Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/11/13 01:20:07 UTC

URI_HEX fp

Hi, this doesn't look like it should be considered a hex URI.

Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
got hit: "https://api-89c8e17d"

Nov 12 20:14:16.379 [15295] dbg: rules: ran uri rule
__LOCAL_PP_NONPPURL ======> got hit:
"https://api-89c8e17d.duosecurity.com"

Re: URI_HEX fp

Posted by John Hardin <jh...@impsec.org>.
On Mon, 12 Nov 2018, Alex wrote:

> Hi, this doesn't look like it should be considered a hex URI.
>
> Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
> got hit: "https://api-89c8e17d"

That satisfies the description:

describe URI_HEX	URI hostname has long hexadecimal sequence

It's not "is pure hex", it's "contains long hex".


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance is no excuse for a law.
-----------------------------------------------------------------------
  592 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: URI_HEX fp

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2018-11-12 at 20:20 -0500, Alex wrote:
> Hi, this doesn't look like it should be considered a hex URI.
> 
> Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
> got hit: "https://api-89c8e17d"
> 
I didn't get any joy from playing with this one. By assuming that
89c8e17d is a set of four 2-digit hex numbers, converting to decimal and
adding the dots gives 137.200.225.125, which looks like an IP
(137.200.225.125) but 'host' says it doesn't resolve: 3(NXDOMAIN)

Similarly 'host' couldn't resolve api-89c8e17d into an IP address,
though it is evidently a private subdomain of duosecurity.com. See
below.

> Nov 12 20:14:16.379 [15295] dbg: rules: ran uri rule
> __LOCAL_PP_NONPPURL ======> got hit:
> "https://api-89c8e17d.duosecurity.com"
>
Looking this up with 'host' got me the IP 54.241.191.167 
and a reverse lookup on that resolves it to:

ec2-54-241-191-167.us-west-1.compute.amazonaws.com.

IOW, it's probably a good thing that SA does think these are hex
addresses that can fire URI rules.

Martin
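The two checks discussed in this thread, as an added example that is not part of the mailing-list posts or of SpamAssassin's own rule code: find any long hex run in a URI's hostname (the "contains long hex" reading of the URI_HEX description) and, where a run is exactly eight hex digits, decode it the way Martin did into a dotted quad for further lookup. The minimum run length of 8 is an assumption; the real URI_HEX regex is not shown in the thread.

```python
import re
from urllib.parse import urlsplit

# Assumed threshold: the actual URI_HEX regex is not quoted in the thread,
# and 8 is simply the shortest run that can also be read as an IPv4 address.
MIN_HEX_RUN = 8
HEX_RUN = re.compile(r"[0-9a-f]{%d,}" % MIN_HEX_RUN, re.IGNORECASE)


def hostname_of(uri):
    """Return the hostname part of a URI, lower-cased ('' if there is none)."""
    return (urlsplit(uri).hostname or "").lower()


def hex_runs(uri):
    """All hex runs in the hostname that are at least MIN_HEX_RUN characters.

    As in the rule description, a run counts even when it is embedded in an
    otherwise alphabetic label such as api-89c8e17d; the label does not have
    to be pure hex.
    """
    return HEX_RUN.findall(hostname_of(uri))


def hex_to_dotted_quad(run):
    """Decode exactly eight hex digits as four bytes, e.g. '89c8e17d' -> '137.200.225.125'."""
    if len(run) != 8:
        raise ValueError("need exactly 8 hex digits for a dotted quad")
    return ".".join(str(int(run[i:i + 2], 16)) for i in range(0, 8, 2))


def triage(uri):
    """Summarise why a URI_HEX-style rule would fire on this URI.

    Returns the hostname, the long hex runs found in it, and the dotted-quad
    reading of each run that is exactly eight digits long, so an analyst can
    feed those candidates to 'host' or a reputation lookup.
    """
    runs = hex_runs(uri)
    return {
        "host": hostname_of(uri),
        "hex_runs": runs,
        "as_ipv4": [hex_to_dotted_quad(r) for r in runs if len(r) == 8],
    }


if __name__ == "__main__":
    # The two URIs from Alex's debug output (no other sample data is used).
    for u in ("https://api-89c8e17d", "https://api-89c8e17d.duosecurity.com"):
        print(u, "->", triage(u))
```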