Posted to users@spamassassin.apache.org by Sergio <se...@gmail.com> on 2011/11/21 21:46:35 UTC

In subject how to detect a word in an EVAL string?

I block a lot of spam searching for strings on the subject, but sometimes
the subject in the header comes in EVAL, like this:
Subject:
=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=

So, rules like this don't work:
header   ADVERTISE_RULE8    Subject =~ /Publici dad/i
describe ADVERTISE_RULE8    Encripted word
score    ADVERTISE_RULE8    11

Here is a copy of the full header:

************************************
Received: from 50.22.109.145-static.reverse.softlayer.com ([50.22.109.145]
helo=fievel.principalesperu.biz)
     by xxxxxxxxxxxxx with esmtps (TLSv1:AES256-SHA:256)
     (Exim 4.69)
     (envelope-from <BT...@claro.com.pe>)
     id 1RSZBF-0001v0-FF
     for xxxxxxxxxxxxx; Mon, 21 Nov 2011 13:05:25 -0600
Received: from [190.81.230.105] (helo=microsof-c7b2c4)
     by fievel.principalesperu.biz with esmtpa (Exim 4.69)
     (envelope-from <BT...@claro.com.pe>)
     id 1RSZAv-0007RN-GC; Mon, 21 Nov 2011 13:05:14 -0600
Message-ID: <C8...@microsof-c7b2c4>
Reply-To: =?iso-8859-1?B?Q0FOQVNUQVMgTkFWSURF0UFTXw==?= <
canastasvirtuales2@terra.com.pe>
From: =?iso-8859-1?B?Q0FOQVNUQVMgTkFWSURF0UFTXw==?= <BToEvEvhWs@claro.com.pe
>
To: <as...@claro.com.pe>
Subject:
=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
Date: Mon, 21 Nov 2011 14:04:43 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
     Type="multipart/alternative";
     boundary="----=_NextPart_000_0550_01CCA856.84E55E60"

************************************

Is there a way to decode the subject and find the word that I need to
score?

Regards,

Sergio Cabrera

Re: In subject how to detect a word in an EVAL string?

Posted by rv...@unimet.edu.ve.
That's an excellent question. My systems receive this as well 


Re: In subject how to detect a word in an EVAL string?

Posted by Benny Pedersen <me...@junc.org>.
On Mon, 21 Nov 2011 14:46:35 -0600, Sergio wrote:
> 
> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=

plain ascii fooled with iso-8859-1

> Is there a way to decode the subject and found the word that I need 
> to
> score?

ripmime -i spam.msg -d .

> Links:
> ------
> [1] http://50.22.109.145-static.reverse.softlayer.com
> [2] http://fievel.principalesperu.biz
> [3] mailto:BToEvEvhWs@claro.com.pe
> [4] http://fievel.principalesperu.biz
> [5] mailto:BToEvEvhWs@claro.com.pe
> [6] mailto:canastasvirtuales2@terra.com.pe
> [7] mailto:BToEvEvhWs@claro.com.pe
> [8] mailto:asqeyi@claro.com.pe


Re: In subject how to detect a word in an EVAL string?

Posted by Sergio <se...@gmail.com>.
Spammers are using a lot of different ways of using the word "publicidad",
I had a few different rules to block them, but now I saw that there
was a character "¡" used as an "i" and at the same time an "i " followed by a
space.

So, I used the .?. and it catches the "i" and the space and just in case
the spammer tries to use "publi ci dad" it will be caught as well. In my
RegEx editor it passes the test.

About the word "publicidad": on my server not many people use that word and
that is why I can block it.

Sergio

Re: In subject how to detect a word in an EVAL string?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2011-11-21 at 17:49 -0600, Sergio wrote:
> Thank you Karsten for your input.
> 
> I have modified the rule to the following and is working great:
> 
> header   ADVERTISE_RULE8    Subject =~ /publ.?.c.?.dad/i

I see you wildcarded both instances of 'i', with an additional, optional
second char each. However, you also dropped the space in "publici dad"
as per your original rule -- intended?

Doesn't "publicidad" have a more general meaning, too?

> If I see there are a lot of false positives I will modify it a bit,
> but for now it is what I was looking for.

Again, I strongly recommend to lower the score. And, of course to add a
\b word boundary at the beginning and end of the pattern.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: In subject how to detect a word in an EVAL string?

Posted by Sergio <se...@gmail.com>.
Thank you Karsten for your input.

I have modified the rule to the following and is working great:

header   ADVERTISE_RULE8    Subject =~ /publ.?.c.?.dad/i
describe ADVERTISE_RULE8    Encripted word
score    ADVERTISE_RULE8    11

If I see there are a lot of false positives I will modify it a bit, but for
now it is what I was looking for.

Regards,

Sergio

Re: In subject how to detect a word in an EVAL string?

Posted by Sergio <se...@gmail.com>.
Thank you Benny,
I will use this command next time.

Sergio


By the way your links are very accurate, those are the spammers that sent
the email, with my new rule they are

Re: In subject how to detect a word in an EVAL string?

Posted by Benny Pedersen <me...@junc.org>.
On Mon, 21 Nov 2011 22:32:42 +0100, Karsten Bräckelmann wrote:
>> 
>> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=
>
> Not "eval", but encoded -- in this case even necessary, rather than 
> an
> attempt at obfuscation, because it contains non ASCII letters.

yep, it's a base64 encoded string between the last two ?

?B? is the sign in a MIME header for base64

?Q? quoted-printable

but use ripmime :-)

and create rules from the output

Re: In subject how to detect a word in an EVAL string?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2011-11-21 at 14:46 -0600, Sergio wrote:
> I block a lot of spam searching for strings on the subject, but
> sometimes the subject in the header comes in EVAL, like this:
> Subject:
> =?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?=

Not "eval", but encoded -- in this case even necessary, rather than an
attempt at obfuscation, because it contains non ASCII letters.

Anyway, SA *does* decode the header value by default, unless you use
the :raw qualifier.


> So, rules like this doesn't work:
> header   ADVERTISE_RULE8    Subject =~ /Publici dad/i

It doesn't work, because one of these chars is not an 'i'. The Subject
decodes to:
  .Venta de CANASTAS NAVIDE_AS - publ_ci dad

This is actually directly extracted from SA debugging, and thus decoded
by SA. Note the underscores, which I used in place of the two non-ASCII
chars.

Your rule does not match, because the first 'i' is not. Using the /./
"any char" instead of it works.


> score    ADVERTISE_RULE8    11

That's a rather high score. And your RE sure could use some /\b/ word
boundaries at the beginning and end of the match.

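As an added illustration of the two points made in this thread (Karsten's: SA matches against the decoded Subject, not the raw encoded-word, unless :raw is used; Benny's: ?B? is base64 and ?Q? is quoted-printable), here is a small Python RFC 2047 decoder with the rule variants from the thread run against the thread's own Subject. This is example code written for this page, not SpamAssassin's implementation; the ?Q? sample and the extra test strings are constructed.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=   (B = base64, Q = quoted-printable)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")

# Sample header values: the Subject from the thread, plus a constructed ?Q? form of its tail.
SUBJECT_B = "=?iso-8859-1?B?LlZlbnRhIGRlIENBTkFTVEFTIE5BVklERdFBUyAtIHB1YmyhY2kgZGFk?="
SUBJECT_Q = "=?iso-8859-1?Q?publ=A1ci_dad?="


def decode_header_value(value):
    """Decode every encoded-word in a header value (what SA does before matching a header rule)."""
    # Whitespace between two adjacent encoded-words is not part of the text (RFC 2047, 6.2).
    value = re.sub(r"\?=[ \t\r\n]+=\?", "?==?", value)

    def repl(m):
        charset = m.group(1).split("*")[0]        # drop an optional RFC 2231 language tag
        enc, payload = m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(payload)
        else:
            # header=True turns "_" into a space, as ?Q? requires
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")

    return ENCODED_WORD.sub(repl, value)


# Sergio's first rule, his revised rule, and the revised rule with Karsten's \b boundaries.
RULES = {
    "original": re.compile(r"Publici dad", re.I),
    "revised": re.compile(r"publ.?.c.?.dad", re.I),
    "bounded": re.compile(r"\bpubl.?.c.?.dad\b", re.I),
}


def rule_hits(header_value):
    """Decode the header value, then report which rules match it, keyed by rule name."""
    decoded = decode_header_value(header_value)
    return {name: rx.search(decoded) is not None for name, rx in RULES.items()}


if __name__ == "__main__":
    print(repr(decode_header_value(SUBJECT_B)))   # the "¡" and "Ñ" Karsten replaced with "_"
    print(rule_hits(SUBJECT_B))
```

The bounded rule still matches the plain word "publicidad", which is Karsten's point about the word's general meaning, while the \b keeps it from firing inside a longer token.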