Posted to users@spamassassin.apache.org by Christopher Nido <cm...@yahoo.com> on 2013/03/15 14:11:50 UTC
Hot News
http://www.naturalstonesinc.com/aah/pabfjd/pgrezs
Re: Hot News
Posted by Benny Pedersen <me...@junc.eu>.
Kevin A. McGrail wrote on 2013-03-15 14:18:
> It's a compromised Yahoo! account. One of the #1 spamming issues
> right now for us.
Some more examples for the corpus? :)
I don't see Yahoo-signed spam mails right here now, but clamav died last
night here, still waiting for the update to be rolled out in Gentoo.
Re: Hot News
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 3/15/2013 11:38 AM, Dave Funk wrote:
> On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
>
>> On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
>> On 15/03/2013 15:11, Christopher Nido wrote:
>>
>>
>> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>>
>>
>> Now this is a guy with "cahona's grande' " for spamming the
>> spamassassin list.
>>
>> Poor sucker.
>>
>>
>> It's a compromised Yahoo! account. One of the #1 spamming issues
>> right now for us.
>>
>> Regards,
>> KAM
>
> Not only a compromised Yahoo! account but also a compromised website so
> listing the URLs in some kind of RBL will be problematic for FPs.
Hence I used the accepted "-munged" addition to discuss the compromised
URL with safety.
Regards,
KAM
RE: Hot News
Posted by Rick Cooper <rc...@dwford.com>.
Dave Funk wrote:
> On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
>
>> On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
>> On 15/03/2013 15:11, Christopher Nido wrote:
>>
>>
>> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>>
>>
>> Now this is a guy with "cahona's grande' " for spamming the
>> spamassassin list.
>>
>> Poor sucker.
>>
>>
>> It's a compromised Yahoo! account. One of the #1 spamming issues
>> right now for us.
>>
>> Regards,
>> KAM
>
> Not only a compromised Yahoo! account but also a compromised website
> so listing the URLs in some kind of RBL will be problematic for FPs.
I wrote a custom plug-in to detect certain things about these messages that,
so far, have not resulted in any FPs (one would have to have a Yahoo account
and make the message look just like the spams), and I have looked at some of
the messages caught. Something I noticed in all cases so far is that if
you attempt to pull the link with wget without using a user-agent string you
will get ERROR 405: Not Allowed every time, so far. I also find that there
are *several* common traits within the body of the web pages, for instance a
Fox News copyright, specific class names and link names such as '<li><a
href="http--//www.buy-berryrasp.com/order.php">Home</a></li>' (remove the
--).
If anyone has a chance to verify this, especially the 404 without a
user-agent string, I would think something could easily be done with a custom
plug-in to detect that. Oh, and they all do a 301 or 302 redirect at the
initial request.
Rick
Re: Hot News
Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2013-03-15 at 14:39 -0500, David B Funk wrote:
> The whole raison d'être for RBLs is that they're lists that can be
> implemented via the DNS system (created, updated, distributed, queried, etc).
> As such they can -only- contain IP addresses or hostnames, NOT URLs.
>
> So using something like SURBL or URIBL you can only list the host name
> part of that URL. If it's a legit site (albeit a compromised site)
> this will result in false-positives for normal mail that references the site.
>
... alternatively it would be reasonable to consider that the site
deserves to be blacklisted until its owner disinfects it. Telling its
webmaster that his site is infected would be a right neighbourly thing
to do too, especially if the site has a generally good reputation.
Martin
Re: URL and mail address RBL [was: Hot News]
Posted by Christian Recktenwald <sp...@citecs.de>.
On Wed, Mar 20, 2013 at 10:26:21AM +0000, Steve Freegard wrote:
> Listing e-mail addresses and URL paths could be done by normalizing them
yup
> (e.g. lower-case, stripping query parameters etc.)
Not necessarily - as I see it there would be use cases for complete URLs
as well as for stripped ones, maybe even for the domain part only.
A further aspect: there are URLs pointing clearly to spammy sites
and other ones (I see them often in 419s) pointing to
a completely legit page (say, an article on bbc.co.uk) used
for something like illustrational purposes only.
Similarly for email addresses - the domain part or the full address
may be of some value depending on the situation.
> and then hashing them
> (e.g. MD5/SHA1 etc) and listing the hash.
Good idea. Hashing should completely circumvent character issues.
> As you say though - the issue is collecting the data and populating the
> lists along with maintaining the rest of the infrastructure that serves it.
How about honeynet.org?
Re: Hot News
Posted by Steve Freegard <st...@fsl.com>.
On 16/03/13 00:04, Christian Recktenwald wrote:
> On Fri, Mar 15, 2013 at 02:39:17PM -0500, David B Funk wrote:
>> On Fri, 15 Mar 2013, Christian Recktenwald wrote:
>>
>>> On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
>>>> On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
>>>>
>>>>> On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
>>>>> On 15/03/2013 15:11, Christopher Nido wrote:
>>>>>
>>>>>
>>>>> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>>>
>>>> ... listing the URLs in some kind of RBL will be problematic for FPs.
>>>
>>> not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
>>> used in normal operation of this site.
>>
>> The whole raison d'être for RBLs is that they're lists that can be
>> implemented via the DNS system (created, updated, distributed, queried,
>> etc).
>> As such they can -only- contain IP addresses or hostnames, NOT URLs.
>
> That's not exactly right. I've been distributing other data via
> DNS for quite some years now, like temperature[1], OUIs (MAC address prefixes)[2]
> and originating time stamps[3], just to name some.
>
> For demonstration purposes please just try:
> dig +short txt http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs.url.rbl.citecs.de.
> you would get
> "1363389581"
> which is the epoch timestamp[3] the entry was created.
>
> Why does this work? It's because it uses TXT records, not A or PTR
> records. Maybe there would be some funny characters I did not think of
> right now - then, some quoting would help.
>
> Creating another RBL providing compromised email addresses would be the
> same thing.
>
The issue isn't A vs. TXT - it's that certain characters aren't allowed
in DNS names.
Listing e-mail addresses and URL paths could be done by normalizing them
(e.g. lower-case, stripping query parameters etc.) and then hashing them
(e.g. MD5/SHA1 etc) and listing the hash.
As you say though - the issue is collecting the data and populating the
lists along with maintaining the rest of the infrastructure that serves it.
Regards,
Steve.
Re: Hot News
Posted by Christian Recktenwald <sp...@citecs.de>.
On Fri, Mar 15, 2013 at 02:39:17PM -0500, David B Funk wrote:
> On Fri, 15 Mar 2013, Christian Recktenwald wrote:
>
> >On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
> >>On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
> >>
> >>>On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
> >>> On 15/03/2013 15:11, Christopher Nido wrote:
> >>>
> >>>
> >>>http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
> >
> >>... listing the URLs in some kind of RBL will be problematic for FPs.
> >
> >not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
> >used in normal operation of this site.
>
> The whole raison d'être for RBLs is that they're lists that can be
> implemented via the DNS system (created, updated, distributed, queried,
> etc).
> As such they can -only- contain IP addresses or hostnames, NOT URLs.
That's not exactly right. I've been distributing other data via
DNS for quite some years now, like temperature[1], OUIs (MAC address prefixes)[2]
and originating time stamps[3], just to name some.
For demonstration purposes please just try:
dig +short txt http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs.url.rbl.citecs.de.
you would get
"1363389581"
which is the epoch timestamp[3] the entry was created.
Why does this work? It's because it uses TXT records, not A or PTR
records. Maybe there would be some funny characters I did not think of
right now - then, some quoting would help.
Creating another RBL providing compromised email addresses would be the
same thing.
So, this was the easy part.
More challenging (at least to me): where would one collect the data to
constantly feed these lists? Some kind of honeypot or something?
[1] dig +short txt janus.temp.citecs.de
This is the actual outside temperature near where I live, updated
every minute.
[2] dig +short txt 00:00:00.eth.citecs.de.
[3] So, there's an additional benefit to publishing the timestamp the entry
was created: the one using the RBL may decide for themselves how old an
entry they wish to rely on - a feature most other RBLs don't provide.
If there are reasonable suggestions I could provide a DNS with dynamic
updating for a test or even production if it turns out to work.
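The two ideas in this sub-thread, Steve Freegard's "normalize, hash, list the hash" and Christian Recktenwald's "publish the creation timestamp in the TXT record so the client picks how old an entry it trusts", carried through as an added Python example (not SpamAssassin code and not any poster's plug-in). The zone name, the offline stand-in resolver and the single sample entry are constructed; the normalization levels extend Christian's point that full URLs, stripped URLs and bare host names all have uses.

```python
import hashlib
import time
from urllib.parse import urlsplit

# Added example, not SpamAssassin code; zone, resolver and sample entry are constructed.
def normalize_url(url, level="path"):
    """Canonical form before hashing.  level: "host" (host only, what SURBL-style
    lists hold), "path" (scheme+host+path, query/fragment dropped, so a compromised
    site's spam landing page can be listed without the site itself) or "full"
    (path plus query).  Only scheme and host are lower-cased: paths are case-sensitive."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if level == "host":
        return host
    out = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    if level == "full" and parts.query:
        out += "?" + parts.query
    return out

def query_name(url, zone, level="path"):
    """<hex sha1 of normalized URL>.<zone>.  Hashing sidesteps the characters a
    DNS name cannot carry; a 40-char SHA-1 hex digest fits one 63-octet label,
    a 64-char hex SHA-256 would not."""
    digest = hashlib.sha1(normalize_url(url, level).encode("utf-8")).hexdigest()
    return f"{digest}.{zone}"

def check_url(url, zone, resolve_txt, max_age, level="path", now=None):
    """Return (listed, age_seconds).  resolve_txt(name) -> list of TXT strings,
    [] on NXDOMAIN.  The TXT value is the epoch second the entry was created, so
    the caller picks via max_age how old an entry it still trusts."""
    values = resolve_txt(query_name(url, zone, level))
    if not values:
        return False, None
    try:
        created = int(values[0].strip().strip('"'))
    except ValueError:  # malformed record: treat as not listed
        return False, None
    age = (time.time() if now is None else now) - created
    return age <= max_age, age

# Constructed sample list with one entry, created at the epoch second the
# thread's dig example returned.
SAMPLE_ZONE = "url.rbl.example.invalid"
SAMPLE_URL = "http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs"
SAMPLE_RECORDS = {query_name(SAMPLE_URL, SAMPLE_ZONE): ['"1363389581"']}

def fake_resolve_txt(name):
    """Offline stand-in for a real resolver (e.g. dnspython's dns.resolver.resolve)."""
    return SAMPLE_RECORDS.get(name, [])
```

A mixed-case copy of the listed URL with a tracking query string appended hashes to the same name, while the same host with a different path does not, which is exactly the false-positive behaviour the thread wants.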
Re: Hot News
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 15 Mar 2013, Christian Recktenwald wrote:
> On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
>> On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
>>
>>> On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
>>> On 15/03/2013 15:11, Christopher Nido wrote:
>>>
>>>
>>> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>
>> ... listing the URLs in some kind of RBL will be problematic for FPs.
>
> not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
> used in normal operation of this site.
The whole raison d'être for RBLs is that they're lists that can be
implemented via the DNS system (created, updated, distributed, queried, etc).
As such they can -only- contain IP addresses or hostnames, NOT URLs.
So using something like SURBL or URIBL you can only list the host name
part of that URL. If it's a legit site (albeit a compromised site)
this will result in false-positives for normal mail that references the site.
It would be possible to create explicit SA rules to hit the full URLs but
that becomes a whack-a-mole proposition and more resource intensive than
just dropping a new entry in a RBL master zone file.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Hot News
Posted by Christian Recktenwald <sp...@citecs.de>.
On Fri, Mar 15, 2013 at 10:38:53AM -0500, Dave Funk wrote:
> On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
>
> >On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
> > On 15/03/2013 15:11, Christopher Nido wrote:
> >
> >
> >http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
> ... listing the URLs in some kind of RBL will be problematic for FPs.
not really: The part 'aah/pabfjd/pgrezs' is most likely[tm] not
used in normal operation of this site.
Re: Hot News
Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
> On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
> On 15/03/2013 15:11, Christopher Nido wrote:
>
>
> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>
>
> Now this is a guy with "cahona's grande' " for spamming the spamassassin list.
>
> Poor sucker.
>
>
> It's a compromised Yahoo! account. One of the #1 spamming issues right now for us.
>
> Regards,
> KAM
Not only a compromised Yahoo! account but also a compromised website so
listing the URLs in some kind of RBL will be problematic for FPs.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Hot News
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
> On 15/03/2013 15:11, Christopher Nido wrote:
>>
>>
>> http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs
>> <http://www.naturalstonesinc.com/aah/pabfjd/pgrezs>
>
> Now this is a guy with "cahona's grande' " for spamming the
> spamassassin list.
>
> Poor sucker.
It's a compromised Yahoo! account. One of the #1 spamming issues right
now for us.
Regards,
KAM
Re: Hot News
Posted by Benny Pedersen <me...@junc.eu>.
Tom Kinghorn wrote on 2013-03-15 14:17:
> Poor sucker.
And an unknown URL in URIBL, hmm.
Maybe "sa-learn --spam msg" does care :)
Re: Hot News
Posted by Tom Kinghorn <th...@gmail.com>.
On 15/03/2013 15:11, Christopher Nido wrote:
>
>
> http://www.naturalstonesinc.com/aah/pabfjd/pgrezs
Now this is a guy with "cahona's grande' " for spamming the spamassassin
list.
Poor sucker.