Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/02/05 22:51:47 UTC
Re: Obfuscated URL detection via DNS
- (a) It provides an easy way for a spammer to tell if a piece of mail
passes through a SpamAssassin filter, by monitoring hits on their NS.
- (b) it's pretty common in some groups to mail around unregistered
domains/unresolvable hostnames/XML DTD locations/etc.
--j.
John D. Hardin writes:
> How about this for testing whether a URL is obfuscated: just see if
> the host resolves via DNS?
>
> Pros:
>
> No complex REs needed.
>
> No more playing whack-a-mole chasing new obfuscation mechanisms.
>
>
> Cons:
>
> A DNS lookup.
>
> It won't catch obfuscation in the filepath part. (But then, the reason
> for the obfuscation is to avoid URIBLs, which don't use the filepath
> part...)
>
> It may subject you to DNS cache poisoning.
>
>
> Do the pros outweigh the cons?
>
Re: Obfuscated URL detection via DNS
Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Monday, February 05, 2007 9:51 PM +0000 Justin Mason <jm...@jmason.org>
wrote:
> - (a) It provides an easy way for a spammer to tell if a piece of mail
> passes through a SpamAssassin filter, by monitoring hits on their NS.
You could give the URIBL rules first shot at the raw name, then invoke the
normal lookup only if those don't get a hit.
> - (b) it's pretty common in some groups to mail around unregistered
> domains/unresolvable hostnames/XML DTD locations/etc.
Yep, that's a hard one.
Re: Obfuscated URL detection via DNS
Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Tuesday, February 06, 2007 8:49 PM +1300 Jason Haar
<Ja...@trimble.co.nz> wrote:
> Hmm - I would assume the opposite. Most people would run SA in DMZes,
> wouldn't they? And most DMZ design philosophies are that DMZ hosts
> should attempt to have near-zero access to internal resources. i.e. no
> internal DNS.
Why would you be sending internal domain names through your external SA? If
you send to another internal user who might use a VPN from outside, you
still send to his internal address.
Re: Obfuscated URL detection via DNS
Posted by Jason Haar <Ja...@trimble.co.nz>.
John D. Hardin wrote:
>> - (b) it's pretty common in some groups to mail around unregistered
>> domains/unresolvable hostnames/XML DTD locations/etc.
>>
>
> I would assume that your SA host has visibility to your internal
> DNS...
>
Hmm - I would assume the opposite. Most people would run SA in DMZes,
wouldn't they? And most DMZ design philosophies are that DMZ hosts
should attempt to have near-zero access to internal resources. i.e. no
internal DNS.
That's certainly the case for us...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Obfuscated URL detection via DNS
Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 5 Feb 2007, Justin Mason wrote:
> - (a) It provides an easy way for a spammer to tell if a piece of mail
> passes through a SpamAssassin filter, by monitoring hits on their NS.
They will also get hits from people following the URL. Maybe this will
help to pollute their databases with a lot of false positives, and
reduce the value of such tracking.
DNS caching affects this, unless they intentionally set a very short
TTL.
> - (b) it's pretty common in some groups to mail around unregistered
> domains/unresolvable hostnames/XML DTD locations/etc.
I would assume that your SA host has visibility to your internal
DNS...
Okay, add support for a list of domain names that it wouldn't try to
resolve, and would score zero for.
> John D. Hardin writes:
> > How about this for testing whether a URL is obfuscated: just see if
> > the host resolves via DNS?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun control is marketed to the public with the idea that violent
criminals will obey the law. This is an appealing delusion.
-----------------------------------------------------------------------
7 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays
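The check as the thread converges on it (URIBL gets first shot at the raw name, a no-resolve list for internal or unregistered domains scores zero, and the DNS lookup happens only for what is left), sketched in Python as an added example that is neither SpamAssassin code nor any poster's own. The URIBL check and the DNS resolver are passed in as callables so the sketch runs offline; the real URIBL query is assumed to be supplied by the caller.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List

# Host part of http(s) URIs in a message body (simplified pattern, constructed for this example).
URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_hosts(body: str) -> List[str]:
    """Distinct hostnames from http(s) URIs, lowercased, in order of first appearance."""
    seen: List[str] = []
    for host in URI_HOST_RE.findall(body):
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.append(host)
    return seen


def default_resolver(host: str) -> bool:
    """Ask the system resolver whether the host has any address; False on any lookup failure."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def classify_host(host: str, uribl_hit: Callable[[str], bool],
                  resolver: Callable[[str], bool], skip_suffixes: Iterable[str]) -> str:
    # 1. Names we never resolve (internal or deliberately unregistered domains): score zero.
    if any(host == s or host.endswith("." + s) for s in skip_suffixes):
        return "skipped"
    # 2. URIBL first, on the raw name: a listed domain never triggers a lookup at the spammer's NS.
    if uribl_hit(host):
        return "uribl_listed"
    # 3. Only now do the DNS lookup; a host that does not resolve is the obfuscation signal.
    return "resolves" if resolver(host) else "unresolvable"


def score_body(body: str, uribl_hit: Callable[[str], bool],
               resolver: Callable[[str], bool] = default_resolver,
               skip_suffixes: Iterable[str] = ()) -> Dict[str, str]:
    """Map every URI host in the body to one of: skipped, uribl_listed, resolves, unresolvable."""
    return {h: classify_host(h, uribl_hit, resolver, tuple(skip_suffixes)) for h in extract_hosts(body)}
```

The "unresolvable" verdict is still only evidence, not proof: the caveat in the thread about DNS cache poisoning applies to step 3, and an internal name missing from the skip list lands there too when the SA host has no internal DNS.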