You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/04/13 02:57:07 UTC

Re[2]: Arithmetic score for replaced O's and I's?

Hello Matt,

Tuesday, April 12, 2005, 12:08:01 PM, you wrote:

MT> On Tuesday, April 12, 2005 @ 11:42:37 AM [-0700], Chris Conn wrote:

>> Hello,

>> I believe I asked for this a few days ago and was told that I would need
>> to write a plugin to do this =)

MT> Hmmm...shouldn't have to. I know the basic layout of what it should
MT> look like, I just suck at regex. It should be similar to below...

MT> body CHECK_1      (SOME REGEX I DON'T KNOW1)
MT> body CHECK_2      (SOME REGEX I DON'T KNOW2)
MT> body CHECK_3      (SOME REGEX I DON'T KNOW3)
MT> meta LOCAL_MULTIPLE_TESTS (( CHECK_1 + CHECK_2 + CHECK_3) > 3)
MT> score LOCAL_MULTIPLE_TESTS 10

MT> Am I close?

Close.  But you can't get >3 in three rules.

The question is how intelligent do you want to make the rule(s).  If
you want something like 

body  L_PIPE  m'\w\w\|\w\w'
body  L_ZER0  m'\w\w0\w\w'
body  L_VEEE  m'\\/\w'
body  L_AAAA  m'\w/\\\w'
body  L_LONE  m'\w\w1\w\w'
meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

That's easy.  But it might be dangerous.

I'm working on a SARE rule set to test safely for these types of
obfuscations.  Should be done and ready for distribution by end of
month.

Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and I'|| f1nd
a 600D horme 4 them...

(Not the entire spam emails, please -- just the obfuscations.)

Bob Menschel

Re[2]: Arithmetic score for replaced O's and I's?

Posted by Robert Menschel <Ro...@Menschel.net>.

Hello Keith,

Tuesday, April 12, 2005, 6:10:38 PM, you wrote:

KI> Robert Menschel wrote:

>> The question is how intelligent do you want to make the rule(s).  If
>> you want something like 
>> 
>> body  L_PIPE  m'\w\w\|\w\w'
>> body  L_ZER0  m'\w\w0\w\w'
>> body  L_VEEE  m'\\/\w'
>> body  L_AAAA  m'\w/\\\w'
>> body  L_LONE  m'\w\w1\w\w'
>> meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

KI> Remember that \w matches letters, numbers, and underscores, so 
KI> you'll probably want to use something like [a-z] or [A-Za-z] (or 
KI> [a-z] with a /i modifier at the end of the regex) instead. 
KI> Otherwise you'll wind up triggering on perfect ordinary numbers. 
KI>   Even with [a-z], I'd expect a fair number of false positives.

Definitely.  I considered that with L_PIPE, and figured that was OK.
Then since I wasn't doing real rules anyway, but just an example, I
got lazy and used the \w for the other rules as well, even though
\w\w0\w\w would match 10000.

Bob Menschel

Re: Arithmetic score for replaced O's and I's?

Posted by Keith Ivey <kc...@cpcug.org>.

Robert Menschel wrote:

> The question is how intelligent do you want to make the rule(s).  If
> you want something like 
> 
> body  L_PIPE  m'\w\w\|\w\w'
> body  L_ZER0  m'\w\w0\w\w'
> body  L_VEEE  m'\\/\w'
> body  L_AAAA  m'\w/\\\w'
> body  L_LONE  m'\w\w1\w\w'
> meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

Remember that \w matches letters, numbers, and underscores, so 
you'll probably want to use something like [a-z] or [A-Za-z] (or 
[a-z] with a /i modifier at the end of the regex) instead. 
Otherwise you'll wind up triggering on perfect ordinary numbers. 
  Even with [a-z], I'd expect a fair number of false positives.

-- 
Keith C. Ivey <kc...@cpcug.org>
Washington, DC

Re: Re[4]: Arithmetic score for replaced O's and I's?

Posted by wolfgang <me...@gmx.net>.

In an older episode (Friday 15 April 2005 03:57), Gene Heskett wrote:

> Stupid Q:  As I don't have a 'stock.cf' file in the config dir now, 
> how do I add this to the ammo box?  I have moved it into that config 
> dir, is that sufficient?

it is sufficient if you run the spamassassin executable.
with spamd you would have to restart spamd to load the new config file.

Re: Re[4]: Arithmetic score for replaced O's and I's?

Posted by Gene Heskett <ge...@verizon.net>.

On Thursday 14 April 2005 21:08, wolfgang wrote:
>i attach a set of rules i have been using and improving for a while
> that handle stock spam, especially the || stuff.

Stupid Q:  As I don't have a 'stock.cf' file in the config dir now, 
how do I add this to the ammo box?  I have moved it into that config 
dir, is that sufficient?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.34% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

Re: Re[4]: Arithmetic score for replaced O's and I's?

Posted by wolfgang <me...@gmx.net>.

i attach a set of rules i have been using and improving for a while that 
handle stock spam, especially the || stuff.

Re: Arithmetic score for replaced O's and I's?

Posted by Jim Maul <jm...@elih.org>.

Robert Menschel wrote:
> Hello mewolf1,
> 
> Tuesday, April 12, 2005, 6:37:15 PM, you wrote:
> 
> mgn> In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:
> 
>>>Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and
>>>I'|| f1nd a 600D horme 4 them...
>>>
>>>(Not the entire spam emails, please -- just the obfuscations.)
> 
> 
> mgn> Robert, I just sent you obfuscations privately off list, is that
> mgn> what you meant?
> 
> Perfect.  I built rules for them last night and mass-checked them this
> morning. I'll run a few passes to refine them, then have other SARE
> ninja's mass-check to get broader results, and then we'll fine tune
> for performance, and hopefully have something published before end of
> month.
> 
> Other contributions more than welcome.
> 
> Bob Menschel
> 
> 
> 

Something that tries to catch those weird table obfuscations would be 
great ;)  Something like i posted a while back in the "Extra Sare rules 
for meds" thread.  I dont know if this is possible or not but...

-Jim

Re[4]: Arithmetic score for replaced O's and I's?

Posted by Robert Menschel <Ro...@Menschel.net>.

Hello mewolf1,

Tuesday, April 12, 2005, 6:37:15 PM, you wrote:

mgn> In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:
>> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and
>> I'|| f1nd a 600D horme 4 them...
>> 
>> (Not the entire spam emails, please -- just the obfuscations.)

mgn> Robert, I just sent you obfuscations privately off list, is that
mgn> what you meant?

Perfect.  I built rules for them last night and mass-checked them this
morning. I'll run a few passes to refine them, then have other SARE
ninja's mass-check to get broader results, and then we'll fine tune
for performance, and hopefully have something published before end of
month.

Other contributions more than welcome.

Bob Menschel

Re: Re[2]: Arithmetic score for replaced O's and I's?

Posted by me...@gmx.net.

Sorry, for some reason Kmail shows the text in my 2 previous mails only when 
viewing the message source, some MIME problem apparently. So once more:

In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:

> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted 0bfusc@ti0ns, and I'|| 
f1nd
> a 600D horme 4 them...
> 
> (Not the entire spam emails, please -- just the obfuscations.)

Robert, I just sent you obfuscations privately off list, is that what you 
meant?

regards