Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/01/22 17:50:25 UTC

[Bug 5302] New: remove asterisks from parsed uris

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5302

           Summary: remove asterisks from parsed uris
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Libraries
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: spamassassin@dostech.ca


http://www.fod*rx.com  in the body of a mail should result in fodrx.com being
looked up, not fod*rx.com as it is now.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 5302] remove asterisks from parsed uris

jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P2
  Status Whiteboard|                            |pre-mass-check




------- Additional Comments From jm@jmason.org  2007-01-24 04:35 -------
This would need to be decided and implemented before mass-checks start tomorrow!

I'm inclined to agree with Theo -- WONTFIX, as long as we have a rule in testing
for this (which we do, right? DOS_URI_ASTERISK).  otherwise, it'll have to be
hacked out ASAP or deferred.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From felicity@apache.org  2007-01-23 16:42 -------
yeah, I just got one of those as well...  in the past, we've decided not to
attempt working on these types of deobfuscation things.

if the user has to jump through several hoops and very specifically unmangle the
url before they can get to the spammer's site, then there's not a lot we can do
to stop them.

in the futile-to-deal-with category, the spam could just as easily have put
numbers or capital letters or underscores or ...  we can't try to detect/modify
them all since they could be completely valid.

imo, I'd close as wontfix.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From nj@leverton.org  2007-01-25 05:54 -------
The attachment "Sample legit mail with many strange URLs" FPs on this rule.
I think it is matching the <a href="#anchor"> tags, but I'm not sure the
current RE caters for # anchors even if the URL has a domain name.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From nj@leverton.org  2007-01-25 05:52 -------
Created an attachment (id=3842)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3842&action=view)
Sample legit mail with many strange URLs

Original email address obfuscated.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From nj@leverton.org  2007-01-26 02:01 -------
Yeah sorry Theo, I was working via a very slow tunnel yesterday, and I mixed up 
this bug with the thread in SA-users which has a different rule for the same 
obfuscation.  Sorry for the noise.  I'll get this rule out of CVS and try it 
instead.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From jm@jmason.org  2007-01-25 05:07 -------
> fwiw, I threw in one too even though I don't think it's going to be useful
> long-term:
> 
>   2.934   3.4459   0.0000    1.000   1.00    0.00  TVD_SILLY_URI_OBFU_BODY
>   3.168   3.6221   0.5668    0.865   0.50    0.00  TVD_SILLY_URI_OBFU_URI
>   0.563   0.6531   0.0493    0.930   0.00    0.00  T_DOS_URI_ASTERISK

whoa, 3.44%? nice!
 
> as for mass-checks, we really need to figure out a way to do rescoring more
> frequently... :)

yeah.  I figure we can work that one out post-release... it'll take a while
to work out.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From spamassassin@dostech.ca  2007-01-22 09:20 -------
Created an attachment (id=3835)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3835&action=view)
sample

1 sample from about 100 received in the last 12 hours



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From spamassassin@dostech.ca  2007-01-22 09:25 -------
> if we were to treat that as "www.badsitefoo.com", while the MUA/user treats it
> as "www.badsite", then we're going to be vulnerable to that trick.

Do any MUAs stop at (before) the asterisk?  Thunderbird doesn't.  I don't have
anything else to try it with at the moment.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From spamassassin@dostech.ca  2007-01-24 23:59 -------
I'm happy with just having a rule to catch it.  It probably won't last but I
wouldn't be surprised if it comes back again -- I now recall seeing nearly
identical spams about a year ago.

Currently this is the only spam that I'm getting that scores under 5 with
publicly available rules (OI rep scores are pushing the scores over 5).  About
half of them don't hit any DNSBLs (the ones that do score 15+) and I'm receiving
a metric boat load of them.


One thing I do find odd though is that we're doing queries for domains that
contain illegal characters.  exam*ple.com can't be registered.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From spamassassin@dostech.ca  2007-01-22 21:35 -------
Created an attachment (id=3836)
 --> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3836&action=view)
sample - "replace * with ."




[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From shiva@sewingwitch.com  2007-01-24 04:46 -------
Can you simply test if the URI is resolvable as given?



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From shiva@sewingwitch.com  2007-01-24 04:49 -------
Whoops, only read the last comment before posting.

Mulberry 3.1.6 for Win32 displays the whole URL with asterisk as clickable. I'll
have to check the latest release later. (I have that installed at the office.)



[Bug 5302] remove asterisks from parsed uris

jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From jm@jmason.org  2007-01-25 10:31 -------
ok, mass-checks have started, and the rules are in SVN; let's mark this
as WONTFIX for the remainder.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From jm@jmason.org  2007-01-22 09:07 -------
I'm not 100% sure if it should... what about

http://www.badsite*foo.com

a spammer could register badsite.com, and count on MUAs recognising that URL (up
to but not including the *), and appending ".com" to "http://www.badsite"
implicitly when the user attempts to click the URL.  

if we were to treat that as "www.badsitefoo.com", while the MUA/user treats it
as "www.badsite", then we're going to be vulnerable to that trick.

(btw it might be handy to attach a copy of the spam, fwiw.)



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From tech2@i-is.com  2007-01-22 09:43 -------
OE6 on XPSP2 tries to resolve the entire string as you pasted.  The Bat 
(current) does the same thing.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From spamassassin@dostech.ca  2007-01-22 11:14 -------
> you're getting that many?  wow.  fwiw, I've just checked and I'm getting them
> too.  none of these have been marked as ham though... ;)

Across 5 accounts, yeah lots, although it seems to have stopped for now.  Most
of them are showing up before the IPs hit XBL and SpamCop.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From felicity@apache.org  2007-01-25 07:21 -------
(In reply to comment #17)
> The attachment "Sample legit mail with many strange URLs" FPs on this rule.
> I think it is matching the <a href="#anchor"> tags, but I'm not sure the
> current RE caters for # anchors even if the URL has a domain name.

Which rule?

[24521] dbg: check:
tests=FH_HOST_EQ_D_D_D_D,FM_SEX_HOSTDDDD,HTML_MESSAGE,MIME_HTML_ONLY,T__FRAUD_DBI,T__FRAUD_DBI_1,T__FRAUD_DBI_2,T__FRAUD_DBI_3,T__FRAUD_DBI_4,T__FRAUD_DBI_5,T__FRAUD_DBI_7


I don't see either of the rules discussed in there.



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From spamassassin@dostech.ca  2007-01-22 09:35 -------
Oh yeah... I'd still do the fod*rx.com lookup in addition to a fodrx.com lookup.  

A casual glance at a packet dump tells me that both Bind and Microsoft's DNS
service resolvers will handle the fod*rx.com query anyway, so this might be
listable (making this bug a non-issue).  I have no idea if rbldnsd or Bind will
accept it in a zone file though.

Also... if MUAs do in fact stop at (before) the asterisk, we don't currently
handle that (badsite.com isn't looked up in the comment #1 example).  So in one
way or another, we're open to something here.



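Added example, not SpamAssassin's own code (which is Perl) or anything posted in this thread: a Python sketch of the candidate-hostname logic debated above. It covers the asterisk-stripped lookup the report asks for, the stop-before-the-asterisk reading of badsite*foo.com that jm raised, and the point that a name containing "*" can never be registered. The ".com" completion is only that comment's hypothesis, not observed MUA behaviour, and all function names are my own.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen. '*' is never legal, which is why a name such as
# exam*ple.com can never be registered (the point made above).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host: str) -> bool:
    """True if host is a syntactically registrable name with two or more labels."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def host_from_uri(uri: str) -> str:
    """Host part of a URI as it appears in a mail body; the scheme is optional."""
    m = re.match(r"^(?:[a-z][a-z0-9+.\-]*://)?([^/?#:\s]+)", uri.strip(), re.I)
    return m.group(1).lower() if m else ""


def lookup_candidates(uri: str) -> list:
    """(hostname, reason, registrable) triples a URIBL check could query for uri.

    Hypothetical helper: the asterisk-stripped form is what the report asks for,
    the prefix forms cover the stop-before-the-asterisk reading of
    badsite*foo.com, and the '.com' completion is only the thread's hypothesis.
    """
    host = host_from_uri(uri)
    seen, out = set(), []

    def add(candidate: str, reason: str) -> None:
        if candidate and candidate not in seen:
            seen.add(candidate)
            out.append((candidate, reason, is_valid_hostname(candidate)))

    add(host, "as written in the message")
    if "*" in host:
        add(host.replace("*", ""), "asterisks removed")
        add(host.replace("*", "."), "asterisks read as dots (attachment 3836 variant)")
        prefix = host.split("*", 1)[0].strip(".")
        add(prefix, "text before the first asterisk")
        add(prefix + ".com", "prefix plus implicit .com (hypothesis from the thread)")
    return out


def registrable_candidates(uri: str) -> list:
    """Only names a registry could hold, i.e. the ones a DNSBL can actually list."""
    return [h for h, _reason, ok in lookup_candidates(uri) if ok]
```

Running `registrable_candidates("http://www.fod*rx.com")` gives the www.fodrx.com lookup the report wanted first, while the as-written fod*rx.com form is kept in `lookup_candidates` but flagged as not registrable.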

[Bug 5302] remove asterisks from parsed uris

nj@leverton.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nj@leverton.org






[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From jm@jmason.org  2007-01-22 10:59 -------
you're getting that many?  wow.  fwiw, I've just checked and I'm getting them
too.  none of these have been marked as ham though... ;)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 0.0 T_FH_RELAY_NODNS       We could not determine your Reverse DNS
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?201.161.175.18>]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [201.161.175.18 listed in zen.spamhaus.org]
 0.0 T_RCVD_IN_XBL          RBL: Received via a relay in Spamhaus XBL
                            [201.161.175.18 listed in sbl-xbl.spamhaus.org]
 1.0 FM_RE_HELLO_SPAM       Re: Hello / hi
 1.7 FAKE_REPLY_C           FAKE_REPLY_C


this is the spammer using this trait:

X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

note the repeated version numbers -- quite distinctive.
unfortunately I haven't made a good rule for that yet -- it does crop up in ham
occasionally...



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From felicity@apache.org  2007-01-24 18:05 -------
(In reply to comment #10)
> I'm inclined to agree with Theo -- WONTFIX, as long as we have a rule in testing
> for this (which we do, right? DOS_URI_ASTERISK).  otherwise, it'll have to be
> hacked out ASAP or deferred.

fwiw, I threw in one too even though I don't think it's going to be useful
long-term:

  2.934   3.4459   0.0000    1.000   1.00    0.00  TVD_SILLY_URI_OBFU_BODY
  3.168   3.6221   0.5668    0.865   0.50    0.00  TVD_SILLY_URI_OBFU_URI
  0.563   0.6531   0.0493    0.930   0.00    0.00  T_DOS_URI_ASTERISK

as for mass-checks, we really need to figure out a way to do rescoring more
frequently... :)



[Bug 5302] remove asterisks from parsed uris

------- Additional Comments From felicity@apache.org  2007-01-29 14:45 -------
fwiw, both daryll and myself put in test rules.  I ended up promoting mine
because the FP rate went to 0:

  0.328   0.3857   0.0109    0.973   0.76    0.00  DOS_URI_ASTERISK
  0.256   0.3023   0.0000    1.000   0.73    0.00  T_TVD_SILLY_URI_OBFU3

:)



[Bug 5302] remove asterisks from parsed uris

spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|Undefined                   |3.2.0





