 
Regards,
 Matt


Re[2]: Arithmetic score for replaced O's and I's?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Keith,

Tuesday, April 12, 2005, 6:10:38 PM, you wrote:

KI> Robert Menschel wrote:

>> The question is how intelligent do you want to make the rule(s).  If
>> you want something like 
>> 
>> body  L_PIPE  m'\w\w\|\w\w'
>> body  L_ZERO  m'\w\w0\w\w'
>> body  L_VEEE  m'\\/\w'
>> body  L_AAAA  m'\w/\\\w'
>> body  L_LONE  m'\w\w1\w\w'
>> meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

KI> Remember that \w matches letters, numbers, and underscores, so 
KI> you'll probably want to use something like [a-z] or [A-Za-z] (or 
KI> [a-z] with a /i modifier at the end of the regex) instead. 
KI> Otherwise you'll wind up triggering on perfectly ordinary numbers. 
KI>   Even with [a-z], I'd expect a fair number of false positives.

Definitely.  I considered that with L_PIPE, and figured that was OK.
Then since I wasn't doing real rules anyway, but just an example, I
got lazy and used the \w for the other rules as well, even though
\w\w0\w\w would match 10000.

Bob Menschel
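To show how the body-plus-meta counting above behaves, and why Keith's point about \w matters, here is an added Python check (not code from the thread or from SpamAssassin) that runs the thread's five patterns, both in the original \w form and in the [a-z] form Keith suggests, over constructed sample text; the sample lines and the function names are assumptions made for this example.

```python
import re

# The five body patterns from the thread, as Python raw strings. Rule
# names follow the thread; L_ZERO is the name the meta rule expects.
RULES_W = {
    "L_PIPE": r"\w\w\|\w\w",   # a pipe inside a word: "techno|ogy"
    "L_ZERO": r"\w\w0\w\w",    # a zero inside a word: "0bfusc@ti0ns"
    "L_VEEE": r"\\/\w",        # "\/" standing in for a V
    "L_AAAA": r"\w/\\\w",      # "/\" standing in for an A
    "L_LONE": r"\w\w1\w\w",    # a one inside a word
}

# Keith's variant: [a-z] instead of \w, so digits and underscores no
# longer count as letters around the substituted character.
RULES_ALPHA = {name: pat.replace(r"\w", "[a-z]") for name, pat in RULES_W.items()}


def hits(text, rules, flags=re.IGNORECASE):
    """Sorted names of the body rules whose pattern matches text.

    Each rule counts at most once, as a SpamAssassin body rule does
    without tflags multiple.
    """
    return sorted(name for name, pat in rules.items() if re.search(pat, text, flags))


def l_obfu2(text, rules):
    """The thread's meta rule: L_OBFU2 fires when more than one body rule hits."""
    return len(hits(text, rules)) > 1


# Constructed sample texts (not real mail): the thread's own example
# lines, Bob's obfuscation request, and a perfectly ordinary numeric line.
SPAM_SNIPPET = ("VoIP techno|ogy requires no computer or high speed Internet "
                "connection for its dia|-up product. Current Price: $ 0.15 "
                "Rea|ly Moving Lately.")
OBFUSCATED = r"Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and I'|| f1nd a 600D horme 4 them"
NUMERIC = "Invoice 10000 units at 21150 each, shipping Monday"

if __name__ == "__main__":
    for label, text in [("spam", SPAM_SNIPPET), ("obfu", OBFUSCATED), ("numeric", NUMERIC)]:
        for tag, rules in [("\\w", RULES_W), ("[a-z]", RULES_ALPHA)]:
            print(f"{label:8s} {tag:6s} hits={hits(text, rules)} L_OBFU2={l_obfu2(text, rules)}")
```

The numeric line trips L_OBFU2 with the \w patterns (10000 and 21150 each hit a rule) and nothing with [a-z], while the original stock spam only ever hits L_PIPE, so the "> 1" meta never fires on it either way.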




Re: Arithmetic score for replaced O's and I's?

Posted by Keith Ivey <kc...@cpcug.org>.
Robert Menschel wrote:

> The question is how intelligent do you want to make the rule(s).  If
> you want something like 
> 
> body  L_PIPE  m'\w\w\|\w\w'
> body  L_ZERO  m'\w\w0\w\w'
> body  L_VEEE  m'\\/\w'
> body  L_AAAA  m'\w/\\\w'
> body  L_LONE  m'\w\w1\w\w'
> meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

Remember that \w matches letters, numbers, and underscores, so 
you'll probably want to use something like [a-z] or [A-Za-z] (or 
[a-z] with a /i modifier at the end of the regex) instead. 
Otherwise you'll wind up triggering on perfectly ordinary numbers. 
  Even with [a-z], I'd expect a fair number of false positives.

-- 
Keith C. Ivey <kc...@cpcug.org>
Washington, DC

Re: Re[4]: Arithmetic score for replaced O's and I's?

Posted by wolfgang <me...@gmx.net>.
In an older episode (Friday 15 April 2005 03:57), Gene Heskett wrote:

> Stupid Q:  As I don't have a 'stock.cf' file in the config dir now, 
> how do I add this to the ammo box?  I have moved it into that config 
> dir, is that sufficient?

It is sufficient if you run the spamassassin executable.
With spamd you would have to restart spamd to load the new config file.




Re: Re[4]: Arithmetic score for replaced O's and I's?

Posted by Gene Heskett <ge...@verizon.net>.
On Thursday 14 April 2005 21:08, wolfgang wrote:
> I attach a set of rules I have been using and improving for a while
> that handle stock spam, especially the || stuff.

Stupid Q:  As I don't have a 'stock.cf' file in the config dir now, 
how do I add this to the ammo box?  I have moved it into that config 
dir, is that sufficient?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.34% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

Re: Re[4]: Arithmetic score for replaced O's and I's?

Posted by wolfgang <me...@gmx.net>.
I attach a set of rules I have been using and improving for a while that 
handle stock spam, especially the || stuff.


Re: Arithmetic score for replaced O's and I's?

Posted by Jim Maul <jm...@elih.org>.
Robert Menschel wrote:
> Hello mewolf1,
> 
> Tuesday, April 12, 2005, 6:37:15 PM, you wrote:
> 
> mgn> In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:
> 
>>>Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and
>>>I'|| f1nd a 600D horme 4 them...
>>>
>>>(Not the entire spam emails, please -- just the obfuscations.)
> 
> 
> mgn> Robert, I just sent you obfuscations privately off list, is that
> mgn> what you meant?
> 
> Perfect.  I built rules for them last night and mass-checked them this
> morning. I'll run a few passes to refine them, then have other SARE
> ninjas mass-check to get broader results, and then we'll fine tune
> for performance, and hopefully have something published before end of
> month.
> 
> Other contributions more than welcome.
> 
> Bob Menschel
> 
> 
> 

Something that tries to catch those weird table obfuscations would be 
great ;)  Something like I posted a while back in the "Extra Sare rules 
for meds" thread.  I don't know if this is possible or not but...

-Jim

Re[4]: Arithmetic score for replaced O's and I's?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello mewolf1,

Tuesday, April 12, 2005, 6:37:15 PM, you wrote:

mgn> In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:
>> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and
>> I'|| f1nd a 600D horme 4 them...
>> 
>> (Not the entire spam emails, please -- just the obfuscations.)

mgn> Robert, I just sent you obfuscations privately off list, is that
mgn> what you meant?

Perfect.  I built rules for them last night and mass-checked them this
morning. I'll run a few passes to refine them, then have other SARE
ninjas mass-check to get broader results, and then we'll fine tune
for performance, and hopefully have something published before end of
month.

Other contributions more than welcome.

Bob Menschel




Re: Re[2]: Arithmetic score for replaced O's and I's?

Posted by me...@gmx.net.
Sorry, for some reason Kmail shows the text in my 2 previous mails only when 
viewing the message source, some MIME problem apparently. So once more:

In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:

> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and I'|| f1nd
> a 600D horme 4 them...
> 
> (Not the entire spam emails, please -- just the obfuscations.)

Robert, I just sent you obfuscations privately off list, is that what you 
meant?

regards


Re[2]: Arithmetic score for replaced O's and I's?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Matt,

Tuesday, April 12, 2005, 12:08:01 PM, you wrote:

MT> On Tuesday, April 12, 2005 @ 11:42:37 AM [-0700], Chris Conn wrote:

>> Hello,

>> I believe I asked for this a few days ago and was told that I would need
>> to write a plugin to do this =)

MT> Hmmm...shouldn't have to. I know the basic layout of what it should
MT> look like, I just suck at regex. It should be similar to below...

MT> body CHECK_1      (SOME REGEX I DON'T KNOW1)
MT> body CHECK_2      (SOME REGEX I DON'T KNOW2)
MT> body CHECK_3      (SOME REGEX I DON'T KNOW3)
MT> meta LOCAL_MULTIPLE_TESTS (( CHECK_1 + CHECK_2 + CHECK_3) > 3)
MT> score LOCAL_MULTIPLE_TESTS 10

MT> Am I close?

Close.  But you can't get >3 in three rules.

The question is how intelligent do you want to make the rule(s).  If
you want something like 

# pipe standing in for a lowercase L, e.g. "techno|ogy"
body  L_PIPE  m'\w\w\|\w\w'
# zero standing in for an O (rule name must match the meta below)
body  L_ZERO  m'\w\w0\w\w'
# backslash-slash standing in for a V
body  L_VEEE  m'\\/\w'
# slash-backslash standing in for an A
body  L_AAAA  m'\w/\\\w'
# one standing in for an L or I
body  L_LONE  m'\w\w1\w\w'
# fire when more than one of the substitution rules hits
meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

That's easy.  But it might be dangerous.

I'm working on a SARE rule set to test safely for these types of
obfuscations.  Should be done and ready for distribution by end of
month.

Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and I'|| f1nd
a 600D horme 4 them...

(Not the entire spam emails, please -- just the obfuscations.)

Bob Menschel




Re: Arithmetic score for replaced O's and I's?

Posted by Loren Wilton <lw...@earthlink.net>.
> > I believe I asked for this a few days ago and was told that I would need
> > to write a plugin to do this =)
>
> Hmmm...shouldn't have to. I know the basic layout of what it should
> look like, I just suck at regex. It should be similar to below...
>
> body CHECK_1      (SOME REGEX I DON'T KNOW1)
> body CHECK_2      (SOME REGEX I DON'T KNOW2)
> body CHECK_3      (SOME REGEX I DON'T KNOW3)
> meta LOCAL_MULTIPLE_TESTS (( CHECK_1 + CHECK_2 + CHECK_3) > 3)
> score LOCAL_MULTIPLE_TESTS 10
>
> Am I close?

Close, but in this case no cigar.

The basic concept is right, but there wouldn't be any good way* to write the
re's necessary for the OP's particular case.

        Loren

* There are a number of BAD ways to write such rules for this case.  Most of
them tend to involve unbounded asterisks, and might in a bad case take maybe
half an hour to 45 minutes to finish running on a pathological case of a
spam.


Re: Arithmetic score for replaced O's and I's?

Posted by Matt Thoene <ma...@remedyx.com>.
On Tuesday, April 12, 2005 @ 11:42:37 AM [-0700], Chris Conn wrote:

> Hello,

> I believe I asked for this a few days ago and was told that I would need
> to write a plugin to do this =)

Hmmm...shouldn't have to. I know the basic layout of what it should
look like, I just suck at regex. It should be similar to below...

body CHECK_1      (SOME REGEX I DON'T KNOW1)
body CHECK_2      (SOME REGEX I DON'T KNOW2)
body CHECK_3      (SOME REGEX I DON'T KNOW3)
meta LOCAL_MULTIPLE_TESTS (( CHECK_1 + CHECK_2 + CHECK_3) > 3)
score LOCAL_MULTIPLE_TESTS 10

Am I close?

-- 
Matt


Re: Arithmetic score for replaced O's and I's?

Posted by Matt Thoene <ma...@remedyx.com>.
On Tuesday, April 12, 2005 @ 12:14:02 PM [-0700], Theo Van Dinter wrote:

> On Tue, Apr 12, 2005 at 03:10:19PM -0400, Jim Maul wrote:
>> Sort of.  You wanted to count them,  while it sounds as if this poster
>> just wants to detect them.  There is a big difference there.

> BTW: detecting them accurately is actually pretty difficult depending
> on what kind of mails you get.

> FYI: 3.1 is going to have semi-generic obfuscation support that will
> look for certain words being obfuscated (you can trivially add your
> own words as new rules...)  There's 2 versions right now that are being
> merged down into 1 for the release. :)

Great! Thanks.

> Randomly Generated Tagline:
> Futurama is brought to you by Thompson's Teeth, the
> only teeth strong enough to eat other teeth.

And the above sent a diet coke through my nose. Classic.

-- 
Matt


Re: Arithmetic score for replaced O's and I's?

Posted by Theo Van Dinter <fe...@kluge.net>.
On Tue, Apr 12, 2005 at 03:10:19PM -0400, Jim Maul wrote:
> Sort of.  You wanted to count them,  while it sounds as if this poster 
> just wants to detect them.  There is a big difference there.

BTW: detecting them accurately is actually pretty difficult depending
on what kind of mails you get.

FYI: 3.1 is going to have semi-generic obfuscation support that will
look for certain words being obfuscated (you can trivially add your
own words as new rules...)  There's 2 versions right now that are being
merged down into 1 for the release. :)

-- 
Randomly Generated Tagline:
Futurama is brought to you by Thompson's Teeth, the 
 only teeth strong enough to eat other teeth.

Re: Arithmetic score for replaced O's and I's?

Posted by Jim Maul <jm...@elih.org>.
Chris Conn wrote:
> 
> 
> Matt Thoene wrote:
> 
>> Does anyone have a good custom arithmetic score for spam that has a
>> whole bunch of o's and l's replaced with zeros and "|"? Example of
>> part of an l replacement spam body below...
>>
>> Yap International, Inc.(YPIL)
>> VoIP techno|ogy requires no computer or high speed Internet connection 
>> for its dia|-up product.
>> Current Price: $ 0.15
>> Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been 
>> Rea|ly Moving Lately.
>>
> 
> Hello,
> 
> I believe I asked for this a few days ago and was told that I would need 
> to write a plugin to do this =)
> 
> 

Sort of.  You wanted to count them,  while it sounds as if this poster 
just wants to detect them.  There is a big difference there.

-Jim

Re: Arithmetic score for replaced O's and I's?

Posted by Chris Conn <cc...@abacom.com>.

Matt Thoene wrote:
> Does anyone have a good custom arithmetic score for spam that has a
> whole bunch of o's and l's replaced with zeros and "|"? Example of
> part of an l replacement spam body below...
> 
> Yap International, Inc.(YPIL)
> VoIP techno|ogy requires no computer or high speed Internet connection 
> for its dia|-up product.
> Current Price: $ 0.15
> Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been 
> Rea|ly Moving Lately.
> 

Hello,

I believe I asked for this a few days ago and was told that I would need 
to write a plugin to do this =)

Chris