Posted to users@spamassassin.apache.org by ha...@t-online.de on 2007/01/24 11:46:31 UTC

Re: new RX stuff

>> 
>> On Wed, Jan 24, 2007 at 11:11:20AM +0200, Henrik Krohns wrote:
>> > On Wed, Jan 24, 2007 at 05:41:33AM -0000, hamann.w@t-online.de wrote:
>> > > 
>> > > 
>> > > since yesterday I have seen quite a few of them:
>> > > Will we eventually get a check for obfuscated urls?
>> > > 
>> > > Wolfgang
>> > > 
>> > > http://www.bullshit*com (Important! Replace "*" with "." )
>> > 
>> > I'm running something like this..
>> > 
>> > body HK_OBFDOM /http:(?:\/|\\|\|)+[a-z0-9._-]*[^a-z0-9._\/\\\s-]+[a-z0-9._\\\/-]/i
>> > describe HK_OBFDOM Domain contains illegal characters
>> > score HK_OBFDOM 2.5
>> > 
>> > body __hk_obfdomreq1 /\b(?:remove|replace)\b/i
>> > body __hk_obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
>> > meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1 && __hk_obfdomreq2)
>> > describe HK_OBFDOMREQ Request to modify obfuscated domain
>> > score HK_OBFDOMREQ 2
>> 
>> Oops, "body HK_OBFDOM" being "uri HK_OBFDOM" of course..
>> 
>> Cheers,
>> Henrik
>> 
Hi Henrik,

thanks a lot. I guess that the meta could use an || rather than &&; my samples all had "replace"
but neither "address" nor "domain".

Wolfgang




Re: new RX stuff

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Wednesday, January 24, 2007 2:11 PM +0200 Henrik Krohns 
<he...@stream.hege.li> wrote:

> I guess this works until spammers just use a "remove the space from
> domain" method, which pretty much defeats the uri handler. :)

Perhaps a simpler test is to see if the domain is resolvable by the 
recipient. That will still generate FP's (because the server might not have 
the same view of DNS as the recipient) but it might be worth a point.



Re: new RX stuff

Posted by Henrik Krohns <he...@stream.hege.li>.
On Wed, Jan 24, 2007 at 12:55:47PM +0200, Henrik Krohns wrote:
> On Wed, Jan 24, 2007 at 10:46:31AM -0000, hamann.w@t-online.de wrote:
> > >> 
> > >> On Wed, Jan 24, 2007 at 11:11:20AM +0200, Henrik Krohns wrote:
> > >> > On Wed, Jan 24, 2007 at 05:41:33AM -0000, hamann.w@t-online.de wrote:
> > >> > > 
> > >> > > 
> > >> > > since yesterday I have seen quite a few of them:
> > >> > > Will we eventually get a check for obfuscated urls?
> > >> > > 
> > >> > > Wolfgang
> > >> > > 
> > >> > > http://www.bullshit*com (Important! Replace "*" with "." )
> > >> > 
> > >> > I'm running something like this..
> > >> > 
> > >> > body HK_OBFDOM /http:(?:\/|\\|\|)+[a-z0-9._-]*[^a-z0-9._\/\\\s-]+[a-z0-9._\\\/-]/i
> > >> > describe HK_OBFDOM Domain contains illegal characters
> > >> > score HK_OBFDOM 2.5
> > >> > 
> > >> > body __hk_obfdomreq1 /\b(?:remove|replace)\b/i
> > >> > body __hk_obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
> > >> > meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1 && __hk_obfdomreq2)
> > >> > describe HK_OBFDOMREQ Request to modify obfuscated domain
> > >> > score HK_OBFDOMREQ 2
> > >> 

Ok here is a whole new version, which should handle logins and ports and
other garbage and not create FPs from those.

uri HK_OBFDOM /^https?:\/\/ [a-z0-9._-]*? (?: [^a-z0-9._':\@\/-] | :[^0-9] ) (?: .*?\/ | .*?[a-z]$ ) /ix

I guess this works until spammers just use a "remove the space from domain"
method, which pretty much defeats the uri handler. :)

Cheers,
Henrik
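
An added example, not from the thread: it transcribes Henrik's HK_OBFDOM uri rule above and his earlier body/meta rules into Python and runs them over constructed URIs, so the "handles logins and ports" claim can be checked case by case; the function names are mine, and the last sample assumes the URI extractor stops at the space Henrik mentions. It also evaluates the && meta on Wolfgang's sample line, where the quoted single character satisfies __hk_obfdomreq2 even though neither "domain" nor "address" appears.

```python
import re

# Henrik's rules from this thread, transcribed into Python regex syntax.
# Perl's /ix maps to re.I | re.X; '@' and '/' need no backslash in Python.
HK_OBFDOM = re.compile(
    r"""^https?://
        [a-z0-9._-]*?                     # lazily eat a well-formed host prefix
        (?: [^a-z0-9._':@/-] | :[^0-9] )  # an illegal char, or ':' not starting a port
        (?: .*?/ | .*?[a-z]$ )            # then a path, or a host ending in a letter
    """,
    re.I | re.X,
)
BODY_REQ1 = re.compile(r"\b(?:remove|replace)\b", re.I)
BODY_REQ2 = re.compile(r"""(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')""", re.I)


def is_obfuscated(uri: str) -> bool:
    """True when HK_OBFDOM would fire on one extracted URI."""
    return HK_OBFDOM.search(uri) is not None


def classify(uris):
    """Map each URI to its HK_OBFDOM verdict."""
    return {u: is_obfuscated(u) for u in uris}


def hk_obfdomreq(uris, body: str) -> bool:
    """The HK_OBFDOMREQ meta with Henrik's original && logic."""
    return (any(is_obfuscated(u) for u in uris)
            and BODY_REQ1.search(body) is not None
            and BODY_REQ2.search(body) is not None)


# Constructed URIs (the first is Wolfgang's sample) with the expected verdict.
SAMPLES = {
    "http://www.bullshit*com": True,         # the thread's obfuscated sample
    "http://www.bullshit*com/offer": True,   # same trick, with a path
    "http://www.example.com/": False,        # plain URI
    "https://example.com:8080/path": False,  # port: ':' followed by a digit
    "http://user@example.com/": False,       # login without a password
    "http://user:pass@example.com/": True,   # login with a password still fires (FP)
    "http://www.bullshit": False,            # token left once a space splits the host
}

if __name__ == "__main__":
    for uri, verdict in classify(SAMPLES).items():
        print(f"{'HIT ' if verdict else 'pass'} {uri}")
    body = 'http://www.bullshit*com (Important! Replace "*" with "." )'
    print("HK_OBFDOMREQ:", hk_obfdomreq(["http://www.bullshit*com"], body))
```

The user:pass@ line is worth noting: the `:[^0-9]` branch treats the colon before a non-numeric password as an illegal character, so that login form is not covered by the rule as posted.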

Re: new RX stuff

Posted by Henrik Krohns <he...@stream.hege.li>.
On Wed, Jan 24, 2007 at 10:46:31AM -0000, hamann.w@t-online.de wrote:
> >> 
> >> On Wed, Jan 24, 2007 at 11:11:20AM +0200, Henrik Krohns wrote:
> >> > On Wed, Jan 24, 2007 at 05:41:33AM -0000, hamann.w@t-online.de wrote:
> >> > > 
> >> > > 
> >> > > since yesterday I have seen quite a few of them:
> >> > > Will we eventually get a check for obfuscated urls?
> >> > > 
> >> > > Wolfgang
> >> > > 
> >> > > http://www.bullshit*com (Important! Replace "*" with "." )
> >> > 
> >> > I'm running something like this..
> >> > 
> >> > body HK_OBFDOM /http:(?:\/|\\|\|)+[a-z0-9._-]*[^a-z0-9._\/\\\s-]+[a-z0-9._\\\/-]/i
> >> > describe HK_OBFDOM Domain contains illegal characters
> >> > score HK_OBFDOM 2.5
> >> > 
> >> > body __hk_obfdomreq1 /\b(?:remove|replace)\b/i
> >> > body __hk_obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
> >> > meta HK_OBFDOMREQ (HK_OBFDOM && __hk_obfdomreq1 && __hk_obfdomreq2)
> >> > describe HK_OBFDOMREQ Request to modify obfuscated domain
> >> > score HK_OBFDOMREQ 2
> >> 
> >> Oops, "body HK_OBFDOM" being "uri HK_OBFDOM" of course..
> >> 
> >> Cheers,
> >> Henrik
> >> 
> Hi Henrik,
> 
> thanks a lot. I guess that the meta could use an || rather than &&; my samples all had "replace"
> but neither "address" nor "domain".

Actually, I'm not happy with that rule yet; it's pretty hard to think of all
the obfuscations without getting FPs. I'll try to tune it some more; now it
does generate some falses..

PS. You did have "*" in the samples though?

Cheers,
Henrik