Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2010/04/17 20:25:14 UTC

More freemail URI spam

Hi,

I'm hoping someone can help me with a rule to catch URI spam variation
from freemail domains:

http://pastebin.com/SkrKykYj

This one is another urlshortener. How is this class of redirection
spam being stopped by everyone these days?

I've tried to adapt the ones I have, but this is very generic. I guess
it's so generic that it has a lot of similarities with valid hotmail
email, thus causing BAYES_50?

How are these messages being sent? Through compromised legitimate
hotmail accounts? Someone from a remote network connects to hotmail
via SMTP directly, authorizes themselves as a user of a compromised
account (SMTP auth?), then pipes their spam through their server as
that user?

Thanks,
Alex

Re: More freemail URI spam

Posted by Jonas Eckerman <jo...@frukt.org>.
On 2010-04-17 21:04, Alex wrote:

> Maybe someone knows of a list of all the URL shorteners to be used in
> a combo uri/meta rule?

I very much doubt that you'll find a list of *all* the URL shorteners.
New ones crop up all the time, and old ones disappear.

Marc Perkel posted about a DNS based list he's hosting a while back. I'm 
attaching that message to this one.

Regards
/Jonas
-- 
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/

RE: More freemail URI spam

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
> Generally speaking, anything deemed worthwhile is added to SA proper
> (unless there's a licensing question).  The exceptions come from
> automated rules (like Sought, MBL, SARE 2tld, and Khop-sc-neighbors),

90_2tld.cf has been replaced by the official rule file 20_aux_tlds.cf.  From the comments in that file:

# This file replaces the SARE http://www.rulesemporium.com/rules/90_2tld.cf
# which will be deprecated as from 2010-05-01

Re: More freemail URI spam

Posted by Adam Katz <an...@khopis.com>.
On 04/18/2010 11:15 PM, Alex wrote:
> Incidentally, are there other "CustomRulesets" that you think should 
> or shouldn't be used?
> 
> http://wiki.apache.org/spamassassin/CustomRulesets
> 
> At the least, the Chickenpox and backhair, by the same author, should
> be noted on this page as no longer recommended, in the same
> way sa-blacklist or others are listed.

Sought and MBL are still active.  My stuff is active but I haven't
gotten around to posting there.  I'm not sure if anything else there is
active.  Lots of it IS posted with date info or listed as inactive or
otherwise ill advised.  Lots more is NOT.

If we can determine what each one's status is, we might get a volunteer
(maybe me) to go in and update it.  Back-dating would require looking at
the wiki history.

Generally speaking, anything deemed worthwhile is added to SA proper
(unless there's a licensing question).  The exceptions come from
automated rules (like Sought, MBL, SARE 2tld, and Khop-sc-neighbors),
plugin-dependent rules, and language-specific rules (if you happen to be
an outlier who receives things in those languages and need help
distinguishing ham from spam, but textcat and relaycountry are
preferable if you don't get ham in that language).


Re: More freemail URI spam

Posted by Alex <my...@gmail.com>.
Hi,

>> Yes, big help. That did it, using the default scores. This was
>> written a number of years ago. Do you think it's still safe to use
>> the default scores?
>
> NO!
>
> I put some of the (previously) better-performing chickenpox rules into
> my sandbox a while ago to investigate this.  It's still there:

Incidentally, are there other "CustomRulesets" that you think should
or shouldn't be used?

http://wiki.apache.org/spamassassin/CustomRulesets

At the least, the Chickenpox and backhair, by the same author, should
be noted on this page as no longer recommended, in the same way
sa-blacklist or others are listed.

It's also a bit strange that among all the antiquated rule sets is the
sought rules, as if it were just another third-party static rules
file.

Thanks,
Alex

Re: More freemail URI spam

Posted by Jonas Eckerman <jo...@frukt.org>.
On 2010-04-17 23:51, Alex wrote:

>> Somebody on this list wrote a parser to actually parse shorteners to
>> their obscured URLs.

> That would sure be great. I hadn't seen that, but would like to know
> more about it. Sounds like a better solution...

That'd be me. It's a plugin called URLRedirect and it's available at
<http://whatever.frukt.org/spamassassin.text.shtml>

It can use Marc's DNS based URL shortener list.

Regards
/Jonas
-- 
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/

Re: More freemail URI spam

Posted by Alex <my...@gmail.com>.
Hi,

>> Yes, big help. That did it, using the default scores. This was
>> written a number of years ago. Do you think it's still safe to use
>> the default scores?
>
> NO!
>
> I put some of the (previously) better-performing chickenpox rules into
> my sandbox a while ago to investigate this.  It's still there:

Okay, great, thanks for the follow-up. I'll be sure to not use those
and concentrate on the URL shortener improvements.

> Somebody on this list wrote a parser to actually parse shorteners to
> their obscured URLs.

That would sure be great. I hadn't seen that, but would like to know
more about it. Sounds like a better solution...

> I've checked in a test at r935257  http://tinyurl.com/sa-r935257  (using
> a shortened link seemed appropriate here).  This adds two rules,
> URL_SHORTENER (which detects a known URL shortening service) and
> SHORT_URL (which notices a particularly short ccTLD link that does NOT
> use a known shortening service).

That's great. I still need to learn more about how masschecks work to
understand the output from what you've posted, but will continue to
follow it.

Thanks,
Alex

Re: More freemail URI spam

Posted by Adam Katz <an...@khopis.com>.
>> You might want to look into the old Chickenpox rule.

On 04/17/2010 03:04 PM, Alex wrote:
> Yes, big help. That did it, using the default scores. This was
> written a number of years ago. Do you think it's still safe to use
> the default scores?

NO!

I put some of the (previously) better-performing chickenpox rules into
my sandbox a while ago to investigate this.  It's still there:

Now:  http://ruleqa.spamassassin.org/?rule=/CHICKENPOX
2004: http://wiki.apache.org/spamassassin/MasscheckChickenpox

They are abysmal; the best S/O was 0.339, which means it hit more ham
than spam.

> I still wish I had a better grasp on regex so I could write a
> correct rule to catch these, as I think that is probably the best
> approach. Maybe someone knows of a list of all the URL shorteners to
> be used in a combo uri/meta rule?
> 
> Since the whole point is to shorten the URL, I bet I could write 
> something that categorically checks for a URL that's short -- small 
> host part plus small pathname...

Somebody on this list wrote a parser to actually parse shorteners to
their obscured URLs.  You're looking at something far simpler, which we
can certainly try.

I've checked in a test at r935257  http://tinyurl.com/sa-r935257  (using
a shortened link seemed appropriate here).  This adds two rules,
URL_SHORTENER (which detects a known URL shortening service) and
SHORT_URL (which notices a particularly short ccTLD link that does NOT
use a known shortening service).

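Added example (my own sketch, not the rules Adam committed in r935257, whose exact regexes are not shown here): the two detection ideas from this thread, a known-shortener lookup (URL_SHORTENER) and a "short ccTLD link" heuristic (SHORT_URL), plus the freemail-sender combination Alex asked about as a uri/meta rule, run over a constructed message body. The shortener list, freemail list and length thresholds are assumptions; in SpamAssassin the same logic would be expressed as `uri` and `meta` rules.

```python
import re
from urllib.parse import urlsplit

# Constructed, illustrative lists; a production list (e.g. Marc's DNS-based
# shortener list mentioned in the thread) would be far larger and maintained.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd", "t.co", "ow.ly"}
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}

CCTLD_RE = re.compile(r"\.[a-z]{2}$", re.I)          # two-letter TLD
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)   # crude body URI extractor
MAX_HOST, MAX_PATH = 8, 8                             # assumed "short" thresholds


def classify_uri(uri):
    """Return the set of rule names this URI would hit.
    URL_SHORTENER: host is a known shortening service.
    SHORT_URL: short ccTLD host with a short path, not a known service."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    hits = set()
    if host in KNOWN_SHORTENERS:
        hits.add("URL_SHORTENER")
    elif (CCTLD_RE.search(host) and len(host) <= MAX_HOST
          and 0 < len(path) <= MAX_PATH and not parts.query):
        hits.add("SHORT_URL")
    return hits


def scan_body(body):
    """Union of hits over every URI in the body, as a uri rule would fire."""
    hits = set()
    for m in URI_RE.finditer(body):
        hits |= classify_uri(m.group(0))
    return hits


def freemail_shortener_meta(from_addr, body):
    """Analogue of a meta rule: freemail sender AND shortener/short link."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return domain in FREEMAIL_DOMAINS and bool(scan_body(body))


# Constructed sample body: one known shortener, one short ccTLD link, one normal link.
SAMPLE = ("Hey check this out http://bit.ly/3xYz9q cool stuff\n"
          "also http://ab.cd/q7f and our site http://www.example.com/products/list")

if __name__ == "__main__":
    print(scan_body(SAMPLE))
    print(freemail_shortener_meta("someone@hotmail.com", SAMPLE))
```

The heuristic deliberately excludes links with a query string and bare-host links, since both are common in legitimate mail; a ccTLD match alone (`.ly`, `.gd`) is not enough to flag a URI.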

Re: More freemail URI spam

Posted by John Hardin <jh...@impsec.org>.
On Sat, 17 Apr 2010, Alex wrote:

>>> http://pastebin.com/SkrKykYj
>>
>> You might want to look into the old Chickenpox rule.
>
> Yes, big help. That did it, using the default scores. This was written
> a number of years ago. Do you think it's still safe to use the default
> scores?

I think the problems that Chickenpox has recently are primarily due to
non-English languages. If your mail stream includes non-English text, you
might look into the FP rate and consider a meta with the charset or some
other language indicator to reduce the score for it on non-English
messages.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Our government should bear in mind the fact that the American
   Revolution was touched off by the then-current government
   attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
  2 days until the 235th anniversary of The Shot Heard 'Round The World

Re: More freemail URI spam

Posted by Alex <my...@gmail.com>.
Hi,

>> http://pastebin.com/SkrKykYj
>
> You might want to look into the old Chickenpox rule.

Yes, big help. That did it, using the default scores. This was written
a number of years ago. Do you think it's still safe to use the default
scores?

I still wish I had a better grasp on regex so I could write a correct
rule to catch these, as I think that is probably the best approach.
Maybe someone knows of a list of all the URL shorteners to be used in
a combo uri/meta rule?

Since the whole point is to shorten the URL, I bet I could write
something that categorically checks for a URL that's short -- small
host part plus small pathname...

Thanks,
Alex

Re: More freemail URI spam

Posted by John Hardin <jh...@impsec.org>.
On Sat, 17 Apr 2010, Alex wrote:

> I'm hoping someone can help me with a rule to catch URI spam variation
> from freemail domains:
>
> http://pastebin.com/SkrKykYj

You might want to look into the old Chickenpox rule.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ten-millimeter explosive-tip caseless, standard light armor
   piercing rounds. Why?
-----------------------------------------------------------------------
  2 days until the 235th anniversary of The Shot Heard 'Round The World