Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/11/13 01:20:07 UTC
URI_HEX fp
Hi, this doesn't look like it should be considered a hex URI.
Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
got hit: "https://api-89c8e17d"
Nov 12 20:14:16.379 [15295] dbg: rules: ran uri rule
__LOCAL_PP_NONPPURL ======> got hit:
"https://api-89c8e17d.duosecurity.com"
Re: URI_HEX fp
Posted by John Hardin <jh...@impsec.org>.
On Mon, 12 Nov 2018, Alex wrote:
> Hi, this doesn't look like it should be considered a hex URI.
>
> Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
> got hit: "https://api-89c8e17d"
That satisfies the description:
describe URI_HEX URI hostname has long hexadecimal sequence
It's not "is pure hex", it's "contains long hex".
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Ignorance is no excuse for a law.
-----------------------------------------------------------------------
592 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: URI_HEX fp
Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2018-11-12 at 20:20 -0500, Alex wrote:
> Hi, this doesn't look like it should be considered a hex URI.
>
> Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
> got hit: "https://api-89c8e17d"
>
I didn't get any joy from playing with this one. Assuming that
89c9e17d is a set of four 2-digit hex numbers, converting to
decimal and adding the dots gives 137.200.225.125, which looks like an
IP (137.200.225.125), but 'host' says it doesn't resolve: 3(NXDOMAIN).
Similarly, 'host' couldn't resolve api-89c8e17d into an IP address,
though it is evidently a private subdomain of duosecurity.com. See
below.
> Nov 12 20:14:16.379 [15295] dbg: rules: ran uri rule
> __LOCAL_PP_NONPPURL ======> got hit:
> "https://api-89c8e17d.duosecurity.com"
>
Looking this up with 'host' got me the IP 54.241.191.167
and a reverse lookup on that resolves it to:
ec2-54-241-191-167.us-west-1.compute.amazonaws.com.
IOW, it's probably a good thing that SA does think these are hex
addresses that can fire URI rules.
Martin
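
The distinction drawn in this thread between "is pure hex" and "contains long hex", together with the hex-to-dotted-quad reading tried above, as an added example that is not from any poster or from SpamAssassin. The 6-digit threshold, the function names and the sample hosts other than the duosecurity.com one are assumptions; the thread does not show the rule's actual pattern.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: "long" means at least this many hex digits. The thread does not
# give the threshold used by the real URI_HEX rule.
MIN_HEX_RUN = 6


def hex_runs(host, min_len=MIN_HEX_RUN):
    """Return hex runs of min_len or more digits that are not part of a longer word."""
    pattern = r"(?<![0-9a-z])[0-9a-f]{%d,}(?![0-9a-z])" % min_len
    return re.findall(pattern, host.lower())


def classify(url, min_len=MIN_HEX_RUN):
    """Separate 'a whole label is hex' from 'a label merely contains long hex'."""
    host = (urlsplit(url).hostname or "").lower()
    if not hex_runs(host, min_len):
        return "no-long-hex"
    label_is_hex = re.compile(r"[0-9a-f]{%d,}" % min_len).fullmatch
    if any(label_is_hex(label) for label in host.split(".")):
        return "pure-hex-label"
    return "contains-long-hex"


def hex_as_ipv4(run):
    """Read an 8-digit hex run as a packed IPv4 address, else None."""
    if len(run) != 8:
        return None
    return str(ipaddress.IPv4Address(int(run, 16)))


if __name__ == "__main__":
    samples = [
        "https://api-89c8e17d.duosecurity.com",  # from the thread
        "https://deadbeef.example.com",          # constructed
        "https://decade.example.com",            # constructed: a dictionary word that is all hex
        "https://www.example.com",               # constructed
    ]
    for url in samples:
        runs = hex_runs(urlsplit(url).hostname)
        decoded = [hex_as_ipv4(r) for r in runs if hex_as_ipv4(r)]
        print(url, classify(url), runs, decoded)
```

A word such as "decade" consists only of hex digits, so a length threshold alone also matches ordinary hostnames; that is a scoring consideration when relying on a "contains long hex" test.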