Posted to users@spamassassin.apache.org by Jack Pepper <pe...@autoshun.org> on 2008/04/15 19:24:52 UTC

Need help with bobax rules

This info popped up on the Emerging Threats list.  I have watched our  
mail servers and have confirmed that it works.

The problem is that my attempts to create SpamAssassin rules for it never  
fire off.  Can I get some tutelage from the list on creating rules for  
these unique conditions:

> Message IDs randomized, but always the same length per field, and  
> uses "Message-Id" instead of "Message-ID":
>
> Message-Id: <28...@KMYR>
> Message-Id: <00...@GEWN>
> Message-Id: <53...@HLOX>
> Message-Id: <96...@TSRC>
> Message-Id: <93...@XOZO>
> Message-Id: <58...@DPJF>
> Message-Id: <57...@MQBI>
> Message-Id: <38...@ULHA>
> Message-Id: <91...@NZOD>
> Message-Id: <94...@JECL>
>
> Intel from Joe Stewart at Secureworks.
>
> Message-Id capitalized incorrectly, and EJXVWDA appears in the  
> middle of the random prefix:
>
> Message-Id: <1I...@charlxxxxxxnix.com>
> Message-Id: <0I...@thaxxxxxxxuy.com>
> Message-Id: <0I...@bxxxe.org>
> Message-Id: <8I...@filmxxxxxtral.net>
> Message-Id: <5I...@stephxxxxxxld.org>
> Message-Id: <4I...@reXxxxxght.com>
> Message-Id: <1I...@uxxxxxt.com>
> Message-Id: <9I...@nexxxxble.com>
>
> Intel from Joe Stewart at Secureworks.
>
> First group increments over time. Last group is the IP in hex backwards.
> Like so:
>
> Message-ID: 05b601c8992a$084895f0$1802a8c0@computername
> Message-ID: 05bd01c8992a$08608ac0$1802a8c0@computername
> Message-ID: 05cb01c8992a$087d1370$1802a8c0@computername
> Message-ID: 05e701c8992a$08a7f400$1802a8c0@computername
> Message-ID: 05d901c8992a$088ddc50$1802a8c0@computername
> Message-ID: 05e001c8992a$08902640$1802a8c0@computername
> Message-ID: 05d201c8992a$087d1370$1802a8c0@computername
> Message-ID: 060a01c8992a$09de0300$1802a8c0@computername
> Message-ID: 061101c8992a$09f5d0c0$1802a8c0@computername
> Message-ID: 061801c8992a$0a0d9e80$1802a8c0@computername
>
> Thanks again to Joe Stewart for the intel!



Anything that hits is generated by bobax/kraken/oderoor and can be dropped.

jp
-- 
Framework?  I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


Re: Need help with bobax rules

Posted by Jeremy Fairbrass <je...@fairbrass.co.nz>.
Are Henry's versions of these rules different to what Jack posted below, and if so, where can I find them? I'm still running SA 3.1.8 (unable to upgrade yet) so I wouldn't receive them if you've pushed them to the 3.2 sa-update.

Cheers,
Jeremy



"Justin Mason" <jm...@jmason.org> wrote in message news:20080416131651.3BD0F30C3B4@jmason.org...
>
> for what it's worth, I just pushed Henry's version of Joe's rules into the
> 3.2.x sa-updates.
>
> --j.
>
> Jack Pepper writes:
> 



Re: Need help with bobax rules

Posted by Jack Pepper <pe...@autoshun.org>.
Quoting Jeremy Fairbrass <gm...@jeremy.fairbrass.co.nz>:

> Hi Jack,
> Any chance of sharing your rules for this?!
>
> Cheers,
> Jeremy

Sure:

score BOBAX_GEN_SPAM_2 1.800
header BOBAX_GEN_SPAM_2   ALL =~ /^Message-Id:.*[0-9]{4}D[0-9]{3}\.[0-9]{6}\.[0-9]{5}\@[A-Z]{4}/m
describe BOBAX_GEN_SPAM_2   Has Bobax Generated Message-Id, type 2

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

One fellow suggested that it might be more efficient to do this:

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM   Message-ID =~ /EJXVWDA/m
describe BOBAX_GEN_SPAM   Has Bobax Generated Message-Id

but I wasn't sure if SA would detect the incorrect case on the  
word "message-id" and then not realize the test, etc.  Any suggestions?

jp

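A worked check of the three Message-Id families from the thread, as an added example (not Jack's rules as deployed, and not SpamAssassin's own code): it applies Jack's two patterns to a raw header block the way the ALL pseudo-header does, adds a third pattern for the "$"-separated hex IDs and decodes the reversed-hex IP from them, and shows why a by-name lookup (a rule written as `header X Message-ID =~ ...`) cannot see the capitalisation difference Jack asks about. Sample header blocks are constructed except the third Message-ID, which is quoted from the original post; `example.invalid` hostnames and the 12/8/8-digit shape of the third pattern are assumptions.

```python
import re
import ipaddress

# Detection patterns drawn from the thread's intel. The first two are Jack's
# posted rules; the third is an added pattern for the "$"-separated hex IDs
# quoted in the original post (assumption: three hex groups of 12/8/8 digits).
RULES = {
    # Matched against the raw header block (SA's ALL pseudo-header) and
    # case-sensitively, so the lowercase "Id" spelling is part of the signal.
    "BOBAX_GEN_SPAM_2": re.compile(
        r"^Message-Id:.*[0-9]{4}D[0-9]{3}\.[0-9]{6}\.[0-9]{5}@[A-Z]{4}", re.M),
    "BOBAX_GEN_SPAM": re.compile(r"^Message-Id:.*EJXVWDA", re.M),
    # Last "$" group is the sender's IPv4 address with its bytes reversed.
    "BOBAX_HEX_MSGID": re.compile(
        r"^Message-ID:\s*[0-9a-f]{12}\$[0-9a-f]{8}\$([0-9a-f]{8})@", re.M),
}

def check_headers(raw_headers):
    """Names of the rules that hit on a raw header block."""
    return [name for name, rx in RULES.items() if rx.search(raw_headers)]

def header_by_name(raw_headers, name):
    """By-name lookup, as a rule written 'header X Message-ID =~ ...' does.
    RFC 5322 field names are case-insensitive, so this returns either
    spelling of the header and discards the capitalisation signal."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.*)$", raw_headers, re.M | re.I)
    return m.group(1).strip() if m else None

def reversed_hex_ip(group):
    """Decode the last '$' group of the third family: '1802a8c0' -> '192.168.2.24'."""
    return str(ipaddress.IPv4Address(bytes.fromhex(group)[::-1]))

def hex_msgid_ip(raw_headers):
    """Sender IP recovered from a third-family Message-ID, or None if no hit."""
    m = RULES["BOBAX_HEX_MSGID"].search(raw_headers)
    return reversed_hex_ip(m.group(1)) if m else None

# Constructed sample header blocks; only the third Message-ID is quoted verbatim
# from the thread (the other families' IDs are truncated on the page).
SAMPLES = [
    "From: a@example.invalid\nMessage-Id: <2834D123.456789.01234@KMYR>\n",
    "Message-Id: <1IabcdEJXVWDAxyz@example.invalid>\n",
    "Message-ID: 05b601c8992a$084895f0$1802a8c0@computername\n",
    "Message-ID: <20080415.123456@mail.example.invalid>\n",
]

if __name__ == "__main__":
    for block in SAMPLES:
        print(check_headers(block), header_by_name(block, "Message-ID"), hex_msgid_ip(block))
```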


Re: Need help with bobax rules

Posted by Jeremy Fairbrass <gm...@jeremy.fairbrass.co.nz>.
Hi Jack,
Any chance of sharing your rules for this?!

Cheers,
Jeremy



"Jack Pepper" <pe...@autoshun.org> wrote in message news:20080415122452.73cca08wpc80kk0c@mail.afferentsecurity.com...




Re: Need help with bobax rules

Posted by Jack Pepper <pe...@autoshun.org>.
I guess I don't need those rules.  I see now that INVALID_MSGID was  
already catching them.

Apologies for the noise on the list.

jp
