Posted to users@spamassassin.apache.org by Joseph Brennan <br...@columbia.edu> on 2009/10/05 17:06:19 UTC
Babelfish obfuscation
From spam today:
<a
href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E"
style="text-decoration: none; color: #0099ff;">click here</a>
Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
then %2E%63%6E for .cn
Joseph Brennan
Columbia University Information Technology
Re: Babelfish obfuscation
Posted by John Hardin <jh...@impsec.org>.
On Mon, 5 Oct 2009, Karsten Bräckelmann wrote:
> On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
>> On man 05 okt 2009 17:16:06 CEST, Karsten Bräckelmann wrote
>
>>> Without checking -- I believe, all you need is a redirector_pattern for
>>> the IP redirector, to extract the target URI. The list of URIs should
>>> also contain a cleaned version of the extracted target URI, with the
>>> escapes converted.
>>
>> I have had this in mind for so long with a lot of spam on Yahoo, but
>> don't know how to make that work :/
>
> redirector_pattern m~http://example.net/redir?uri=(target)~
Tested:
redirector_pattern m;^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$;
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The question of whether people should be allowed to harm themselves
is simple. They *must*. -- Charles Murray
-----------------------------------------------------------------------
Approximately 9194940 firearms legally purchased in the U.S. this year
Re: Babelfish obfuscation
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
> On man 05 okt 2009 17:16:06 CEST, Karsten Bräckelmann wrote
> > Without checking -- I believe, all you need is a redirector_pattern for
> > the IP redirector, to extract the target URI. The list of URIs should
> > also contain a cleaned version of the extracted target URI, with the
> > escapes converted.
>
> I have had this in mind for so long with a lot of spam on Yahoo, but
> don't know how to make that work :/
redirector_pattern m~http://example.net/redir?uri=(target)~
^^^^^^^^
The redirector_pattern pretty much is a simple uri rule. With one
notable difference: It needs exactly one capturing match. The captured
match will be added to the list of URIs, just the same as if it would
have appeared as a plain, ordinary URI in the message.
Entirely from memory -- down with a cold, can't be arsed to cross-check
my claims today. ;)
guenther
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
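The behaviour John Hardin tested and Karsten describes above (a redirector_pattern with exactly one capture, whose captured target is added to the URI list alongside a percent-decoded copy) can be illustrated outside SpamAssassin. The following Python script is an added example, not code from the thread or from SpamAssassin: it reuses John's tested regex, a constructed href modelled on the one Joseph quoted, and hypothetical helper names (`extract_redirect_target`, `expand_uris`, `cn_hosts`). It shows why the hidden `.cn` host is only visible after both steps, which also answers Warren's question about whether `%2E%63%6E` gets decoded.

```python
import re
from urllib.parse import unquote

# Constructed sample href, modelled on the one quoted in the thread:
# a Babelfish redirector on a bare IP whose target carries a
# percent-encoded ".cn" TLD.
SAMPLE_HREF = (
    "http://66.196.80.202/babelfish/translate_url_content"
    "?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E"
)

# Python re equivalent of the redirector_pattern John Hardin tested
# (Perl m;...; delimiters dropped). Assumed equivalent, not SpamAssassin's code.
REDIRECTOR_PATTERNS = [
    re.compile(r"^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$"),
]


def has_single_capture(pattern):
    """A redirector_pattern needs exactly one capturing group: the target."""
    return pattern.groups == 1


def extract_redirect_target(uri):
    """Return the captured target for the first redirector pattern that matches."""
    for pat in REDIRECTOR_PATTERNS:
        if not has_single_capture(pat):
            raise ValueError("redirector pattern must have exactly one capture")
        m = pat.search(uri)
        if m:
            return m.group(1)
    return None


def clean_uri(uri):
    """Decode percent escapes, so %2E%63%6E becomes .cn."""
    return unquote(uri)


def hostname(uri):
    """Host part of an http(s) URI, lower-cased, or None."""
    m = re.match(r"^https?://([^/?#]+)", uri)
    return m.group(1).lower() if m else None


def expand_uris(uris):
    """Raw and cleaned forms of every URI and of any extracted redirect target.

    Mimics the list-of-URIs behaviour described in the thread; hypothetical,
    not the actual SpamAssassin implementation.
    """
    seen = []

    def add(u):
        if u not in seen:
            seen.append(u)

    for u in uris:
        add(u)
        add(clean_uri(u))
        target = extract_redirect_target(u)
        if target:
            add(target)
            add(clean_uri(target))
    return seen


def cn_hosts(uris):
    """Hostnames under .cn found anywhere in the expanded URI list."""
    hosts = []
    for u in expand_uris(uris):
        h = hostname(u)
        if h and h.endswith(".cn") and h not in hosts:
            hosts.append(h)
    return hosts


if __name__ == "__main__":
    for u in expand_uris([SAMPLE_HREF]):
        print(u)
    print("cn hosts:", cn_hosts([SAMPLE_HREF]))
```

Neither the raw outer href (host `66.196.80.202`) nor the raw extracted target (host still ending in `%2E%63%6E`) ends in `.cn`; only the cleaned copy of the extracted target does, which is why a uri rule keyed on the TLD needs both the redirector extraction and the unescaping to fire on this message.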
Re: Babelfish obfuscation
Posted by Benny Pedersen <me...@junc.org>.
On man 05 okt 2009 17:16:06 CEST, Karsten Bräckelmann wrote
> Without checking -- I believe, all you need is a redirector_pattern for
> the IP redirector, to extract the target URI. The list of URIs should
> also contain a cleaned version of the extracted target URI, with the
> escapes converted.
I have had this in mind for so long with a lot of spam on Yahoo, but
don't know how to make that work :/
--
xpoint
Re: Babelfish obfuscation
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-10-05 at 11:06 -0400, Joseph Brennan wrote:
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn
Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list of URIs should
also contain a cleaned version of the extracted target URI, with the
escapes converted.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Babelfish obfuscation
Posted by Benny Pedersen <me...@junc.org>.
On man 05 okt 2009 17:06:19 CEST, Joseph Brennan wrote
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn
Yahoo accepts content being on their IP?
Let's block that IP then.
--
xpoint
Re: Babelfish obfuscation
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2009-10-05 at 08:27 -0700, John Hardin wrote:
> I guess that's an argument against anchoring CN_EIGHT at the beginning of
> the URI...
No, it is not.
It's an argument for a new redirector_pattern. The extracted target URIs
are provided for uri rules.
Or alternatively, seriously kicking some redirector provider's butts...
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Babelfish obfuscation
Posted by Warren Togami <wt...@redhat.com>.
On 10/05/2009 11:27 AM, John Hardin wrote:
> Warren:
>
> I guess that's an argument against anchoring CN_EIGHT at the beginning
> of the URI...
>
I wasn't the one that suggested anchoring.
Did the old rule decode %2E%63%6E as .cn though?
Warren
Re: Babelfish obfuscation
Posted by John Hardin <jh...@impsec.org>.
On Mon, 5 Oct 2009, Joseph Brennan wrote:
>> From spam today:
>
> <a
> href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E"
> style="text-decoration: none; color: #0099ff;">click here</a>
>
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn
Warren:
I guess that's an argument against anchoring CN_EIGHT at the beginning of
the URI...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You cannot bring about prosperity by discouraging thrift. You
cannot help small men by tearing down big men. You cannot
strengthen the weak by weakening the strong. You cannot lift the
wage-earner by pulling down the wage-payer. You cannot help the
poor man by destroying the rich. You cannot keep out of trouble by
spending more than your income. You cannot further the brotherhood
of man by inciting class hatred. You cannot establish security on
borrowed money. You cannot build character and courage by taking
away men's initiative and independence. You cannot help men
permanently by doing for them what they could and should do for
themselves. -- William J. H. Boetcker
-----------------------------------------------------------------------
Approximately 9183900 firearms legally purchased in the U.S. this year