Posted to users@spamassassin.apache.org by JPP100 <jp...@frws.com> on 2009/12/30 18:49:43 UTC

A little help with a local.cf rule... please!

Hey Folks,

We are using SA 3.2.5, MailScanner (Latest) and ClamAV on a Fedora 10
server.

This question is in regards to the latest round of our favorite Hotmail
SPAM...
Trying to write a rule in local.cf to trap them as 99.9999999% of them have
these characteristics in the URLs in the emails (and some are getting
through):

1. English URL
2. Double words separated with a '-'
3. Rarely a 'www' at the front - usually 4 or more random letters
4. Always (for now) 4 numbers at the end
Example:
http://llhti.tour-traveled.com/4651/

And as a PS, they are all new domains registered by/in China. Likely due to
China's change in their registrar laws regarding .cn domains - so now we get
.com domains instead. Gotta love it. Anyways, I digress!

Example email body:


Do you identify me on that picture?

http://llhti.tour-traveled.com/4651/

Tracy.

## End example (there is also usually an HTML portion too, but I am
concentrating on the plain text part)

So my rule:
# hotmail drug spam
uri             MY_HOTMAIL_SPAM
m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
describe     MY_HOTMAIL_SPAM Druggy hotmail.com links
score         MY_HOTMAIL_SPAM 5.0

And running emails through it using -D, it does not hit it as far as I can
tell - scores 3.5 due to other tests.
Yes, it IS reading it because if I mess with the rule and make it have bad
syntax, SA --lint complains loudly. Right now, no complaints - and no
results.
Any ideas? Suggestions?

Thanks!
JPP
-- 
View this message in context: http://old.nabble.com/A-little-help-with-a-local.cf-rule...-please%21-tp26970283p26970283.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: A little help with a local.cf rule... please!

Posted by Michael Alan Dorman <md...@ironicdesign.com>.
> So my rule:
> # hotmail drug spam
> uri             MY_HOTMAIL_SPAM
> m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
> describe     MY_HOTMAIL_SPAM Druggy hotmail.com links
> score         MY_HOTMAIL_SPAM 5.0
> 
> And running emails through it using -D, it does not hit it as far as
> I can tell - scores 3.5 due to other tests.
> Yes, it IS reading it cause if I mess with the rule and make it have
> bad syntax, SA --lint complains loudly. Right now, no complaints -
> and no results.
> Any ideas? Suggestions?

//{1,30} matches a slash, followed by 1-30 more slashes.
\.{1,30} matches 1-30 periods.

I think you forgot a \S or something before each of those.  Also,
[0-9]{4} would do what you want for numeric component.  And I think you
want the i *after* the bracket, no?

Mike.

Re: A little help with a local.cf rule... please!

Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Dec 2009, Bowie Bailey wrote:

> m{https?://[a-z]{1,30}\.[a-z]{1,30}-[a-z]{1,30}\.(com|ru|cn)/\d{4}/}i

You might want to reconsider using {} as RE delimiters if the RE itself 
contains {} elements. If it works, fine, but it's very visually confusing.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
  82 days since President Obama won the Nobel "Not George W. Bush" prize

Re: A little help with a local.cf rule... please!

Posted by JPP100 <jp...@frws.com>.

Bowie Bailey wrote:
> 
> JPP100 wrote:
>>
>> 1. English URL
>> 2. Double words separated with a '-'
>> 3. Rarely a 'www' at the front - usually 4 or more random letters
>> 4. Always (for now) 4 numbers at the end
>> Example:
>> http://llhti.tour-traveled.com/4651/
>>
>> So my rule:
>> # hotmail drug spam
>> uri             MY_HOTMAIL_SPAM
>> m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
>> describe     MY_HOTMAIL_SPAM Druggy hotmail.com links
>> score         MY_HOTMAIL_SPAM 5.0
>>   
> 
> Your rule specifies 1-30 slashes followed by 1-30 periods.  Try this one
> instead:
> 
> m{https?://[a-z]{1,30}\.[a-z]{1,30}-[a-z]{1,30}\.(com|ru|cn)/\d{4}/}i
> 
> (I assume you intended the 'i' at the end to be a case-insensitive
> setting and not part of the regex)
> 
> -- 
> Bowie
> 
> 

Thank you! And yes, the 'i' was meant as 'case insensitive'. I changed the
rule and will see how it goes. I am an old school Procmail person and
sometimes these mixed rules drive me nuts and are not intuitive (yet). I
will get there.

I am surprised that some of the other SPAM based systems have not caught
these yet, as obvious as they seem to be (i.e. ClamAV SPAM lists, etc etc).

Will let you know. Thanks again.

JPP
-- 
View this message in context: http://old.nabble.com/A-little-help-with-a-local.cf-rule...-please%21-tp26970283p26970489.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: A little help with a local.cf rule... please!

Posted by Bowie Bailey <Bo...@BUC.com>.
JPP100 wrote:
>
> 1. English URL
> 2. Double words separated with a '-'
> 3. Rarely a 'www' at the front - usually 4 or more random letters
> 4. Always (for now) 4 numbers at the end
> Example:
> http://llhti.tour-traveled.com/4651/
>
> So my rule:
> # hotmail drug spam
> uri             MY_HOTMAIL_SPAM
> m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
> describe     MY_HOTMAIL_SPAM Druggy hotmail.com links
> score         MY_HOTMAIL_SPAM 5.0
>   

Your rule specifies 1-30 slashes followed by 1-30 periods.  Try this one
instead:

m{https?://[a-z]{1,30}\.[a-z]{1,30}-[a-z]{1,30}\.(com|ru|cn)/\d{4}/}i

(I assume you intended the 'i' at the end to be a case-insensitive
setting and not part of the regex)

-- 
Bowie
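A quick way to see why the original rule never fires and Bowie's rewrite does is to run both regexes against the sample URI outside SpamAssassin. The script below is an added example, not code from the thread: it strips the `m{...}` delimiters and trailing flags from a `uri` rule body and applies the pattern with Python's `re` (an assumption: these particular patterns behave the same under Perl and Python), which stands in for SA applying the rule to each URI it extracts from the message body.

```python
import re

# Constructed sample URI, taken from the example spam body in the thread
SAMPLE_URI = "http://llhti.tour-traveled.com/4651/"

# The original rule body. '//{1,30}' quantifies the second slash (1-30 more
# slashes) and '\.{1,30}' quantifies the dot, so nothing can match the
# hostname letters, and the trailing 'i' is part of the pattern, not a flag.
BROKEN_RULE = r"m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}"

# Bowie Bailey's corrected rule: letters before each dot, a hyphenated
# double word in the second label, \d{4} for the numeric part, and the
# 'i' placed after the closing delimiter where it acts as a flag.
FIXED_RULE = r"m{https?://[a-z]{1,30}\.[a-z]{1,30}-[a-z]{1,30}\.(com|ru|cn)/\d{4}/}i"


def parse_uri_rule(rule_body):
    """Split an SA rule body of the form m{pattern}flags into
    (pattern, case_insensitive). Only the m{...} delimiter form used in
    this thread is handled (assumption for this example)."""
    m = re.fullmatch(r"m\{(.*)\}([a-z]*)", rule_body, re.DOTALL)
    if not m:
        raise ValueError("unsupported rule body: " + rule_body)
    pattern, flags = m.group(1), m.group(2)
    return pattern, "i" in flags


def rule_hits(rule_body, uri):
    """Return True if the rule's pattern matches the given URI, honouring
    a trailing /i flag the way SpamAssassin would."""
    pattern, ignorecase = parse_uri_rule(rule_body)
    flags = re.IGNORECASE if ignorecase else 0
    return re.search(pattern, uri, flags) is not None


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(name, "hits" if rule_hits(rule, SAMPLE_URI) else "misses", SAMPLE_URI)
```

Running it shows the original rule missing the sample URI while the corrected one hits it (and still hits an upper-cased copy because of the flag); a URI without the hyphenated double word in the hostname is not matched, which is the discriminating feature the rule relies on.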