Posted to users@spamassassin.apache.org by martin smith <ma...@ntlworld.com> on 2005/03/05 00:47:04 UTC

SURBL missing this spam

I must have received this spam 12 times or more in the last 24 hours and
even though it's listed on the SURBL, spamassassin fails to match it against
them.
When I submit the spams to spamcop it parses the url every time.
SURBL seems to work on all other spams, just wondering if they have found a
way to avoid spamassassin catching the URL.

Martin

Received: from localhost by marti.mine.nu with SpamAssassin (version
3.0.2); Fri, 04 Mar 2005 19:41:42 +0000
From: "Valium $69.95, Cialis $89.95, Viagra $69.95, Phen $69.95, Soma
$59.95" <mo...@bigpuns.com>
To: <jm...@lineone.net>
Subject: **SPAM** RE: Refill
Date: Fri, 04 Mar 2005 14:44:12 -0500
Message-Id: <00...@qf.lzd>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on marti.mine.nu
X-Spam-Level: **************
X-Spam-Status: Yes, score=14.2 required=5.0
tests=BAYES_99,HTML_90_100,HTML_IMAGE_ONLY_12,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_NERDS_KR autolearn=no
MIME-Version: 1.0
Content-Type: text/plain
X-UIDL: j4n!!]Si"!ICE!!2o0"!

Spam detection software, running on the system "marti.mine.nu", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
postmaster@marti.mine.nu for details.

Content preview:  ONLINE PHARMACY Next-Day Shipping! Buy from the 
  Leading Online Pharmacy! [...] 

Content analysis details:   (14.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
 2.9 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words
 0.2 HTML_MESSAGE           BODY: HTML included in message
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 4.9 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 2.4 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.5 RCVD_IN_NERDS_KR       RBL: Received from South Korea
                            [222.109.74.199 listed in zz.countries.nerd.dk]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Re: SURBL missing this spam

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Bill Landry" <bi...@pointshare.com>

> > I must have received this spam 12 times or more in the last 24 hours and
> > even though it's listed on the SURBL, spamassassin fails to match it
> > against them.
> > When I submit the spams to spamcop it parses the url every time.
> > SURBL seems to work on all other spams, just wondering if they have
> > found a way to avoid spamassassin catching the URL.
> >
> > Martin
>
> Hmmm, that does seem strange.  Didn't get caught here, either.  However:
>
>     crazyrxl0wprices.com.multi.surbl.org. 2100 IN A 127.0.0.114
>
> So http://crazyrxl0wprices.com is listed on several of the SURBL multi
> lists.  Let's see if this message gets flagged or not...

Yep, caught by all SURBL multi lists that compound to equal 127.0.0.114:

URIBL_AB_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL

Don't know why the domain was not flagged on the message you forwarded to
the SA list; it clearly showed up in the message source file.

Bill


Re: SURBL missing this spam

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "martin smith" <ma...@ntlworld.com>

> I must have received this spam 12 times or more in the last 24 hours and
> even though it's listed on the SURBL, spamassassin fails to match it
> against them.
> When I submit the spams to spamcop it parses the url every time.
> SURBL seems to work on all other spams, just wondering if they have found
> a way to avoid spamassassin catching the URL.
>
> Martin

Hmmm, that does seem strange.  Didn't get caught here, either.  However:

    crazyrxl0wprices.com.multi.surbl.org. 2100 IN A 127.0.0.114

So http://crazyrxl0wprices.com is listed on several of the SURBL multi
lists.  Let's see if this message gets flagged or not...

Bill


Re: [SPAM-TAG] SURBL missing this spam

Posted by Bill Landry <bi...@pointshare.com>.
----- Original Message ----- 
From: "Jeff Chan" <je...@surbl.org>

> On Friday, March 4, 2005, 3:47:04 PM, martin smith wrote:
> > I must have received this spam 12 times or more in the last 24 hours and
> > even though it's listed on the SURBL, spamassassin fails to match it
> > against them.
> > When I submit the spams to spamcop it parses the url every time.
> > SURBL seems to work on all other spams, just wondering if they have
> > found a way to avoid spamassassin catching the URL.
>
> > Martin
>
> The URI is a little unusual, with a missing port number after the
> colon:
>
>   http://crazyrxl0wprices-MUNGED.com:/
>
> Maybe that syntax is throwing off SA?

Ah, good catch, I hadn't even noticed the trailing ":".

Bill


Re: [SPAM-TAG] SURBL missing this spam

Posted by Theo Van Dinter <fe...@kluge.net>.
On Sat, Mar 05, 2005 at 11:07:22AM +0100, Raymond Dijkxhoorn wrote:
> Any ETA on 3.1 ?

Nothing official.  We're planning a bug fix fest (or whatever you want to call
it) later this coming week, and we'll have to figure out what is left for 3.1
versus what can get punted to 3.2.  There's also the whole score generation
thing as well as a week or so of 3.1 release candidates.  So I'd say a minimum
of 1 month if we go gung ho for the next week or two and get it all together.

I, and several other people, have been dogfooding the 3.1 code for a while
though, and it's pretty stable already.  FWIW.

-- 
Randomly Generated Tagline:
Disappearing Tagline! (Just hit "Enter". Try it now!)

Re: [SPAM-TAG] SURBL missing this spam

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, March 5, 2005, 2:07:22 AM, Raymond Dijkxhoorn wrote:

>>>   http://crazyrxl0wprices-MUNGED.com:/
>>>
>>> Maybe that syntax is throwing off SA?

>> Yeah, it does look like a bug somewhere in 3.0.x.  3.1 catches it fine,
>> fwiw.
>>
>> 3.0:
>> debug: URIDNSBL: domains to query:
>>
>> 3.1:
>> debug: uridnsbl: domains to query: crazyrxl0wprices.com

> Any ETA on 3.1 ?

Well it sounds like they're in C-T-R mode now, so not quite
yet, but maybe within the next month or two?

  http://wiki.apache.org/spamassassin/DevelopmentMode

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: [SPAM-TAG] SURBL missing this spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi Theo,

>>   http://crazyrxl0wprices-MUNGED.com:/
>>
>> Maybe that syntax is throwing off SA?

> Yeah, it does look like a bug somewhere in 3.0.x.  3.1 catches it fine,
> fwiw.
>
> 3.0:
> debug: URIDNSBL: domains to query:
>
> 3.1:
> debug: uridnsbl: domains to query: crazyrxl0wprices.com

Any ETA on 3.1 ?

Thanks,
Raymond.


RE: [SPAM-TAG] SURBL missing this spam

Posted by martin smith <ma...@ntlworld.com>.
|-----Original Message-----
|From: Duncan Hill [mailto:satalk@nacnud.force9.co.uk] 
|Sent: 05 March 2005 15:02
|To: users@spamassassin.apache.org
|Subject: Re: [SPAM-TAG] SURBL missing this spam
|
|On Saturday 05 March 2005 14:49, martin smith wrote:
|> |uri SpoofPort_URL /.*\....:.*|.*\...:.*/
|> |score SpoofPort_URL 1
|>
|> Ok MK2 that one could FP on genuine URLs with a port specified
|>
|> uri SpoofPort_URL /.*\....:.*|.*\...:.*/
|> score SpoofPort_URL 1
|> uri OkPort_URL /.*\....:....|.*\...:.....|.*\....:....\/.*|.*\...:.....\/.*/
|> score OkPort_URL -1
|
|Hmm.. the variant I came up with doesn't use the uri tag, instead:
|body    SURBL_DODGE       /(?:https?|ftp):\/\/.*:\//
|score   SURBL_DODGE       5
|
|The only problem being that it can score on a url like
|http://some.good.site/fred:/
|
|Why someone would have a : in the path or query, I don't know,
|but it's a possibility.

Unfortunately that will FP if you have any text after the URL with :/

E.g. Take a look at http://some.good.site you never know:/


Re: [SPAM-TAG] SURBL missing this spam

Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Saturday 05 March 2005 14:49, martin smith wrote:
> |uri SpoofPort_URL /.*\....:.*|.*\...:.*/
> |score SpoofPort_URL 1
>
> Ok MK2 that one could FP on genuine URLs with a port specified
>
> uri SpoofPort_URL /.*\....:.*|.*\...:.*/
> score SpoofPort_URL 1
> uri OkPort_URL /.*\....:....|.*\...:.....|.*\....:....\/.*|.*\...:.....\/.*/
> score OkPort_URL -1

Hmm.. the variant I came up with doesn't use the uri tag, instead:
body    SURBL_DODGE       /(?:https?|ftp):\/\/.*:\//
score   SURBL_DODGE       5

The only problem being that it can score on a url like
http://some.good.site/fred:/

Why someone would have a : in the path or query, I don't know, but it's a
possibility.

RE: [SPAM-TAG] SURBL missing this spam

Posted by martin smith <ma...@ntlworld.com>.
I managed to write a meta rule, for anyone interested, to catch a URL with a
trailing : but no port specified, without an FP on a 4-digit port.

uri __SpoofPort_URL /.*\....:.*|.*\...:.*/

uri __OkPort_URL /.*\....:[0-9]....|.*\....:[0-9].+\/.*|.*\...:[0-9]....|.*\...:[0-9].+\/.*/

meta Spoof_Port_URL (( __SpoofPort_URL - __OkPort_URL) > 0)

score Spoof_Port_URL 5

describe Spoof_Port_URL URL with trailing : but no port specified

Martin
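To see what the meta rule above actually does on concrete URIs, here is an added Python re-implementation of its logic (example code, not Martin's rules file or SpamAssassin's own code). The two regex bodies are copied verbatim from the post, the sample URIs are constructed, and it assumes SA's default behaviour that a uri rule contributes 1 or 0 to meta arithmetic no matter how many URIs in the message matched it.

```python
import re
from typing import List

# Martin's two sub-rule bodies, copied from the post above. Perl and Python agree
# on this regex subset ("." any char, "\." a literal dot, "[0-9]" a digit).
SPOOF_PORT_URL = re.compile(r".*\....:.*|.*\...:.*")
OK_PORT_URL = re.compile(
    r".*\....:[0-9]....|.*\....:[0-9].+\/.*|.*\...:[0-9]....|.*\...:[0-9].+\/.*"
)


def sub_rule_hits(uri: str) -> List[str]:
    """Names of the sub-rules a single URI would fire."""
    hits = []
    if SPOOF_PORT_URL.search(uri):
        hits.append("__SpoofPort_URL")
    if OK_PORT_URL.search(uri):
        hits.append("__OkPort_URL")
    return hits


def spoof_port_url(message_uris: List[str]) -> bool:
    """meta Spoof_Port_URL ((__SpoofPort_URL - __OkPort_URL) > 0)

    A uri rule scores once per message, so each sub-rule contributes 1 or 0 to
    the meta arithmetic however many URIs matched it (assumed SA 3.0 default
    behaviour, i.e. no "tflags multiple").
    """
    spoof = int(any(SPOOF_PORT_URL.search(u) for u in message_uris))
    ok = int(any(OK_PORT_URL.search(u) for u in message_uris))
    return (spoof - ok) > 0


# Constructed sample URIs mapped to what the rule does with each of them.
RULE_OUTCOMES = {
    "http://crazyrxl0wprices-MUNGED.com:/": True,   # bare colon, the spam's trick
    "http://example.co.uk:/": True,                 # same trick, two-letter TLD
    "http://www.example.com:8080/path": False,      # genuine 4-digit port
    "http://www.example.com:80/": False,            # 2-digit port, via the \/ branch
    "http://example.com/": False,                   # no colon at all
    "http://example.com:80": True,                  # 2-digit port, no slash: an FP
}

if __name__ == "__main__":
    for uri, expected in RULE_OUTCOMES.items():
        flagged = spoof_port_url([uri])
        print(f"{uri:40} {sub_rule_hits(uri)} -> {'HIT' if flagged else 'miss'}")
    # One legitimate ported URI in the same message masks the bare-colon one,
    # because the meta only sees 1 - 1 = 0.
    print(spoof_port_url(["http://www.example.com:8080/",
                          "http://crazyrxl0wprices-MUNGED.com:/"]))   # False
```

The last two sample URIs show the rule's remaining edge cases: a short port with no trailing slash is flagged, and a genuine ported URL anywhere in the message suppresses the meta for the whole message.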



RE: [SPAM-TAG] SURBL missing this spam

Posted by martin smith <ma...@ntlworld.com>.
|
|uri SpoofPort_URL /.*\....:.*|.*\...:.*/
|score SpoofPort_URL 1
|
Ok MK2 that one could FP on genuine URLs with a port specified

uri SpoofPort_URL /.*\....:.*|.*\...:.*/
score SpoofPort_URL 1
uri OkPort_URL /.*\....:....|.*\...:.....|.*\....:....\/.*|.*\...:.....\/.*/
score OkPort_URL -1

Sorry for so many posts; this is a learning curve for me. Sure this can be
done better, possibly with a meta rule, but that's getting way too much above
me for now.
This will do till someone comes up with a better rule or fix.


RE: [SPAM-TAG] SURBL missing this spam

Posted by martin smith <ma...@ntlworld.com>.
 

|-----Original Message-----
|From: martin smith [mailto:marti@ntlworld.com] 
|Sent: 05 March 2005 11:41
|To: Spamassassin
|Subject: RE: [SPAM-TAG] SURBL missing this spam
|
|Is there a uri rule we could use to catch e.g. .com: or .uk:
|in the meantime until 3.1 becomes available? There is a
|possibility other spammers may try using this technique to
|exploit the bug.
|
|I tried uri BadPort_URL /.???:|.??:/ but it was an invalid
|regexp. I have never tried to write any rules before so haven't
|a clue of the allowed formats; sure it's quite simple to those that do.
|I also put this one in but like someone else said this will 
|probably now be defunct;
|
|uri Crazy_URL /crazyrxl0wprices.com:/
|score Crazy_URL 10
|
Ok, I have done a bit of reading up and got this rule to work; would
appreciate someone checking it over to make sure I haven't made a rule that
will FP.

uri SpoofPort_URL /.*\....:.*|.*\...:.*/
score SpoofPort_URL 1

Will up the score once I am satisfied I get no FPs.

Martin


RE: [SPAM-TAG] SURBL missing this spam

Posted by martin smith <ma...@ntlworld.com>.
|-----Original Message-----
|From: Theo Van Dinter [mailto:felicity@kluge.net] 
|Sent: 05 March 2005 01:27
|To: SpamAssassin Users
|Subject: Re: [SPAM-TAG] SURBL missing this spam
|
|On Fri, Mar 04, 2005 at 05:23:35PM -0800, Jeff Chan wrote:
|> Given that it's apparently fixed in 3.1 should we make a bugzilla?  
|> Might it be worth reviewing that the expression or code was 
|> specifically fixed to explain this (better) behavior?
|> Or would that be unnecessary?
|
|I wouldn't bother with a ticket.  We're trying to get 3.1 out 
|as opposed to a 3.0.3.  I also don't know if the issue is 
|simple to fix in 3.0 or not.  3.1 has had a lot of work done 
|to it since 3.0. ;)
|
Is there a uri rule we could use to catch e.g. .com: or .uk: in the meantime
until 3.1 becomes available? There is a possibility other spammers may
try using this technique to exploit the bug.

I tried uri BadPort_URL /.???:|.??:/ but it was an invalid regexp. I have never
tried to write any rules before so haven't a clue of the allowed formats;
sure it's quite simple to those that do.
I also put this one in but like someone else said this will probably now be
defunct;

uri Crazy_URL /crazyrxl0wprices.com:/
score Crazy_URL 10

Martin


Re: [SPAM-TAG] SURBL missing this spam

Posted by Theo Van Dinter <fe...@kluge.net>.
On Fri, Mar 04, 2005 at 05:23:35PM -0800, Jeff Chan wrote:
> Given that it's apparently fixed in 3.1 should we make a
> bugzilla?  Might it be worth reviewing that the expression or
> code was specifically fixed to explain this (better) behavior?
> Or would that be unnecessary?

I wouldn't bother with a ticket.  We're trying to get 3.1 out as opposed
to a 3.0.3.  I also don't know if the issue is simple to fix in 3.0
or not.  3.1 has had a lot of work done to it since 3.0. ;)

-- 
Randomly Generated Tagline:
Honk if you've been married to Elizabeth Taylor.

Re: [SURBL-Discuss] Re: [SPAM-TAG] SURBL missing this spam

Posted by Jeff Chan <je...@surbl.org>.
On Friday, March 4, 2005, 7:37:45 PM, David Funk wrote:
> On Fri, 4 Mar 2005, Jeff Chan wrote:

>> On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote:
>> > On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
>> >> The URI is a little unusual, with a missing port number after the
>> >> colon:
>> >>
>> >>   http://crazyrxl0wprices-MUNGED.com:/
>> >>
>> >> Maybe that syntax is throwing off SA?
>>
>> > Yeah, it does look like a bug somewhere in 3.0.x.  3.1 catches it fine,
>> > fwiw.
>>
>> > 3.0:
>> > debug: URIDNSBL: domains to query:
>>
>> > 3.1:
>> > debug: uridnsbl: domains to query: crazyrxl0wprices.com

> For those still running SA 2.6* + SpamCopURI-0.22
> The following ONE character patch fixes this bug:

> *** SpamCopURI.pm-orig  Thu Aug  5 14:58:59 2004
> --- SpamCopURI.pm       Fri Mar  4 21:22:37 2005
> ***************
> *** 276,282 ****

>     # URI doesn't always put the port in the right place
>     # so we strip it off here
> !   $url{host} =~ s/:[0-9]+$// if $url{host};


>     # Cleanup for urls that come in with a dot in the front
> --- 276,282 ----

>     # URI doesn't always put the port in the right place
>     # so we strip it off here
> !   $url{host} =~ s/:[0-9]*$// if $url{host};


>     # Cleanup for urls that come in with a dot in the front


> (IE just change that '+' to a '*' ;)

Yep; zero or more instead of one or more for the port portion.... :-)

I'm pretty sure Eric Kolve is still on this list.  Perhaps he
can consider putting your patch into SpamCopURI.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: [SPAM-TAG] SURBL missing this spam

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 4 Mar 2005, Jeff Chan wrote:

> On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote:
> > On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> >> The URI is a little unusual, with a missing port number after the
> >> colon:
> >>
> >>   http://crazyrxl0wprices-MUNGED.com:/
> >>
> >> Maybe that syntax is throwing off SA?
>
> > Yeah, it does look like a bug somewhere in 3.0.x.  3.1 catches it fine,
> > fwiw.
>
> > 3.0:
> > debug: URIDNSBL: domains to query:
>
> > 3.1:
> > debug: uridnsbl: domains to query: crazyrxl0wprices.com
>
> Thanks Theo,
> Given that it's apparently fixed in 3.1 should we make a
> bugzilla?  Might it be worth reviewing that the expression or
> code was specifically fixed to explain this (better) behavior?
> Or would that be unnecessary?

For those still running SA 2.6* + SpamCopURI-0.22
The following ONE character patch fixes this bug:

*** SpamCopURI.pm-orig  Thu Aug  5 14:58:59 2004
--- SpamCopURI.pm       Fri Mar  4 21:22:37 2005
***************
*** 276,282 ****

    # URI doesn't always put the port in the right place
    # so we strip it off here
!   $url{host} =~ s/:[0-9]+$// if $url{host};


    # Cleanup for urls that come in with a dot in the front
--- 276,282 ----

    # URI doesn't always put the port in the right place
    # so we strip it off here
!   $url{host} =~ s/:[0-9]*$// if $url{host};


    # Cleanup for urls that come in with a dot in the front
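Review bot: the comment above the changed substitution still describes only stripping a port ("URI doesn't always put the port in the right place / so we strip it off here"), but with `*` in place of `+` the line now also removes a bare trailing colon with no digits, which is exactly the `host:/` form this thread is about; say so in the comment so the next reader does not tidy it back to `+`. A regression check on the three forms Matthew Newton listed (`http://blocked-domain.com/`, `http://blocked-domain.com:/`, `http://blocked-domain.com:80/`) should yield the same `$url{host}` for all three after this line. The hunk header is 276,282 on both sides, consistent with a pure one-character change, so nothing else in the region needs review.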


(i.e. just change that '+' to a '*' ;)





-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: [SPAM-TAG] SURBL missing this spam

Posted by Jeff Chan <je...@surbl.org>.
On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote:
> On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
>> The URI is a little unusual, with a missing port number after the
>> colon:
>> 
>>   http://crazyrxl0wprices-MUNGED.com:/
>> 
>> Maybe that syntax is throwing off SA?

> Yeah, it does look like a bug somewhere in 3.0.x.  3.1 catches it fine,
> fwiw.

> 3.0:
> debug: URIDNSBL: domains to query:

> 3.1:
> debug: uridnsbl: domains to query: crazyrxl0wprices.com

Thanks Theo,
Given that it's apparently fixed in 3.1 should we make a
bugzilla?  Might it be worth reviewing that the expression or
code was specifically fixed to explain this (better) behavior?
Or would that be unnecessary?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: [SPAM-TAG] SURBL missing this spam

Posted by Theo Van Dinter <fe...@kluge.net>.
On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> The URI is a little unusual, with a missing port number after the
> colon:
> 
>   http://crazyrxl0wprices-MUNGED.com:/
> 
> Maybe that syntax is throwing off SA?

Yeah, it does look like a bug somewhere in 3.0.x.  3.1 catches it fine,
fwiw.

3.0:
debug: URIDNSBL: domains to query:

3.1:
debug: uridnsbl: domains to query: crazyrxl0wprices.com

-- 
Randomly Generated Tagline:
"... and don't we all love Pspice?"                - Instructor Dean

Re: [SPAM-TAG] SURBL missing this spam

Posted by Matthew Newton <mc...@leicester.ac.uk>.
On Sat, Mar 05, 2005 at 01:12:54AM +0000, Matthew Newton wrote:
> On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> > The URI is a little unusual, with a missing port number after the
> > colon:
> > 
> >   http://crazyrxl0wprices-MUNGED.com:/
> 
> I can confirm that behaviour here.
> 
>   http://blocked-domain.com/      is picked up
>   http://blocked-domain.com:/     is not picked up
>   http://blocked-domain.com:80/   is picked up

Oops... sorry, SpamAssassin 3.0.2.


-- 
Matthew Newton <mc...@le.ac.uk>

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom

Re: [SPAM-TAG] SURBL missing this spam

Posted by Matthew Newton <mc...@leicester.ac.uk>.
On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote:
> The URI is a little unusual, with a missing port number after the
> colon:
> 
>   http://crazyrxl0wprices-MUNGED.com:/

I can confirm that behaviour here.

  http://blocked-domain.com/      is picked up
  http://blocked-domain.com:/     is not picked up
  http://blocked-domain.com:80/   is picked up

Matthew


-- 
Matthew Newton <mc...@le.ac.uk>

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
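Matthew's three test URIs above, and Bill's remark elsewhere in the thread about the SURBL multi lists compounding to 127.0.0.114, can both be checked offline with this added Python example (not SpamAssassin's or SpamCopURI's code). It mirrors the shape of the SpamCopURI patch in the thread: take the host out of the URI, then strip the port with a regex, once with the original `:[0-9]+$` and once with the corrected `:[0-9]*$`. The URI parsing, the small two-level-TLD set and the sample domains are constructed assumptions; the SURBL bit values come from SURBL's own list documentation.

```python
import re
from typing import List, Optional

# The two port-stripping substitutions from the SpamCopURI patch in this thread.
# The original needs at least one digit after the colon, so a bare "host:" is left
# intact and then fails as a hostname; the fix accepts zero digits as well.
PORT_RE_BUGGY = re.compile(r":[0-9]+$")
PORT_RE_FIXED = re.compile(r":[0-9]*$")

# Constructed stand-ins for URI.pm's parsing (assumptions, not SA's own code):
# the authority is everything between "scheme://" and the first "/", "?" or "#";
# a hostname is dot-separated labels of letters, digits and hyphens only.
_AUTHORITY_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
_HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

# Bit values SURBL adds together to encode its sub-lists in one 127.0.0.x answer
# (from SURBL's list documentation; 114 = 64+32+16+2 reproduces Bill's four hits).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}


def extract_host(uri: str, port_re: re.Pattern = PORT_RE_FIXED) -> Optional[str]:
    """Host part of a URI with any ':port' (or a bare ':') removed, or None."""
    m = _AUTHORITY_RE.match(uri)
    if not m:
        return None
    authority = m.group(1).rsplit("@", 1)[-1]   # drop any user@ prefix
    host = port_re.sub("", authority)            # $url{host} =~ s/:[0-9]*$//
    host = host.lower().strip(".")
    return host if _HOSTNAME_RE.match(host) else None


def surbl_query_name(uri: str, port_re: re.Pattern = PORT_RE_FIXED,
                     zone: str = "multi.surbl.org") -> Optional[str]:
    """DNS name a URIBL lookup would query for this URI, or None if no host."""
    host = extract_host(uri, port_re)
    if host is None:
        return None
    labels = host.split(".")
    # SURBL is keyed on the registered domain. SA uses a full table of two-level
    # TLDs; this small set is an illustrative assumption.
    two_level = {"co", "ac", "org", "net", "com", "gov"}
    keep = 3 if len(labels) > 2 and len(labels[-1]) == 2 and labels[-2] in two_level else 2
    return ".".join(labels[-keep:]) + "." + zone


def decode_surbl_answer(addr: str) -> List[str]:
    """Sub-lists encoded in a SURBL multi answer such as 127.0.0.114."""
    octets = addr.split(".")
    if octets[:3] != ["127", "0", "0"]:
        raise ValueError("not a SURBL 127.0.0.x answer: " + addr)
    value = int(octets[3])
    return [name for bit, name in sorted(SURBL_BITS.items()) if value & bit]


if __name__ == "__main__":
    # Constructed analogues of the three URIs Matthew compared.
    for uri in ("http://blocked-domain.com/", "http://blocked-domain.com:/",
                "http://blocked-domain.com:80/"):
        print(uri, "buggy:", surbl_query_name(uri, PORT_RE_BUGGY),
              "fixed:", surbl_query_name(uri))
    print(decode_surbl_answer("127.0.0.114"))   # ['SC', 'OB', 'AB', 'JP']
```

With the original regex the middle URI yields no host at all, which is the empty "domains to query:" line Theo saw in the 3.0 debug output; with the fix all three produce the same query name.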

Re: [SPAM-TAG] SURBL missing this spam

Posted by Jeff Chan <je...@surbl.org>.
On Friday, March 4, 2005, 3:47:04 PM, martin smith wrote:
> I must have received this spam 12 times or more in the last 24 hours and
> even though it's listed on the SURBL, spamassassin fails to match it against
> them.
> When I submit the spams to spamcop it parses the url every time.
> SURBL seems to work on all other spams, just wondering if they have found a
> way to avoid spamassassin catching the URL.

> Martin

The URI is a little unusual, with a missing port number after the
colon:

  http://crazyrxl0wprices-MUNGED.com:/

Maybe that syntax is throwing off SA?

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/