Posted to users@spamassassin.apache.org by Ilan Aisic <ia...@gmail.com> on 2005/08/27 15:49:03 UTC

SURBL Redirection Problem

This is a snippet from spam content I got:

<A href="http://chietaphi.com/catalog/redirect.php?action=url&goto=www.vxneev.moonboard.info/?100aa983aGd9080f4c0bfF3c1362f8e1">Just
VISlT EPharmaccy-By</A>

It did not trigger any of the URI rules even though moonboard.info is
listed in all the places.
They have exploited a redirector script on chietaphi.com which looks legit.

I think it should not be hard to improve the SA plugin for URI
(check_dnsbl) to also check something as obvious as this redirection.
Perhaps it can be done with a second call after parsing the string
following the domain name and realizing it contains a URI.

-- 
Ilan Aisic
Registered Linux User 8124 http://counter.li.org

Re: SURBL Redirection Problem

Posted by Ilan Aisic <ia...@gmail.com>.
I'm attaching the original spam message as is (in Outlook .msg format).
You'll be able to see my SA full report in the headers.
I don't think it would matter much because in my posting here I put
the original HTML HREF tag that includes the URI that should be
caught.

On 8/29/05, Craig McLean <cr...@craig.dnsalias.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Daryl C. W. O'Shea wrote:
> | Craig McLean wrote:
> |
> |> -----BEGIN PGP SIGNED MESSAGE-----
> |> Hash: SHA1
> |>
> |> 3.1.0-rc1 nailed it to the wall.
> |>
> |> Craig.
> | <...>
> |> domain
> |> |  4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL
> |> blocklist
> |> |                             [URIs: moonboard.info]
> |
> | Did you detect that with a redirector_pattern?  I don't see that
> | detected with a stock 3.1.0-rc1 here (no hint of it when SA is run with
> | -Duri).
> 
> This is stock 3.1.0-rc1 with some of the SARE rulesets. If you let me
> have the original message you got (munged headers if necessary) I'll try
> running the whole thing through, see what hits.
> 
> Craig.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> 
> iD8DBQFDEvQiMDDagS2VwJ4RAjcTAKCkSBWvq48UJFbeUFI91T0ViUPvDwCfSWLT
> M3yHQKY/7aLNhTYtIKyjN/M=
> =AbUr
> -----END PGP SIGNATURE-----
> 


-- 
Ilan Aisic
Registered Linux User 8124 http://counter.li.org

Re: SURBL Redirection Problem

Posted by Craig McLean <cr...@craig.dnsalias.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daryl C. W. O'Shea wrote:
| Craig McLean wrote:
|
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> 3.1.0-rc1 nailed it to the wall.
|>
|> Craig.
| <...>
|> domain
|> |  4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL
|> blocklist
|> |                             [URIs: moonboard.info]
|
| Did you detect that with a redirector_pattern?  I don't see that
| detected with a stock 3.1.0-rc1 here (no hint of it when SA is run with
| -Duri).

This is stock 3.1.0-rc1 with some of the SARE rulesets. If you let me
have the original message you got (munged headers if necessary) I'll try
running the whole thing through, see what hits.

Craig.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEvQiMDDagS2VwJ4RAjcTAKCkSBWvq48UJFbeUFI91T0ViUPvDwCfSWLT
M3yHQKY/7aLNhTYtIKyjN/M=
=AbUr
-----END PGP SIGNATURE-----

Re: SURBL Redirection Problem

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Craig McLean wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 3.1.0-rc1 nailed it to the wall.
> 
> Craig.

<...>

> domain
> |  4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL
> blocklist
> |                             [URIs: moonboard.info]


Did you detect that with a redirector_pattern?  I don't see that 
detected with a stock 3.1.0-rc1 here (no hint of it when SA is run with 
-Duri).

Daryl


Re: SURBL Redirection Problem

Posted by Craig McLean <cr...@craig.dnsalias.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

3.1.0-rc1 nailed it to the wall.

Craig.

Ilan Aisic wrote:
|
|  pts rule name              description
| ---- ---------------------- --------------------------------------------------
|  0.9 RCVD_BY_IP             Received by mail server with no name
| -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
| -0.0 DK_VERIFIED            Domain Keys: signature passes verification
|  0.0 DK_SIGNED              Domain Keys: message has an unverified signature
|  3.2 FUZZY_PHARMACY         BODY: Attempt to obfuscate words in spam
|  1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
|  1.0 LOCAL_INFO_TLD         URI: Contains an URL in the INFO top-level domain
|  4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
|                             [URIs: moonboard.info]
|  2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
|                             [URIs: moonboard.info]
|  3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
|                             [URIs: moonboard.info]
|  3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
|                             [URIs: moonboard.info]
|  2.0 URIBL_XS_SURBL         Has URI in XS - Testing
|                             [URIs: moonboard.info]
|  4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
|                             [URIs: moonboard.info]
|  3.0 URIBL_SC2_SURBL        Has URI in SC2 at http://www.surbl.org/lists.html
|                             [URIs: moonboard.info]
|  1.7 SARE_OBFU_VISIT2       found apparent obfuscation of word used in spam
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEOEtMDDagS2VwJ4RAvTNAJ4j7+6v+Dj/j+JrmE7iwVC5dTLHWwCgtikJ
6x0dpPWA8KhAvFRbH/5yE3k=
=hs1n
-----END PGP SIGNATURE-----

Re: SURBL Redirection Problem

Posted by Loren Wilton <lw...@earthlink.net>.
Perhaps changing the uri check would be a short-term fix.  There is a
redirector pattern detector in SA which would be the right thing to fix.

        Loren
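The following is an added illustration of the two approaches discussed in this thread (Ilan's proposal to parse the part of the URL after the host and notice it contains another URI, and the redirector pattern mechanism Daryl and Loren refer to). It is not code from SpamAssassin or from any poster, and it is written in Python rather than SpamAssassin's Perl. The only real input is the HREF Ilan quoted at the top of the thread; the REDIRECTOR_PATTERNS list is a hypothetical pattern written in the spirit of SpamAssassin's `redirector_pattern` directive (first capture group is the embedded target), and registered_domain() is a deliberately simplified two-label version of the TLD-table lookup SpamAssassin actually performs. The point it makes is the one Ilan raises: a lookup that only sees the link's own host checks chietaphi.com, while a redirector-aware extraction also yields moonboard.info, the domain the URIBLs list.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The HREF quoted from the spam at the top of the thread (the only non-constructed input).
SPAM_HREF = ("http://chietaphi.com/catalog/redirect.php"
             "?action=url&goto=www.vxneev.moonboard.info/?100aa983aGd9080f4c0bfF3c1362f8e1")

# Hypothetical pattern in the style of SpamAssassin's redirector_pattern directive:
# it matches the redirector site and captures the embedded target in group 1.
REDIRECTOR_PATTERNS = [
    re.compile(r"^https?://[^/]+/catalog/redirect\.php\?(?:[^&]*&)*goto=([^&]+)", re.I),
]

# Generic fallback for Ilan's suggestion: a query value that looks like a URL or a
# dotted hostname (optionally prefixed with a scheme) is treated as an embedded URI.
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]|$)", re.I)


def registered_domain(host):
    """Simplified: keep the last two labels. SpamAssassin uses a TLD table instead,
    so this is an assumption that is wrong for hosts under two-level TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(urlish):
    """Return the hostname of a URL-like string, or None if it does not look like one."""
    m = URLISH.match(unquote(urlish))
    return m.group(1).lower() if m else None


def redirect_targets(url):
    """Embedded targets: explicit redirector patterns first, then any query
    parameter value that looks like a URI (deduplicated, order preserved)."""
    found = []
    for pat in REDIRECTOR_PATTERNS:
        m = pat.match(url)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if host_of(value) and value not in found:
            found.append(value)
    return found


def domains_to_check(url):
    """Domains a URIBL lookup should see for this link: the link's own host first,
    followed by the host of every embedded redirect target."""
    hosts = [urlsplit(url).hostname]
    hosts += [h for h in (host_of(t) for t in redirect_targets(url)) if h]
    domains = []
    for h in hosts:
        d = registered_domain(h)
        if d not in domains:
            domains.append(d)
    return domains


if __name__ == "__main__":
    # A host-only check sees just the redirector; the redirector-aware check also
    # surfaces the listed domain behind it.
    print("host-only:        ", registered_domain(urlsplit(SPAM_HREF).hostname))
    print("redirector-aware: ", domains_to_check(SPAM_HREF))
```

The explicit pattern list and the generic query-value heuristic deliberately overlap: the pattern catches a known redirector precisely, while the heuristic is what Ilan asked for and catches redirectors nobody has written a pattern for yet, at the cost of occasionally extracting a hostname from a parameter that is not actually followed. Either way the extracted domain is just another candidate for the existing URIBL lookup, so a false extraction costs a DNS query rather than a misclassification on its own.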