Posted to users@spamassassin.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2014/06/06 23:32:26 UTC

Can't keep up with spam from SolarVPS sites

We’re getting a lot of spam that contains URLs which look like (remove the ####):

http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ihn####yc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://iea####to.com/whos/be2aaf2163fd72c9975ec76b00288831

http://cp.mk-k####bcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f

http://ifs####pc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://nig####gu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

Some observations… The URLs should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?

The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?

Thanks,

-Philip


Re: Can't keep up with spam from SolarVPS sites

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 6/7/2014 3:31 AM, David B Funk wrote:
> This does require
> some baby-sitting as it will get traffic that is the results of a real 
> human
> fat-fingering a legit recipient.

Perhaps use just subdomains then?  Such as 
venusflytrap@invalid.uiowa.edu to eliminate the risk of legit 
fat-fingered email.

Regards,
KAM


Re: Can't keep up with spam from SolarVPS sites

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 6 Jun 2014, lucas k wrote:

> I'm having the exact opposite problem. I've created several new addresses 
> that I'm hoping to get clogged up with spam so that I can have a fluid target 
> to write rules against, but so far... nothing.
>
> craig@dioxidized, where I posted a bunch of ads on craigslist with the 
> address exposed, has not gotten anything in 48 hours.
>
> red@dioxidized, where the same thing was done on reddit, nothing.
>
> posted a few addresses in pastebin in hopes that bots might find them
>
> So, does anyone have any idea how to get a freshly made email address to get 
> clogged with spam in the shortest amount of time?
>
> Many thanks!
>
> Oh, and just joining the list, glad to see that there's a community here!
>
> Lucas

Put some hidden 'mailto:' links on pages on a web-site that is regularly
crawled (i.e. 'mailto:'s that have no label so human visitors won't see them).

If you have control over the mailserver for a small business set up a
'luser_relay' to collect messages to invalid recipients. This does require
some baby-sitting as it will get traffic that is the results of a real human
fat-fingering a legit recipient.

The absolute best method that I've found is to respond to the "unsubscribe"
links in spam but fill in your spam-trap address to be "unsubscribed".
Sometimes that method will get results within a few hours, some of my
spam-trap addresses are still getting traffic 10 -years- after being
"unsubscribed".


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Can't keep up with spam from SolarVPS sites

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 22:34 -0400, lucas k wrote:
> I'm having the exact opposite problem. I've created several new 
> addresses that I'm hoping to get clogged up with spam so that I can have 
> a fluid target to write rules against, but so far... nothing.
> 
> craig@dioxidized, where I posted a bunch of ads on craigslist with the 
> address exposed, has not gotten anything in 48 hours.

48 hours. No, I wouldn't expect spam in that short a time frame. Spam
(bot) networks need to pick up fresh addresses, distribute them, then
eventually use them.

I am still getting spam with addresses out-of-business for years. Most
spammers (especially botnet based) don't care for SMTP reject. Invalid
addresses rarely phase out.

Adding new addresses might take time, too. First, they need to be
discovered. (Who told you spammers are specifically harvesting
craigslist?) Then, the new addresses need to be distributed for bots to
actually use them.

I am *still* getting Mydoom virus infected messages. What does that tell
you about blackhats and being up-to-date?


> So, does anyone have any idea how to get a freshly made email address to 
> get clogged with spam in the shortest amount of time?

If the domain is not fresh and there are users getting spam, a catch-all
address could help. You will even see spam to "thisisjusttest@".

However, legitimate senders will NOT be informed, in case they mis-typed
the recipient address. Even worse, that mail would end up in your
catch-all bin. Use with care.


> Many thanks!
> 
> Oh, and just joining the list, glad to see that there's a community here!

There is indeed. I recommend "active lurking", lots of good advice,
hints and education, even if not (yet) perceived as a personal issue.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Can't keep up with spam from SolarVPS sites

Posted by Axb <ax...@gmail.com>.
On 06/07/2014 04:34 AM, lucas k wrote:
>
> So, does anyone have any idea how to get a freshly made email address to
> get clogged with spam in the shortest amount of time?

It always depends what kind of spam you want to attract.
Spam traps are like good wine, they need to age.

Google around and you'll find lots of methods.

A handful of "freshly made email addresses" won't instantly solve your 
problem - you may need tens/hundreds/or_more domains to give you a wide 
enough scope of spam types to avoid duplicating efforts.

You need patience and creativity. Different methods attract different 
spammers.

Re: Can't keep up with spam from SolarVPS sites

Posted by lucas k <lu...@dioxidized.com>.
I'm having the exact opposite problem. I've created several new 
addresses that I'm hoping to get clogged up with spam so that I can have 
a fluid target to write rules against, but so far... nothing.

craig@dioxidized, where I posted a bunch of ads on craigslist with the 
address exposed, has not gotten anything in 48 hours.

red@dioxidized, where the same thing was done on reddit, nothing.

posted a few addresses in pastebin in hopes that bots might find them

So, does anyone have any idea how to get a freshly made email address to 
get clogged with spam in the shortest amount of time?

Many thanks!

Oh, and just joining the list, glad to see that there's a community here!

Lucas
On 06/06/2014 05:32 PM, Philip Prindeville wrote:
> We’re getting a lot of spam that contains URLs which look like (remove the ####):
>
> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> http://ihn####yc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> http://iea####to.com/whos/be2aaf2163fd72c9975ec76b00288831
>
> http://cp.mk-k####bcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f
>
> http://ifs####pc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> http://nig####gu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> Some observations… The URLs should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?
>
> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.
>
> Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?
>
> Thanks,
>
> -Philip
>


Re: Can't keep up with spam from SolarVPS sites

Posted by John Hardin <jh...@impsec.org>.
On Fri, 6 Jun 2014, Philip Prindeville wrote:

> We’re getting a lot of spam that contains URLs which look like (remove the ####):
>
> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> http://ihn####yc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> http://iea####to.com/whos/be2aaf2163fd72c9975ec76b00288831
>
> http://cp.mk-k####bcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f
>
> http://ifs####pc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> http://nig####gu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> Some observations… The URLs should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?

While "URL with long string of gibberish" is a reliable sign for 
tracking, it's not a reliable sign for spam. A lot of legitimate mailing 
lists and newsletters and such have similar URLs.

> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.
>
> Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?

You could set up a local authoritative DNS zone for a DNSBL, put the IP 
ranges into it, and add a URIDNSBL check rule pointing at your DNS server 
as the DNSBL host, but I don't think there's a way to do it by putting a 
netblock explicitly into a rule. That seems to me like a plausible 
extension of the URIDNSBL plugin, but it would be a pain to maintain the 
rules. Setting up a local DNSBL would be better in the long run, I think.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The more you believe you can create heaven on earth the more
   likely you are to set up guillotines in the public square to
   hasten the process.                                 -- James Lileks
-----------------------------------------------------------------------
  Today: the 70th anniversary of D-Day

Re: Can't keep up with spam from SolarVPS sites

Posted by Amir Caspi <ce...@3phase.com>.
On Jun 9, 2014, at 7:11 PM, David B Funk <db...@engineering.uiowa.edu> wrote:

> Just beware of FPs, I've seen some ugly URLs from things like airline
> reservation confirmations. (spammers are getting better at stealing
> features from legit messages to protect their garbage).

FWIW, I haven't had a single FP on that or any of my other AC rules... but, that's only been tested on ham and spam for myself and my limited user base.  An FP could, in principle, happen.

> Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
> at all (as it's an "indirect" rule and thus scoreless), you'll either
> have to rename it or use it in a meta rule.

Indeed, I use this as part of a meta for AC_SPAMMY_URIs, so if you're using it standalone, remove the underscores.

--- Amir


Re: Can't keep up with spam from SolarVPS sites

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 9 Jun 2014, Amir Caspi wrote:

> On Jun 9, 2014, at 4:25 PM, John Hardin <jh...@impsec.org> wrote:
>
>> On Mon, 9 Jun 2014, Philip Prindeville wrote:
>>
>>>>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>
>> If it's in an HTML anchor tag the URL itself isn't in the "body" text, only the display label will be.
>>
>> Try a "uri" rule.
>
> This URL is already in my "AC_SPAMMY_URI" template group, though I don't know if this particular one has been released or not (I never sent an update since the first batch a few months ago), and even if so the current version would not have caught it due to being a bit too restrictive.
>
> Try this:
>
> uri __AC_LONGSTRS_URI   /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/
>
> Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the released ones score differently).
>
> --- Amir

Just beware of FPs, I've seen some ugly URLs from things like airline
reservation confirmations. (spammers are getting better at stealing
features from legit messages to protect their garbage).

Also be aware that you cannot set the score for the rule __AC_LONGSTRS_URI
at all (as it's an "indirect" rule and thus scoreless), you'll either
have to rename it or use it in a meta rule.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Can't keep up with spam from SolarVPS sites

Posted by Amir Caspi <ce...@3phase.com>.
On Jun 9, 2014, at 4:25 PM, John Hardin <jh...@impsec.org> wrote:

> On Mon, 9 Jun 2014, Philip Prindeville wrote:
> 
>>>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> 
> If it's in an HTML anchor tag the URL itself isn't in the "body" text, only the display label will be.
> 
> Try a "uri" rule.

This URL is already in my "AC_SPAMMY_URI" template group, though I don't know if this particular one has been released or not (I never sent an update since the first batch a few months ago), and even if so the current version would not have caught it due to being a bit too restrictive.

Try this:

uri __AC_LONGSTRS_URI   /\/[0-9]{8}(?:\/[a-z0-9_~]{50,}){3}\b/

Score as desired (I assign 3 points to all AC_SPAMMY_URI templates, but the released ones score differently).

--- Amir
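To see what Amir's rule actually selects for, and to put Dave Funk's and John Hardin's false-positive caveat to the test, here is an added example (not code from the thread or from SpamAssassin) that runs the same regular expression over the URLs Philip posted plus two constructed ham-style URLs. The constructed URLs, the example.com hosts and the function names are assumptions for this demonstration; the pattern and the 3-point meta score are the ones Amir gives above.

```python
import re

# Amir's "uri" rule body from the thread, as a Python regular expression.
# SpamAssassin runs uri rules against every URI it extracts from a message,
# so the equivalent here is to search each URL string on its own.
AC_LONGSTRS_URI = re.compile(r"/[0-9]{8}(?:/[a-z0-9_~]{50,}){3}\b")

# URLs quoted in the thread, kept with the "####" redaction as posted.
THREAD_SAMPLES = {
    "mab####sut.com": (
        "http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce"
        "/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm"
        "/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd"
        "/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol"
    ),
    "iea####to.com": "http://iea####to.com/whos/be2aaf2163fd72c9975ec76b00288831",
    "cp.mk-k####bcc.com": (
        "http://cp.mk-k####bcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1"
        "abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f"
    ),
}

# Constructed ham-style URLs (not from the thread) used to probe the rule's edges.
# A typical newsletter click-tracker: long hex token, but no /NNNNNNNN/ path segment.
NEWSLETTER_TRACKING_URL = "http://links.example.com/click?id=" + "0123456789abcdef" * 4
# The shape Dave Funk warns about: an 8-digit reference followed by three long
# lowercase tokens, as a booking or confirmation system could plausibly emit.
CONSTRUCTED_FP_URL = (
    "http://booking.example.com/12345678/" + "a" * 60 + "/" + "b" * 60 + "/" + "c" * 60
)


def rule_hits(uri):
    """True when __AC_LONGSTRS_URI would match this URI."""
    return AC_LONGSTRS_URI.search(uri) is not None


def scan(uris):
    """Return the subset of URIs the rule matches, in input order."""
    return [u for u in uris if rule_hits(u)]


# Mirror the scoring caveat from the thread: a rule whose name starts with "__"
# is a scoreless subrule, so the points have to come from a meta rule that uses it.
META_SCORE = 3.0  # the value Amir says he assigns to his AC_SPAMMY_URI templates


def ac_spammy_uri_score(uris):
    """Score a meta rule 'AC_SPAMMY_URI (__AC_LONGSTRS_URI)' would contribute."""
    return META_SCORE if scan(uris) else 0.0


if __name__ == "__main__":
    for label, uri in THREAD_SAMPLES.items():
        print(f"{label:22} hit={rule_hits(uri)}")
    print("newsletter tracker hit =", rule_hits(NEWSLETTER_TRACKING_URL))
    print("constructed FP shape hit =", rule_hits(CONSTRUCTED_FP_URL))
```

The run shows the rule is narrower than "long gibberish": the first sample fires, the two shorter samples and the newsletter tracker do not, but the constructed 8-digit-plus-three-tokens URL does, which is exactly the false-positive surface Dave describes. Keeping the subrule inside a meta with other signals, rather than scoring it alone, is the mitigation the thread converges on.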

Re: Can't keep up with spam from SolarVPS sites

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Jun 9, 2014, at 4:25 PM, John Hardin <jh...@impsec.org> wrote:

> On Mon, 9 Jun 2014, Philip Prindeville wrote:
> 
>>>>>> We’re getting a lot of spam that contains URLs which look like (remove the ####):
>>>>>> 
>>>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>> 
>> BTW, I found that the last N characters of the above URLs were always the same, and tried to do a “body” rule based on those last N characters, but I couldn’t get the rule to match.
>> 
>> Still not sure why.  The entire <a ...> sequence is only 382 characters long.
>> 
>> Any ideas?
> 
> If it's in an HTML anchor tag the URL itself isn't in the "body" text, only the display label will be.
> 
> Try a "uri" rule.


Thanks, that did it.

-Philip


Re: Can't keep up with spam from SolarVPS sites

Posted by John Hardin <jh...@impsec.org>.
On Mon, 9 Jun 2014, Philip Prindeville wrote:

>>>>> We’re getting a lot of spam that contains URLs which look like (remove the ####):
>>>>>
>>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>
> BTW, I found that the last N characters of the above URLs were always 
> the same, and tried to do a “body” rule based on those last N 
> characters, but I couldn’t get the rule to match.
>
> Still not sure why.  The entire <a ...> sequence is only 382 characters 
> long.
>
> Any ideas?

If it's in an HTML anchor tag the URL itself isn't in the "body" text, 
only the display label will be.

Try a "uri" rule.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws cannot reduce violent crime, because gun control
   laws focus obsessively on a tool a criminal might use to commit a
   crime rather than the criminal himself and his act of violence.
-----------------------------------------------------------------------
  739 days since the first successful private support mission to ISS (SpaceX)
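John's point (a "body" rule sees the rendered text, a "uri" rule sees the anchor targets) is easy to verify. The following is an added example, not code from the thread or from SpamAssassin: it uses Python's stdlib HTML parser to separate the two views of a constructed HTML message and then applies Philip's "last N characters" idea to each. The message, its hosts and the function names are assumptions; only the path suffix is taken from the URLs quoted above, with the long middle of the path shortened.

```python
import re
from html.parser import HTMLParser

# Constructed HTML message body (not a real sample from the thread). The href
# ends with the suffix Philip noticed, behind a short visible label; the long
# middle of the path is replaced by a constructed placeholder segment.
SAMPLE_HTML = """\
<html><body>
<p>Your statement is ready.</p>
<p><a href="http://mab####sut.com/20220362/constructed_token_in_place_of_the_long_path/utdzeumt9cul_ol">View it online</a></p>
<p>Regards, the team</p>
</body></html>
"""

# The "last N characters" Philip tried to match on, as a regex.
SUFFIX_RE = re.compile(r"utdzeumt9cul_ol\b")


class _AnchorScanner(HTMLParser):
    """Collect what a 'body' rule sees (rendered text) and what a 'uri' rule sees (hrefs)."""

    def __init__(self):
        super().__init__()
        self.text_chunks = []
        self.uris = []
        self._skip_depth = 0  # inside <script>/<style>, which render no text

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.uris.append(value)
        elif tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth and data.strip():
            self.text_chunks.append(data.strip())


def _scan(html):
    parser = _AnchorScanner()
    parser.feed(html)
    parser.close()
    return parser


def rendered_text(html):
    """The text a reader (and a 'body' rule) sees: labels, not targets."""
    return " ".join(_scan(html).text_chunks)


def extract_uris(html):
    """The anchor targets a 'uri' rule is run against."""
    return list(_scan(html).uris)


def body_rule_matches(html, pattern=SUFFIX_RE):
    """Philip's attempt: the suffix is searched in rendered text, where the href is absent."""
    return pattern.search(rendered_text(html)) is not None


def uri_rule_matches(html, pattern=SUFFIX_RE):
    """John's suggestion: the same pattern searched in each extracted URI."""
    return any(pattern.search(u) for u in extract_uris(html))


if __name__ == "__main__":
    print("body sees :", rendered_text(SAMPLE_HTML))
    print("uri sees  :", extract_uris(SAMPLE_HTML))
    print("body rule :", body_rule_matches(SAMPLE_HTML))
    print("uri rule  :", uri_rule_matches(SAMPLE_HTML))
```

The rendered text contains only "View it online", so the body rule never sees the 382-character anchor at all; the same suffix pattern matches as soon as it is applied to the extracted URI list, which is what switching the rule type to "uri" does.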

Re: Can't keep up with spam from SolarVPS sites

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 10 Jun 2014, Axb wrote:

> On 06/10/2014 12:17 AM, Philip Prindeville wrote:
>>>> 
>>>> nope... with rbldnsd you set your BL zone to use the ip4trie
>>>> dataset
>>>> 
>>>> which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
>>>> 
>>>> ip4trie Dataset Set of IP4 CIDR ranges with corresponding (A,
>>>> TXT) values. This dataset is similar to ip4set, but uses a
>>>> different internal representation. It accepts CIDR ranges only
>>>> (not a.b.c.d−e.f.g.h), and allows for the specification of A/TXT
>>>> values on a per CIDR range basis. (If multiple CIDR ranges match
>>>> a query, the value for longest matching prefix is returned.)
>>>> Exclusions are supported too.
>> 
>> Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn’t
>> able to infer this from the documentation you pointed at.
>
> no idea... I don't use Bind.
>
> rbldnsd (the "industry standard") is way more efficient and lightweight 
> designed especially for "dnsbl" usage.

BIND always breaks its reverse maps on class /C octet boundaries so to
represent 65.181.64.0/18 you'd have to utilize 64 class /C zones.

Having run a RBL with BIND and then moved to rbldnsd, I agree completely
with Axb. rbldnsd -is- the way to go. If you need the power and configurability
of BIND, then put it in front of rbldnsd, but use rbldnsd for the actual zone 
data.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Can't keep up with spam from SolarVPS sites

Posted by Axb <ax...@gmail.com>.
On 06/10/2014 12:17 AM, Philip Prindeville wrote:
>>>
>>> nope... with rbldnsd you set your BL zone to use the ip4trie
>>> dataset
>>>
>>> which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
>>>
>>> ip4trie Dataset Set of IP4 CIDR ranges with corresponding (A,
>>> TXT) values. This dataset is similar to ip4set, but uses a
>>> different internal representation. It accepts CIDR ranges only
>>> (not a.b.c.d−e.f.g.h), and allows for the specification of A/TXT
>>> values on a per CIDR range basis. (If multiple CIDR ranges match
>>> a query, the value for longest matching prefix is returned.)
>>> Exclusions are supported too.
>
> Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn’t
> able to infer this from the documentation you pointed at.

no idea... I don't use Bind.

rbldnsd (the "industry standard") is way more efficient and lightweight 
designed especially for "dnsbl" usage.



Re: Can't keep up with spam from SolarVPS sites

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Jun 9, 2014, at 3:10 PM, Axb <ax...@gmail.com> wrote:

> On 06/09/2014 11:03 PM, Philip Prindeville wrote:
>> 
>> On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:
>> 
>>> If you have to post a spam sample, pls use pastebin and post the full msg
>>> 
>>> On 06/06/2014 11:32 PM, Philip Prindeville wrote:
>>>> We’re getting a lot of spam that contains URLs which look like (remove the ####):
>>>> 
>>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>> 
>>>> Some observations… The URLs should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?
>>> 
>>> Pls note that any rule shared via lists usually loses its teeth within a few hours .-)
>> 
>> Well, it depends on the nature of the rule…  Some characteristics are less fungible than others.


BTW, I found that the last N characters of the above URLs were always the same, and tried to do a “body” rule based on those last N characters, but I couldn’t get the rule to match.

Still not sure why.  The entire <a ...> sequence is only 382 characters long.

Any ideas?


>> 
>> 
>>> 
>>>> 
>>>> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.
>>>> 
>>>> Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?
>>> 
>>> Yes, there is:
>>> 
>>> run a local A record blacklist with rbldnsd
>>> 
>>> 65.181.64.0/18
>>> 
>>> and a rule like, for example:
>>> 
>>> uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
>>> body      YOUR_A_URIBL	eval:check_uridnsbl('YOUR_A_URIBL')
>>> describe  YOUR_A_URIBL	URL domain A rec listed by YOUR_A_URIBL
>>> score     YOUR_A_URIBL  5.0
>>> tflags	 YOUR_A_URIBL	net a
>>> 
>>> 
>> 
>> 
>> If I used local A records, for a /18 network, I’d need all 2^14 records, right?
>> 
>> Because a lookup is always on a full dotted-quad (in reverse order)…
> 
> 
> nope... with rbldnsd you set your BL zone to use the ip4trie dataset
> 
> which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html
> 
> ip4trie Dataset
> Set of IP4 CIDR ranges with corresponding (A, TXT) values. This dataset is similar to ip4set, but uses a different internal representation. It accepts CIDR ranges only (not a.b.c.d−e.f.g.h), and allows for the specification of A/TXT values on a per CIDR range basis. (If multiple CIDR ranges match a query, the value for longest matching prefix is returned.) Exclusions are supported too.


Okay, and what would 65.181.64.0/18 look like as a BIND RR?  I wasn’t able to infer this from the documentation you pointed at.



> 
>> 
>> I tried using multi.uribl.com and couldn’t get this to work.
>> 
>> I had:
>> 
>> urirhssub L_URIBL_BLACK         multi.uribl.com. A 2
>> body L_URIBL_BLACK              eval:check_uridnsbl('L_URIBL_BLACK')
>> describe L_URIBL_BLACK          Contains a URL listed in the URIBL blacklist
>> tflags L_URIBL_BLACK            net
>> score L_URIBL_BLACK             20.0
> 
> URIBL is enabled by default in SA - no need to add extra rules.
> 
>> 
>> set, and also:
>> 
>> skip_rbl_checks 0
>> 
>> at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.
>> 
>> Running this over the message in a file:
>> 
>> spamassassin -t --lint -D < /tmp/cable.eml
>> 
>> I get:
>> 
>> …
>> Jun  9 14:57:13.029 [32297] dbg: rules: compiled meta tests
>> Jun  9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
>> Jun  9 14:57:13.032 [32297] dbg: check: tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
>> Jun  9 14:57:13.032 [32297] dbg: check: subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
>> Jun  9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)
>> 
>> 
>> so I’m not sure why it’s failing to find nqtel.com in the uribl.com database.
>> What am I missing?
> 
> --lint doesn't do network tests
> 


Okay, taking out --lint changed the results.

Thanks,

-Philip


Re: Can't keep up with spam from SolarVPS sites

Posted by Axb <ax...@gmail.com>.
On 06/09/2014 11:03 PM, Philip Prindeville wrote:
>
> On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:
>
>> If you have to post a spam sample, pls use pastebin and post the full msg
>>
>> On 06/06/2014 11:32 PM, Philip Prindeville wrote:
>>> We’re getting a lot of spam that contains URLs which look like (remove the ####):
>>>
>>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
>>
>>> Some observations… The URLs should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?
>>
>> Pls note that any rule shared via lists usually loses its teeth within a few hours .-)
>
> Well, it depends on the nature of the rule…  Some characteristics are less fungible than others.
>
>
>>
>>>
>>> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.
>>>
>>> Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?
>>
>> Yes, there is:
>>
>> run a local A record blacklist with rbldnsd
>>
>> 65.181.64.0/18
>>
>> and a rule like, for example:
>>
>> uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
>> body      YOUR_A_URIBL	eval:check_uridnsbl('YOUR_A_URIBL')
>> describe  YOUR_A_URIBL	URL domain A rec listed by YOUR_A_URIBL
>> score     YOUR_A_URIBL  5.0
>> tflags	 YOUR_A_URIBL	net a
>>
>>
>
>
> If I used local A records, for a /18 network, I’d need all 2^14 records, right?
>
> Because a lookup is always on a full dotted-quad (in reverse order)…


nope... with rbldnsd you set your BL zone to use the ip4trie dataset

which as per http://www.corpit.ru/mjt/rbldnsd/rbldnsd.8.html

ip4trie Dataset
Set of IP4 CIDR ranges with corresponding (A, TXT) values. This dataset 
is similar to ip4set, but uses a different internal representation. It 
accepts CIDR ranges only (not a.b.c.d−e.f.g.h), and allows for the 
specification of A/TXT values on a per CIDR range basis. (If multiple 
CIDR ranges match a query, the value for longest matching prefix is 
returned.) Exclusions are supported too.

>
> I tried using multi.uribl.com and couldn’t get this to work.
>
> I had:
>
> urirhssub L_URIBL_BLACK         multi.uribl.com. A 2
> body L_URIBL_BLACK              eval:check_uridnsbl('L_URIBL_BLACK')
> describe L_URIBL_BLACK          Contains a URL listed in the URIBL blacklist
> tflags L_URIBL_BLACK            net
> score L_URIBL_BLACK             20.0

URIBL is enabled by default in SA - no need to add extra rules.

>
> set, and also:
>
> skip_rbl_checks 0
>
> at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.
>
> Running this over the message in a file:
>
> spamassassin -t --lint -D < /tmp/cable.eml
>
> I get:
>
> …
> Jun  9 14:57:13.029 [32297] dbg: rules: compiled meta tests
> Jun  9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
> Jun  9 14:57:13.032 [32297] dbg: check: tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
> Jun  9 14:57:13.032 [32297] dbg: check: subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
> Jun  9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)
>
>
> so I’m not sure why it’s failing to find nqtel.com in the uribl.com database.
> What am I missing?

--lint doesn't do network tests
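
An added example (not code from the thread and not rbldnsd's own) that emulates the ip4trie lookup Axb points to: the host portion of each URL is resolved (through a constructed stub so it runs offline), every A record is matched against CIDR entries with longest-prefix-wins semantics and an exclusion, and a hit returns the 127.0.0.2 value the uridnssub rule above expects. The host names, the A records and the 65.181.100.0/24 exclusion are constructed; only 65.181.64.0/18 comes from the thread.

```python
"""Emulation of an rbldnsd ip4trie URI blacklist lookup (added example, not
rbldnsd's own code). Host names, the /24 exclusion and the A records below are
constructed so the example runs offline."""
import ipaddress
from urllib.parse import urlsplit

# Zone entries in the spirit of an ip4trie dataset: (cidr, A value); None marks
# an exclusion (rbldnsd writes those with a leading '!'). 65.181.64.0/18 is the
# block named in the thread; the /24 exclusion is constructed.
ZONE = [
    ("65.181.64.0/18", "127.0.0.2"),
    ("65.181.100.0/24", None),
]

# Constructed stand-in for DNS A lookups: host -> list of addresses.
FAKE_A_RECORDS = {
    "listed.example": ["65.181.70.9"],
    "excluded.example": ["65.181.100.5"],
    "clean.example": ["192.0.2.10"],
    "multi.example": ["192.0.2.11", "65.181.127.254"],
}


def lookup(ip, zone=ZONE):
    """Longest-matching-prefix lookup as ip4trie does it: one /18 entry covers
    the whole block (no need for 2^14 host records), and a more specific
    exclusion wins over it. Returns the A value for the most specific matching
    range, or None if the address is unlisted or excluded."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, value in zone:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def url_host(url):
    """Host portion of a URL, without scheme, port, userinfo or path."""
    return (urlsplit(url).hostname or "").lower()


def uri_listed(url, resolver=FAKE_A_RECORDS.get, zone=ZONE):
    """Mimic what SA's uridnssub rule would see: resolve the URL's host and
    report the first listed A record's value (127.0.0.2 here), else None."""
    for ip in resolver(url_host(url)) or []:
        value = lookup(ip, zone)
        if value is not None:
            return value
    return None
```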

Re: Can't keep up with spam from SolarVPS sites

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:

> If you have to post a spam sample, pls use pastebin and post the full msg
> 
> On 06/06/2014 11:32 PM, Philip Prindeville wrote:
>> We’re getting a lot of spam that contains URL’s which look like (remove the ####):
>> 
>> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol
> 
>> Some observations… The URL’s should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?
> 
> Pls note that any rule shared via lists usually loses its teeth within a few hours .-)

Well, it depends on the nature of the rule…  Some characteristics are less fungible than others.


> 
>> 
>> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.
>> 
>> Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?
> 
> Yes, there is:
> 
> run a local A record blacklist with rbldnsd
> 
> 65.181.64.0/18
> 
> and a rule like, for example:
> 
> uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
> body      YOUR_A_URIBL	eval:check_uridnsbl('YOUR_A_URIBL')
> describe  YOUR_A_URIBL	URL domain A rec listed by YOUR_A_URIBL
> score     YOUR_A_URIBL  5.0
> tflags	 YOUR_A_URIBL	net a
> 
> 


If I used local A records, for a /18 network, I’d need all 2^14 records, right?

Because a lookup is always on a full dotted-quad (in reverse order)…

I tried using multi.uribl.com and couldn’t get this to work.

I had:

urirhssub L_URIBL_BLACK         multi.uribl.com. A 2
body L_URIBL_BLACK              eval:check_uridnsbl('L_URIBL_BLACK')
describe L_URIBL_BLACK          Contains a URL listed in the URIBL blacklist
tflags L_URIBL_BLACK            net
score L_URIBL_BLACK             20.0


set, and also:

skip_rbl_checks 0

at the end of /etc/mail/spamassassin/sa-mimedefang.cf set.

Running this over the message in a file:

spamassassin -t --lint -D < /tmp/cable.eml

I get:

…
Jun  9 14:57:13.029 [32297] dbg: rules: compiled meta tests
Jun  9 14:57:13.032 [32297] dbg: check: is spam? score=-2.348 required=5
Jun  9 14:57:13.032 [32297] dbg: check: tests=L_EMPTY_SENDER,MISSING_DATE,MISSING_HEADERS,NO_RECEIVED,NO_RELAYS
Jun  9 14:57:13.032 [32297] dbg: check: subtests=__BODY_TEXT_LINE,__EMPTY_BODY,__EMPTY_SENDER,__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__L_UNDISCLOSED2,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__NOT_SPOOFED,__SANE_MSGID,__TO_NO_ARROWS_R,__UNUSABLE_MSGID
Jun  9 14:57:13.033 [32297] dbg: timing: total 1908 ms - init: 1384 (72.5%), parse: 1.17 (0.1%), extract_message_metadata: 11 (0.6%), get_uri_detail_list: 1.06 (0.1%), tests_pri_-1000: 9 (0.5%), compile_gen: 202 (10.6%), compile_eval: 37 (1.9%), tests_pri_-950: 6 (0.3%), tests_pri_-900: 7 (0.4%), tests_pri_-400: 6 (0.3%), tests_pri_0: 404 (21.2%), tests_pri_500: 75 (3.9%)


so I’m not sure why it’s failing to find nqtel.com in the uribl.com database.

What am I missing?

-Philip


Re: Can't keep up with spam from SolarVPS sites

Posted by Axb <ax...@gmail.com>.
On 06/07/2014 02:36 AM, Philip Prindeville wrote:
>
> On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:
>
>> If you have to post a spam sample, pls use pastebin and post the full msg
>>
>
> Here’s a prototype:
>
> http://ur1.ca/hgxkx

This is just the generic daily snowshoe type of spam.
One or more URIBLs detects them.

The kind of stuff which so often comes from 
EONIX/HOSTWINDS/COLOCROSSING/etc networks.


woeno.com listed on black.uribl.com
woeno.com listed on jp.surbl.org
woeno.com listed on uri.invaluement.com


As your sample does not show an SA report, it's hard to tell whether it hit SURBL's 
JP or URIBL_BLACK (uri.invaluement.com is not a public list).


Capturing Matches for Rules

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2014-06-07 at 03:50 +0200, me wrote:
> That Return-Path really sticks out. It's basically the From: address
> with embedded To: address.

So, in addition to the "From matches To" and occasional other situations
where remembering matches for subsequent regex based rules would come in
handy, this is another one.

I am currently pondering possible implementations and writing a plugin
to support capturing and back-referral.


FYI only. Or in case you want to share opinions. Or send caffeine. Or
beer. ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Can't keep up with spam from SolarVPS sites

Posted by John Hardin <jh...@impsec.org>.
On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

> On Fri, 2014-06-06 at 19:02 -0700, John Hardin wrote:
>> On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:
>
>>> That Return-Path really sticks out. It's basically the From: address
>>> with embedded To: address.
>
>> It would be possible to do a multiple-header rule with captures and
>> backreferences to capture the camel-case, destination email and source
>> domain parts and verify that the Return-Path+From+To header triplet
>> matches this pattern.
>
> I bet you by 2 minutes! ;)

:-P

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   We have to realize that people who run the government can and do
   change. Our society and laws must assume that bad people -
   criminals even - will run the government, at least part of the
   time.                                               -- John Gilmore
-----------------------------------------------------------------------
  Today: the 70th anniversary of D-Day

Re: Can't keep up with spam from SolarVPS sites

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 19:02 -0700, John Hardin wrote:
> On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

> > That Return-Path really sticks out. It's basically the From: address
> > with embedded To: address.

> It would be possible to do a multiple-header rule with captures and 
> backreferences to capture the camel-case, destination email and source 
> domain parts and verify that the Return-Path+From+To header triplet 
> matches this pattern.

I bet you by 2 minutes! ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Can't keep up with spam from SolarVPS sites

Posted by John Hardin <jh...@impsec.org>.
On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:

> On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:
>> On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:
>>
>>> If you have to post a spam sample, pls use pastebin and post the full msg
>>
>> Here’s a prototype:
>> http://ur1.ca/hgxkx
>
> That Return-Path really sticks out. It's basically the From: address
> with embedded To: address.
>
> The following rule (beware, entirely untested) would match that pattern.
> A camel-cased string, hyphen, email address with equal sign substituted
> for "@", followed by @ (and an arbitrary domain).
>
>  header  CAMEL_CASE  Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/
>
> You will of course have to substitute your address. If there are
> multiple valid user names, you could use something like /[a-z]+/ instead
> of an actual user name.

It would be possible to do a multiple-header rule with captures and 
backreferences to capture the camel-case, destination email and source 
domain parts and verify that the Return-Path+From+To header triplet 
matches this pattern.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   When I say "I don't want the government to do X", do not
   automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
  Today: the 70th anniversary of D-Day

Re: Can't keep up with spam from SolarVPS sites

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:
> On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:
> 
> > If you have to post a spam sample, pls use pastebin and post the full msg
> 
> Here’s a prototype:
> http://ur1.ca/hgxkx

That Return-Path really sticks out. It's basically the From: address
with embedded To: address. Spaces added for convenience.

  CamelCasedPayload - user=recipient.net @ example.com

Depending on the number of individual recipient addresses, there are
multiple approaches for rules possible. Matching a specific target
address, including the whole domain, or even seriously complex rules
also taking the From: header into account.

In either case, be careful to NOT simply match your address embedded
like that, because that's close to how mailing-lists do it. Compare this
message's Return-Path.


The following rule (beware, entirely untested) would match that pattern.
A camel-cased string, hyphen, email address with equal sign substituted
for "@", followed by @ (and an arbitrary domain).

  header  CAMEL_CASE  Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/

You will of course have to substitute your address. If there are
multiple valid user names, you could use something like /[a-z]+/ instead
of an actual user name.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
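
An added example in Python (not code from the thread, nor a SpamAssassin rule) of the cross-header check John Hardin describes, built on Karsten's Return-Path pattern: named groups stand in for the captures, and the captured payload, domain and embedded recipient are compared against From: and To:. It assumes, beyond what the thread states, that From: is payload@domain and that To: is the embedded address with '=' restored to '@'; the three sample messages are constructed, and the list-style one shows why matching the embedded address alone is not enough.

```python
"""Cross-header Return-Path / From / To consistency check (added example, not
code from the thread or from SpamAssassin). Return-Path is expected to look like
CamelCasedPayload-user=recipient.net@example.com; the assumption (not in the
thread) is that From: is payload@domain and To: is the embedded address."""
import re
from email import message_from_string
from email.utils import parseaddr

# Named groups stand in for the captures a cross-header SA rule would need.
RETURN_PATH_RE = re.compile(
    r"^(?P<payload>(?:[A-Z][a-z]+){3,})-"                  # camel-case, hyphen
    r"(?P<rcpt_local>[^@=\s]+)=(?P<rcpt_domain>[^@\s]+)@"  # To: with '@' as '='
    r"(?P<domain>[^@\s]+)$"                                # sender domain
)


def triplet_matches(raw_message):
    """True only when Return-Path has the pattern AND its captured parts agree
    with From: and To:, so a lone embedded recipient address (which mailing
    lists produce in a similar way) does not fire the rule by itself."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    m = RETURN_PATH_RE.match(return_path)
    if not m:
        return False
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    expected_from = f"{m['payload']}@{m['domain']}".lower()
    expected_to = f"{m['rcpt_local']}@{m['rcpt_domain']}".lower()
    return sender == expected_from and recipient == expected_to


# Constructed snowshoe-style sample matching the thread's description.
SPAM_SAMPLE = """Return-Path: <CamelCasedPayload-user=recipient.net@example.com>
From: Sender <CamelCasedPayload@example.com>
To: user@recipient.net
"""

# Constructed list-style sample: the recipient is embedded much the same way,
# but the payload is not camel-cased and From: is unrelated, so no hit.
LIST_SAMPLE = """Return-Path: <users-return-12345-user=recipient.net@lists.example.org>
From: Someone <someone@example.net>
To: user@recipient.net
"""

# Constructed sample whose Return-Path fits the regex but From: disagrees.
MISMATCH_SAMPLE = """Return-Path: <AbcDefGhi-user=recipient.net@example.com>
From: Other <other@example.com>
To: user@recipient.net
"""
```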


Re: Can't keep up with spam from SolarVPS sites

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Jun 6, 2014, at 3:50 PM, Axb <ax...@gmail.com> wrote:

> If you have to post a spam sample, pls use pastebin and post the full msg
> 

Here’s a prototype:

http://ur1.ca/hgxkx



Re: Can't keep up with spam from SolarVPS sites

Posted by Axb <ax...@gmail.com>.
On 06/07/2014 02:02 AM, Karsten Bräckelmann wrote:
> On Fri, 2014-06-06 at 23:50 +0200, Axb wrote:
>>> [...]  Anyone have some working rules they could share?
>>
>> Pls note that any rule shared via lists usually loses its teeth within
>> a few hours .-)
>
> Sorry, that's incorrect. The SA commits mailing list is not code only,
> but includes rules/ and sandbox/ commits.

and how many 'public' static rules detect snowshoe spam? It's closer to 
zero than anything else.

Pillz/replica/etc (the usual bot stuff) holds better against static 
pattern rules.

> Moreover, even by a very long stretch of "few hours", no regex or
> general pattern based rule older than a year could possibly match
> today's spam. That species exists, though.

That we know... which is why autogenerated SOUGHT_ like rules are so useful.

With the latest waves of hacked site spam, there's hardly any static 
patterns. Thanks to a nicely fed Bayes DB and fast acting IP/URI lists 
the stuff stays under control.



Re: Can't keep up with spam from SolarVPS sites

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-06-06 at 23:50 +0200, Axb wrote:
> > [...]  Anyone have some working rules they could share?
> 
> Pls note that any rule shared via lists usually loses its teeth within 
> a few hours .-)

Sorry, that's incorrect. The SA commits mailing list is not code only,
but includes rules/ and sandbox/ commits.

Moreover, even by a very long stretch of "few hours", no regex or
general pattern based rule older than a year could possibly match
today's spam. That species exists, though.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Can't keep up with spam from SolarVPS sites

Posted by Axb <ax...@gmail.com>.
If you have to post a spam sample, pls use pastebin and post the full msg

On 06/06/2014 11:32 PM, Philip Prindeville wrote:
> We’re getting a lot of spam that contains URL’s which look like (remove the ####):
>
> http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

> Some observations… The URL’s should be fairly easy to filter against via a regex.  Anyone have some working rules they could share?

Pls note that any rule shared via lists usually loses its teeth within 
a few hours .-)

>
> The other thing is, the URL is almost always hosted by solarvps.com, in the CIDR block 65.181.64.0/18.
>
> Is there an easy way to do a domain lookup on the host portion of the URL and then filter it if it’s in this subnet?

Yes, there is:

run a local A record blacklist with rbldnsd

65.181.64.0/18

and a rule like, for example:

uridnssub  YOUR_A_URIBL yourabl.example.net.  A  127.0.0.2
body      YOUR_A_URIBL	eval:check_uridnsbl('YOUR_A_URIBL')
describe  YOUR_A_URIBL	URL domain A rec listed by YOUR_A_URIBL
score     YOUR_A_URIBL  5.0
tflags	 YOUR_A_URIBL	net a