Posted to users@spamassassin.apache.org by Axb <ax...@gmail.com> on 2014/10/22 11:47:07 UTC
Hacked sites: "dropbox" V.2
uri AXB_URI_MLW_DROPBOX /\/dropbox\/doc\.php$/
score AXB_URI_MLW_DROPBOX 25.0
this rule will probably lose its teeth pretty fast....
enjoy
Re: Hacked sites: dropbox/googlebox/banking/newgdoc
Posted by Axb <ax...@gmail.com>.
lucky you.. you got it early:
right now:
ygdholdings.com listed on black.uribl.com
ygdholdings.com listed on jp.surbl.org
ygdholdings.com listed on mw.surbl.org
ygdholdings.com listed on uri.invaluement.com
On 11/13/2014 05:49 PM, Paul Stead wrote:
> Recent:
>
> http://www[.]ygdholdings[.]com/bankline/message[.]php
>
> On 08/11/14 15:19, Reindl Harald wrote:
>>
>> On 04.11.2014 at 11:30, Axb wrote:
>>> On 11/04/2014 02:31 AM, David Jones wrote:
>>>> Can someone post an example of this latest version to pastebin?
>>>> I filter for over 90,000 mailboxes and don't seem to be experiencing
>>>> this spam or it's getting blocked by other means. No user
>>>> complaints.
>>>
>>> just sighted:
>>> http://structuresgroup[.]com/dropbox/document[.]php
>>>
>>> structuresgroup.com listed on black.uribl.com
>>> structuresgroup.com listed on uri.invaluement.com
>>>
>>> http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php
>>>
>>> sunderlandscouts.org.uk listed on black.uribl.com
>>> sunderlandscouts.org.uk listed on uri.invaluement.com
>>>
>>>
>>> http://spschile[.]com/dropbox/document[.]php
>>>
>>> spschile.com listed on black.uribl.com
>>> spschile.com listed on uri.invaluement.com
>>
>> recent:
>> http://www[.]saarthakyatra[.]com/2014%20DOC[.]OBO/newgdoc/index[.]php
>>
>> uri RH_URI_MLW_ZEROHOUR
>> /\/(dropbox|googlebox|banking|newgdoc)\/(document|doc|invoice|index)\.php$/
>>
>>
> --
> Paul Stead
> Systems Engineer
> Zen Internet
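Added here as an editor's example, not code from the thread or from the SpamAssassin project: the `uri` rule versions posted above, run as plain Python regexes over the defanged URLs reported in the thread, so a rule maintainer can see which mutations each revision still catches and that no posted version matches the /bankline/message.php sighting. The `[.]` defanging and the /.../ delimiter handling are assumptions about the list's conventions; the rule-name suffixes `_v1`/`_v2` are added here to tell revisions apart.

```python
import re

# Constructed inventory of the `uri` rules as posted in this thread, oldest
# first. SpamAssassin applies each pattern to every URI extracted from the
# message body; the trailing `$` anchors the match at the end of the URI.
RULES = {
    "AXB_URI_MLW_DROPBOX_v1": r"/\/dropbox\/doc\.php$/",
    "AXB_URI_MLW_DROPBOX_v2": r"/\/dropbox\/(document|doc|invoice)\.php$/",
    "RH_URI_MLW_GOOGLEBOX1": r"/\/googlebox\/(document|doc|invoice)\.php$/",
    "RH_URI_MLW_BANKING": r"/\/banking\/(document|doc|invoice)\.php$/",
    "RH_URI_MLW_ZEROHOUR_v1":
        r"/\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/",
    "RH_URI_MLW_ZEROHOUR_v2":
        r"/\/(dropbox|googlebox|banking|newgdoc)\/(document|doc|invoice|index)\.php$/",
}

# The URLs reported in the thread, kept in the list's defanged `[.]` form.
SIGHTINGS = [
    "http://structuresgroup[.]com/dropbox/document[.]php",
    "http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php",
    "http://spschile[.]com/dropbox/document[.]php",
    "http://www[.]saarthakyatra[.]com/2014%20DOC[.]OBO/newgdoc/index[.]php",
    "http://www[.]ygdholdings[.]com/bankline/message[.]php",
]

def refang(url):
    """Undo the list's defanging so the rule sees the URI as SpamAssassin would."""
    return url.replace("[.]", ".")

def compile_sa_uri_rule(pattern):
    """Strip the Perl-style /.../flags delimiters of a `uri` rule body and compile
    it as a Python regex. The patterns in this thread use no Perl-only syntax, so
    the translation is lossless (assumption: only the `i` flag needs honouring)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.S)
    if not m:
        raise ValueError("not a /.../ rule body: %s" % pattern)
    body, flags = m.groups()
    return re.compile(body, re.I if "i" in flags else 0)

def evaluate(rules, sightings):
    """Return {defanged url: [names of rules that hit]} for every sighting."""
    compiled = {name: compile_sa_uri_rule(p) for name, p in rules.items()}
    return {url: [name for name, rx in compiled.items() if rx.search(refang(url))]
            for url in sightings}

def uncovered(rules, sightings):
    """Sightings no posted rule version matches: the mutations still to chase."""
    return [url for url, hits in evaluate(rules, sightings).items() if not hits]

if __name__ == "__main__":
    for url, hits in evaluate(RULES, SIGHTINGS).items():
        print(url, "->", ", ".join(hits) or "NO HIT")
```

Running it shows the three /dropbox/document.php sightings caught by the v2 and ZEROHOUR rules, the /newgdoc/index.php one caught only by the widened ZEROHOUR rule, and the /bankline/message.php one caught by nothing posted so far.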
Re: Hacked sites: dropbox/googlebox/banking/newgdoc
Posted by Paul Stead <pa...@zeninternet.co.uk>.
Recent:
http://www[.]ygdholdings[.]com/bankline/message[.]php
On 08/11/14 15:19, Reindl Harald wrote:
>
> On 04.11.2014 at 11:30, Axb wrote:
>> On 11/04/2014 02:31 AM, David Jones wrote:
>>> Can someone post an example of this latest version to pastebin?
>>> I filter for over 90,000 mailboxes and don't seem to be experiencing
>>> this spam or it's getting blocked by other means. No user
>>> complaints.
>>
>> just sighted:
>> http://structuresgroup[.]com/dropbox/document[.]php
>>
>> structuresgroup.com listed on black.uribl.com
>> structuresgroup.com listed on uri.invaluement.com
>>
>> http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php
>>
>> sunderlandscouts.org.uk listed on black.uribl.com
>> sunderlandscouts.org.uk listed on uri.invaluement.com
>>
>>
>> http://spschile[.]com/dropbox/document[.]php
>>
>> spschile.com listed on black.uribl.com
>> spschile.com listed on uri.invaluement.com
>
> recent:
> http://www[.]saarthakyatra[.]com/2014%20DOC[.]OBO/newgdoc/index[.]php
>
> uri RH_URI_MLW_ZEROHOUR
> /\/(dropbox|googlebox|banking|newgdoc)\/(document|doc|invoice|index)\.php$/
>
--
Paul Stead
Systems Engineer
Zen Internet
Re: Hacked sites: dropbox/googlebox/banking/newgdoc
Posted by Reindl Harald <h....@thelounge.net>.
On 04.11.2014 at 11:30, Axb wrote:
> On 11/04/2014 02:31 AM, David Jones wrote:
>> Can someone post an example of this latest version to pastebin?
>> I filter for over 90,000 mailboxes and don't seem to be experiencing
>> this spam or it's getting blocked by other means. No user
>> complaints.
>
> just sighted:
> http://structuresgroup[.]com/dropbox/document[.]php
>
> structuresgroup.com listed on black.uribl.com
> structuresgroup.com listed on uri.invaluement.com
>
> http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php
>
> sunderlandscouts.org.uk listed on black.uribl.com
> sunderlandscouts.org.uk listed on uri.invaluement.com
>
>
> http://spschile[.]com/dropbox/document[.]php
>
> spschile.com listed on black.uribl.com
> spschile.com listed on uri.invaluement.com
recent:
http://www[.]saarthakyatra[.]com/2014%20DOC[.]OBO/newgdoc/index[.]php
uri RH_URI_MLW_ZEROHOUR
/\/(dropbox|googlebox|banking|newgdoc)\/(document|doc|invoice|index)\.php$/
Re: Hacked sites: dropbox/googlebox/banking
Posted by Axb <ax...@gmail.com>.
On 11/04/2014 02:31 AM, David Jones wrote:
>> ________________________________________
>> From: Reindl Harald <h....@thelounge.net>
>> Sent: Monday, November 3, 2014 4:01 PM
>> To: users@spamassassin.apache.org
>> Subject: Re: Hacked sites: dropbox/googlebox/banking
>
>> On 03.11.2014 at 22:55, John Hardin wrote:
>>> On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
>>>> --On November 3, 2014 at 7:52:10 AM -0800 John Hardin
>>>> <jh...@impsec.org> wrote:
>>>>
>>>>> On Mon, 3 Nov 2014, Reindl Harald wrote:
>>>>>
>>>>>> in fact we can kill them all by a single rule and so extend it to
>>>>>> future filenames or foldernames
>>>>>>
>>>>>> uri RH_URI_MLW_ZEROHOUR
>>>>>> /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>>>>>> score RH_URI_MLW_ZEROHOUR 100
>>>>>
>>>>> Adding a tuned version of this to my sandbox right now.
>>>>
>>>> Care to share the tuned version?
>>>
>>> My rule sandbox is publicly visible via the project SVN browser...
>>>
>>> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
>>>
>>> But there are signs that this is too quickly-mutating for a standard
>>> rule maintained by sa-update to be useful
>
>> yes, but I guess reporting mutations in this thread after someone faces
>> the next version could be a great improvement - the last 3 versions
>> caught, minutes later, other messages to users here
>
> Can someone post an example of this latest version to pastebin?
> I filter for over 90,000 mailboxes and don't seem to be experiencing
> this spam or it's getting blocked by other means. No user complaints.
>
just sighted:
http://structuresgroup[.]com/dropbox/document[.]php
structuresgroup.com listed on black.uribl.com
structuresgroup.com listed on uri.invaluement.com
http://www[.]sunderlandscouts[.]org[.]uk/dropbox/document[.]php
sunderlandscouts.org.uk listed on black.uribl.com
sunderlandscouts.org.uk listed on uri.invaluement.com
http://spschile[.]com/dropbox/document[.]php
spschile.com listed on black.uribl.com
spschile.com listed on uri.invaluement.com
Re: Hacked sites: dropbox/googlebox/banking
Posted by Reindl Harald <h....@thelounge.net>.
On 04.11.2014 at 02:31, David Jones wrote:
>> From: Reindl Harald <h....@thelounge.net>
>> Sent: Monday, November 3, 2014 4:01 PM
>> To: users@spamassassin.apache.org
>> Subject: Re: Hacked sites: dropbox/googlebox/banking
>
>> On 03.11.2014 at 22:55, John Hardin wrote:
>>> On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
>>>> --On November 3, 2014 at 7:52:10 AM -0800 John Hardin
>>>> <jh...@impsec.org> wrote:
>>>>
>>>>> On Mon, 3 Nov 2014, Reindl Harald wrote:
>>>>>
>>>>>> in fact we can kill them all by a single rule and so extend it to
>>>>>> future filenames or foldernames
>>>>>>
>>>>>> uri RH_URI_MLW_ZEROHOUR
>>>>>> /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>>>>>> score RH_URI_MLW_ZEROHOUR 100
>>>>>
>>>>> Adding a tuned version of this to my sandbox right now.
>>>>
>>>> Care to share the tuned version?
>>>
>>> My rule sandbox is publicly visible via the project SVN browser...
>>>
>>> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
>>>
>>> But there are signs that this is too quickly-mutating for a standard
>>> rule maintained by sa-update to be useful
>
>> yes, but I guess reporting mutations in this thread after someone faces
>> the next version could be a great improvement - the last 3 versions
>> caught, minutes later, other messages to users here
>
> Can someone post an example of this latest version to pastebin?
> I filter for over 90,000 mailboxes and don't seem to be experiencing
> this spam or it's getting blocked by other means. No user complaints.
sorry, deleted after updating the rule, and because it was just a plaintext
two-liner it was not saved for Bayes training (could have a bad impact on
short legit mail)
since it made it to postmaster, it was maybe killed anyway for other users,
or would not even have made it to SA because of PTR or other violations;
until now it is indeed the only appearance with /banking/ - better safe than sorry
however, it follows the typical scheme http://domain/folder/filename.php
pointing to a hacked server
Re: Hacked sites: dropbox/googlebox/banking
Posted by David Jones <dj...@ena.com>.
>________________________________________
>From: Reindl Harald <h....@thelounge.net>
>Sent: Monday, November 3, 2014 4:01 PM
>To: users@spamassassin.apache.org
>Subject: Re: Hacked sites: dropbox/googlebox/banking
>On 03.11.2014 at 22:55, John Hardin wrote:
>> On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
>>> --On November 3, 2014 at 7:52:10 AM -0800 John Hardin
>>> <jh...@impsec.org> wrote:
>>>
>>>> On Mon, 3 Nov 2014, Reindl Harald wrote:
>>>>
>>>>> in fact we can kill them all by a single rule and so extend it to
>>>>> future filenames or foldernames
>>>>>
>>>>> uri RH_URI_MLW_ZEROHOUR
>>>>> /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>>>>> score RH_URI_MLW_ZEROHOUR 100
>>>>
>>>> Adding a tuned version of this to my sandbox right now.
>>>
>>> Care to share the tuned version?
>>
>> My rule sandbox is publicly visible via the project SVN browser...
>>
>> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
>>
>> But there are signs that this is too quickly-mutating for a standard
>> rule maintained by sa-update to be useful
>yes, but I guess reporting mutations in this thread after someone faces
>the next version could be a great improvement - the last 3 versions
>caught, minutes later, other messages to users here
Can someone post an example of this latest version to pastebin?
I filter for over 90,000 mailboxes and don't seem to be experiencing
this spam or it's getting blocked by other means. No user complaints.
Re: Hacked sites: dropbox/googlebox/banking
Posted by Reindl Harald <h....@thelounge.net>.
On 03.11.2014 at 22:55, John Hardin wrote:
> On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
>> --On November 3, 2014 at 7:52:10 AM -0800 John Hardin
>> <jh...@impsec.org> wrote:
>>
>>> On Mon, 3 Nov 2014, Reindl Harald wrote:
>>>
>>>> in fact we can kill them all by a single rule and so extend it to
>>>> future filenames or foldernames
>>>>
>>>> uri RH_URI_MLW_ZEROHOUR
>>>> /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>>>> score RH_URI_MLW_ZEROHOUR 100
>>>
>>> Adding a tuned version of this to my sandbox right now.
>>
>> Care to share the tuned version?
>
> My rule sandbox is publicly visible via the project SVN browser...
>
> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
>
> But there are signs that this is too quickly-mutating for a standard
> rule maintained by sa-update to be useful
yes, but I guess reporting mutations in this thread after someone faces
the next version could be a great improvement - the last 3 versions
caught, minutes later, other messages to users here
Re: Hacked sites: dropbox/googlebox/banking
Posted by John Hardin <jh...@impsec.org>.
On Mon, 3 Nov 2014, Quanah Gibson-Mount wrote:
> --On November 3, 2014 at 7:52:10 AM -0800 John Hardin <jh...@impsec.org>
> wrote:
>
>> On Mon, 3 Nov 2014, Reindl Harald wrote:
>>
>> > in fact we can kill them all by a single rule and so extend it to future
>> > filenames or foldernames
>> >
>> > uri RH_URI_MLW_ZEROHOUR
>> > /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>> > score RH_URI_MLW_ZEROHOUR 100
>>
>> Adding a tuned version of this to my sandbox right now.
>
> Care to share the tuned version?
My rule sandbox is publicly visible via the project SVN browser...
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/
But there are signs that this is too quickly-mutating for a standard rule
maintained by sa-update to be useful.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You know things are bad when Pravda says we [the USA] have gone
too far to the left. -- Joe Huffman
-----------------------------------------------------------------------
8 days until Veterans Day
Re: Hacked sites: dropbox/googlebox/banking
Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On November 3, 2014 at 7:52:10 AM -0800 John Hardin <jh...@impsec.org>
wrote:
> On Mon, 3 Nov 2014, Reindl Harald wrote:
>
>> in fact we can kill them all by a single rule and so extend it to future
>> filenames or foldernames
>>
>> uri RH_URI_MLW_ZEROHOUR
>> /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
>> score RH_URI_MLW_ZEROHOUR 100
>
> Adding a tuned version of this to my sandbox right now.
Care to share the tuned version?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: Hacked sites: dropbox/googlebox/banking
Posted by John Hardin <jh...@impsec.org>.
On Mon, 3 Nov 2014, Reindl Harald wrote:
> in fact we can kill them all by a single rule and so extend it to future
> filenames or foldernames
>
> uri RH_URI_MLW_ZEROHOUR
> /\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
> score RH_URI_MLW_ZEROHOUR 100
Adding a tuned version of this to my sandbox right now.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the good of having the government prohibited from doing harm
far outweighs the harm of having it obstructed from doing good.
-- Mike@mike-istan
-----------------------------------------------------------------------
8 days until Veterans Day
Re: Hacked sites: dropbox/googlebox/banking
Posted by Reindl Harald <h....@thelounge.net>.
in fact we can kill them all by a single rule and so extend it to future
filenames or foldernames
uri RH_URI_MLW_ZEROHOUR
/\/(dropbox|googlebox|banking)\/(document|doc|invoice)\.php$/
score RH_URI_MLW_ZEROHOUR 100
On 03.11.2014 at 15:53, Reindl Harald wrote:
> On 30.10.2014 at 16:56, Marieke Janssen wrote:
>> uri AXB_URI_MLW_DROPBOX /\/dropbox\/(document|doc|invoice)\.php$/
>> score AXB_URI_MLW_DROPBOX 100
>>
>> uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/(document|doc|invoice)\.php$/
>> score RH_URI_MLW_GOOGLEBOX1 100
>>
>> added invoice.php
>>
>>> On 22.10.2014 at 11:47, Axb wrote:
>>>> uri AXB_URI_MLW_DROPBOX /\/dropbox\/doc\.php$/
>>>> score AXB_URI_MLW_DROPBOX 25.0
>>>>
>>>> this rule will probably lose its teeth pretty fast....
>>
>>> thanks, the same applies to "googlebox"
>>
>>> uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/document\.php$/
>>> score RH_URI_MLW_GOOGLEBOX1 100
>>> uri RH_URI_MLW_GOOGLEBOX2 /\/googlebox\/doc\.php$/
>>> score RH_URI_MLW_GOOGLEBOX2 100
>
> and the next one with "Payment Advice" subjects recently hit our
> postmaster account, same scheme
>
> uri RH_URI_MLW_BANKING /\/banking\/(document|doc|invoice)\.php$/
> score RH_URI_MLW_BANKING 100
Re: Hacked sites: "dropbox" V.2
Posted by Reindl Harald <h....@thelounge.net>.
On 30.10.2014 at 16:56, Marieke Janssen wrote:
> uri AXB_URI_MLW_DROPBOX /\/dropbox\/(document|doc|invoice)\.php$/
> score AXB_URI_MLW_DROPBOX 100
>
> uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/(document|doc|invoice)\.php$/
> score RH_URI_MLW_GOOGLEBOX1 100
>
> added invoice.php
>
>> On 22.10.2014 at 11:47, Axb wrote:
>>> uri AXB_URI_MLW_DROPBOX /\/dropbox\/doc\.php$/
>>> score AXB_URI_MLW_DROPBOX 25.0
>>>
>>> this rule will probably lose its teeth pretty fast....
>
>> thanks, the same applies to "googlebox"
>
>> uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/document\.php$/
>> score RH_URI_MLW_GOOGLEBOX1 100
>> uri RH_URI_MLW_GOOGLEBOX2 /\/googlebox\/doc\.php$/
>> score RH_URI_MLW_GOOGLEBOX2 100
and the next one with "Payment Advice" subjects recently hit our
postmaster account, same scheme
uri RH_URI_MLW_BANKING /\/banking\/(document|doc|invoice)\.php$/
score RH_URI_MLW_BANKING 100
RE: Hacked sites: "dropbox" V.2
Posted by Marieke Janssen <mj...@myguard.nl>.
Hello,
uri AXB_URI_MLW_DROPBOX /\/dropbox\/(document|doc|invoice)\.php$/
score AXB_URI_MLW_DROPBOX 100
uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/(document|doc|invoice)\.php$/
score RH_URI_MLW_GOOGLEBOX1 100
added invoice.php
/MJ
>On 22.10.2014 at 11:47, Axb wrote:
>> uri AXB_URI_MLW_DROPBOX /\/dropbox\/doc\.php$/
>> score AXB_URI_MLW_DROPBOX 25.0
>>
>> this rule will probably lose its teeth pretty fast....
>thanks, the same applies to "googlebox"
>uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/document\.php$/
>score RH_URI_MLW_GOOGLEBOX1 100
>uri RH_URI_MLW_GOOGLEBOX2 /\/googlebox\/doc\.php$/
>score RH_URI_MLW_GOOGLEBOX2 100
Re: Hacked sites: "dropbox" V.2
Posted by Reindl Harald <h....@thelounge.net>.
On 22.10.2014 at 11:47, Axb wrote:
> uri AXB_URI_MLW_DROPBOX /\/dropbox\/doc\.php$/
> score AXB_URI_MLW_DROPBOX 25.0
>
> this rule will probably lose its teeth pretty fast....
thanks, the same applies to "googlebox"
uri RH_URI_MLW_GOOGLEBOX1 /\/googlebox\/document\.php$/
score RH_URI_MLW_GOOGLEBOX1 100
uri RH_URI_MLW_GOOGLEBOX2 /\/googlebox\/doc\.php$/
score RH_URI_MLW_GOOGLEBOX2 100