Posted to users@spamassassin.apache.org by Florian Lagg <fl...@lagg.at> on 2009/01/07 16:46:44 UTC

Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Hello!
 
In the last few days my SpamAssassin does not filter a (for me) new kind of
spam. I have an idea how to fight this spam and want to ask the list if this
is possible with SA.
 
First a short analysis of what's going on:
 
1st fact: I get mails like this one:
-----------------------
Subject: We wish you a wealthy New Year!
Text:
We are offering fantastic Christmas present for our new players who register
with us. Sign up now and get your holiday bonus worth $200.
 
http://neurotika.net/2009.php

-----------------------
It gets X-Spam_score: -1.1
because of:
 -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
 [score: 0.0482]
Most of these mails get a score near 0 or lower.
 
2nd fact: HTTP Error 302
The URI and Subject/Text in this mail change in every mail.
The interesting part is the URI. I think it's a PHP file uploaded by some kind of
webserver attack or virus (doesn't matter here).
This file sends a 302 Moved Temporarily and sends the browser to
http://58.65.232.17/~casino/
 
3rd fact: How we could identify these mails as spam:
The URL we get by the 302 error could be checked against a DNSBL, which results
in a hit on many lists.
So - if possible - I want SpamAssassin to:
1. Request the links in the mail body and check them for http-error 302 or
meta redirects
2. Check the links we got by doing this against some DNSBLs
 
Is this possible? Is there a reason why we shouldn't do this?
Is there a better way to identify those spam mails? (Below I have some more
examples)
I know this could be a performance problem - but if this feature is possible
I want to turn this on for my server. I agree this shouldn't be on by
default.
 
I use: 
SpamAssassin version 3.2.5
  running on Perl version 5.8.8

With these update channels:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_genlsubj_x30.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_zmi_german.cf.zmi.sa-update.dostech.net
88_FVGT_Bayes_Poison.cf.sare.sa-update.dostech.net
88_FVGT_Tripwire.cf.sare.sa-update.dostech.net
88_FVGT_rawbody.cf.sare.sa-update.dostech.net
88_FVGT_subject.cf.sare.sa-update.dostech.net
chickenpox.cf.sare.sa-update.dostech.net

Thanks in advance for your comments.
 
-- 
Florian Lagg
- 
 Florian Lagg - IT-Komplettlösungen
 Juch 7, 6631 Lermoos
 tel +43 (676) 344 677 5
  <http://www.lagg.at/> www.lagg.at -  <ma...@lagg.at> info@lagg.at
-
 Xing:  <http://www.xing.com/go/invite/7372113.3da562>
-
 
More examples:
------------------------------

Hey! Do you believe that when New Year Eve comes all dreams come true? If
you don't, we can assure you that it is right as we are giving you
unbelievable bonuses upon registration.



http://florafloricultura.com.br/2009.php

------------------------------

Santa is very generous this year and he is ready to give the welcome bonuses
even to those players who have been naughty this year. So don't miss your
chance and hurry to register with us.



http://terraverde-rj.org/2009.php

------------------------------

Santa Claus is coming to town and bringing amazing bonuses for all the lucky
customers that sign in now. So hurry to pick your Christmas bonus now!



http://creationsitecms.com/2009.php

------------------------------

We have wonderful betting limits for you - from $1 to $1000 - so even if you
are broke, you still can play with us. Isn't that just a Christmas miracle?




http://soldavila.com/2009.php

------------------------------
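As an added example (not from this thread and not SpamAssassin's own code), the Python below sketches step 2 of the proposal, the DNSBL lookup, applied only to hosts that already appear in the message body, which is how a URI blacklist check works without the fetch that the replies in this thread object to. The zone `uribl.example`, the resolver table, the 127.0.0.2 "listed" answer and the sample body are all constructed; the two-label domain reduction is a simplification.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample body modelled on the mails quoted in the thread, plus the
# IP-literal host from the redirect and a clean host, so all three cases run.
SAMPLE_BODY = """Sign up now and get your holiday bonus worth $200.

http://neurotika.net/2009.php
Mirror: http://58.65.232.17/~casino/ (HTTP://Example.ORG/landing is clean)"""
URI_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)

# Hypothetical zone and a constructed resolver table standing in for real DNS
# answers; treating 127.0.0.2 as "listed" is an assumption, not a real list's codes.
ZONE = "uribl.example"
FAKE_DNS: Dict[str, List[str]] = {
    f"neurotika.net.{ZONE}": ["127.0.0.2"],
    f"17.232.65.58.{ZONE}": ["127.0.0.2"],
}

def fake_resolve(name: str) -> List[str]:
    """Stand-in for a DNS A lookup; an empty list means NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name, [])

def extract_hosts(body: str) -> List[str]:
    """Host part of every http(s) URI in the body, lower-cased and de-duplicated."""
    hosts: List[str] = []
    for uri in URI_RE.findall(body):
        host = (urlsplit(uri).hostname or "").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dnsbl_query_name(host: str, zone: str = ZONE) -> str:
    """Reversed octets for an IP literal, else the last two labels (a simplification
    of the registrable-domain reduction real URIBLs apply)."""
    try:
        octets = str(ipaddress.IPv4Address(host)).split(".")
        return ".".join(reversed(octets)) + "." + zone
    except ipaddress.AddressValueError:
        return ".".join(host.strip(".").split(".")[-2:]) + "." + zone

def check_body(body: str, resolve: Callable[[str], List[str]] = fake_resolve
               ) -> Dict[str, Optional[str]]:
    """Map each host in the body to its DNSBL answer (None when unlisted). Only DNS
    is consulted; no HTTP request is made, so nothing is fetched from a
    sender-controlled host and no per-recipient tracking URL gets confirmed."""
    return {h: (resolve(dnsbl_query_name(h)) or [None])[0] for h in extract_hosts(body)}
```

Swapping `fake_resolve` for a real A-record lookup against a list you trust gives the same shape of check SpamAssassin's URI DNSBL rules perform; the redirect target only scores here because it was placed in the sample body, not because anything was fetched.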



Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Rob McEwen <ro...@invaluement.com>.
Florian Lagg wrote:
> In the last few days my Spamassassign does not filter a (for me) new
> kind of spam. I have an idea how to fight this spam and want to ask
> the list if this is possible with SA.
>  
> <snip>
>  
> More examples:
> ------------------------------
> Hey! Do you believe that when New Year Eve comes all dreams come true? If you don't, we can assure you that it is right as we are giving you unbelievable bonuses upon registration.
>
> http://florafloricultura.com.br/2009.php
>   
This one is not on surbl or uribl, but blacklisted on ivmURI at
1/5/2009, 11:19:51 PM EST, fwiw

> ------------------------------
> Santa is very generous this year and he is ready to give the welcome bonuses even to those players who have been naughty this year. So don't miss your chance and hurry to register with us.
>
> http://terraverde-rj.org/2009.php
>   
This one is not on surbl or uribl or ivmURI, but listed on URIBL-RED, fwiw

> ------------------------------
> Santa Claus is coming to town and bringing amazing bonuses for all the lucky customers that sign in now. So hurry to pick your Christmas bonus now!
>
> http://creationsitecms.com/2009.php
>   
...unfortunately, I can't find this on any URI blacklist.

> ------------------------------
> We have wonderful betting limits for you - from $1 to $1000 - so even if you are broke, you still can play with us. Isn't that just a Christmas miracle?
>
> http://soldavila.com/2009.php
> ------------------------------
>   
This one is not on surbl or uribl, but blacklisted on ivmURI at
1/6/2009, 7:16:50 AM EST, fwiw

SUMMARY: Of your 4 extra examples, 2 are listed on ivmURI, and 1 is
listed on URIBL-RED.

NOTE: If you report a URIBL-RED False Positive, they'll tell you that it
really isn't a FP because URIBL-RED is an experimental list. Still, I
think that URIBL-RED is worthy of use, even if scored a tiny bit below
URIBL-BLACK.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Benny Pedersen <me...@junc.org>.
On Wed, January 7, 2009 19:05, Raymond Dijkxhoorn wrote:

> Besides that, it's a perfect way to ack your address to them. If they
> make a url like blah.at.blah.com and that's corresponding to your
> address, like this or url encoded, they know your address is
> active, real handy.

it also works on spamtraps, real handy

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> Besides the DDOS issue, there's a privacy issue, which is messy with
> DNSBLs already.  Nothing SA does should send network traffic to a place
> controlled by the mail sender.  Checking a DNSBL for which there's some
> reason to believe they aren't underhanded is one thing, but fetching
> stuff from a spammer's site, or enabling a backdoor delivery
> confirmation is IMHO not ok.

Besides that, it's a perfect way to ack your address to them. If they make
a url like blah.at.blah.com and that's corresponding to your address, like
this or url encoded, they know your address is active, real handy.

Bye,
Raymond.

Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Henrik K <he...@hege.li>.
On Wed, Jan 07, 2009 at 12:44:39PM -0500, Greg Troxel wrote:
> 
> Besides the DDOS issue, there's a privacy issue, which is messy with
> DNSBLs already.  Nothing SA does should send network traffic to a place
> controlled by the mail sender.  Checking a DNSBL for which there's some
> reason to believe they aren't underhanded is one thing, but fetching
> stuff from a spammer's site, or enabling a backdoor delivery
> confirmation is IMHO not ok.

I guess if someone wants such a feature, it's simple to code. But I doubt it
catches anything that you couldn't otherwise detect. ClamAV also has a silly
MailFollowURLs option.


Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Greg Troxel <gd...@ir.bbn.com>.
Besides the DDOS issue, there's a privacy issue, which is messy with
DNSBLs already.  Nothing SA does should send network traffic to a place
controlled by the mail sender.  Checking a DNSBL for which there's some
reason to believe they aren't underhanded is one thing, but fetching
stuff from a spammer's site, or enabling a backdoor delivery
confirmation is IMHO not ok.

AW: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Florian Lagg <fl...@lagg.at>.
> You can look at the WebRedirect plugin on
> http://wiki.apache.org/spamassassin/CustomPlugins
>
>    Possible?  Sure.
>    Should?  Not unless you want to turn your (and anyone else running that code's)
>    machine into a DDoS client.
>
>    In other words, while it's possible to shoot yourself in the face, it's really
>    not a good idea to do so.
> 
> There are various WARNING: PRIVACY AND TECHNICAL ISSUES listed in the
> plugin.   I used the plugin for a while, but stopped using it when the
> number of hits dropped off.
> 
> -jeff

Thank you guys. You're perfectly right. 
It is a privacy issue. I will not use this plugin. Thanks for your
clarifications. 

What else can I do?
Is it enough to train the bayes filters on this (currently it has <200 mails
trained because I'm almost the only one who is training the filter on my
server and I do get less spam)?

Thanks for your effort.

Greetings 
Florian


Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Jeff Mincy <je...@delphioutpost.com>.
   From: Theo Van Dinter <fe...@apache.org>
   Date: Wed, 7 Jan 2009 11:36:18 -0500
   
   On Wed, Jan 07, 2009 at 04:46:44PM +0100, Florian Lagg wrote:
   > So - if possible - I want spamassassign to:
   > 1. Request the links in the mail body and check them for http-error 302 or
   > meta redirects
   > 2. Check the links we got by doing this against some DNSBL's
   >  
   > Is this possible? Is there a reason why we shouldn't do this?

You can look at the WebRedirect plugin on 
http://wiki.apache.org/spamassassin/CustomPlugins
   
   Possible?  Sure.
   Should?  Not unless you want to turn your (and anyone else running that code's)
   machine into a DDoS client.

   In other words, while it's possible to shoot yourself in the face, it's really
   not a good idea to do so.

There are various WARNING: PRIVACY AND TECHNICAL ISSUES listed in the
plugin.   I used the plugin for a while, but stopped using it when the
number of hits dropped off.

-jeff

Re: Spam with clean URI's which forward to DNSBListed URL (by HTML redirect header)

Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Jan 07, 2009 at 04:46:44PM +0100, Florian Lagg wrote:
> So - if possible - I want spamassassign to:
> 1. Request the links in the mail body and check them for http-error 302 or
> meta redirects
> 2. Check the links we got by doing this against some DNSBL's
>  
> Is this possible? Is there a reason why we shouldn't do this?

Possible?  Sure.
Should?  Not unless you want to turn your (and anyone else running that code's)
machine into a DDoS client.

In other words, while it's possible to shoot yourself in the face, it's really
not a good idea to do so.

-- 
Randomly Selected Tagline:
"Where are all the great pot head writers?  There aren't any.  Because no
 one wants to read a book about the most delicious twinkie."
                         - Dave Attell, Insomniac, New York City, 2001