On Monday, August 9, 2004, 3:37:56 PM, Jeff Chan wrote:
I'm thinking about dropping the TTL on the lists that had 6 and 8 hour TTLs down to 1 hour in order to get new entries active sooner. We have not tested this to see what effect it would have on traffic; that is an experiment we would still like to try with a range of different TTLs.
Does anyone have any objections to this? It would still be longer than the default 35 minute TTL that rbldnsd uses.
OK I'm going to go ahead and reduce the TTLs on the zones to one hour. That's for all zones other than sc.surbl.org which has a 10 minute TTL. It includes multi also.
Let's watch name server traffic and see if it changes much as a result. Of course it's a little difficult to measure this now since SpamAssassin 3.0 is also rolling out with SURBL support. But if DNS traffic goes up too much we can back this off.
I'd still like to experiment with shorter and longer TTLs at some point to try to optimize them further.
Jeff C.
I keep getting this "pesky" pron spam which gets past all my filters (my regex-based linguistic filter, my spamhaus.org RBL filter, and my SURBL filter).
I think that these are getting blocked the next day, but this particular spammer is very aggressive and keeps sending new stuff so I keep getting the new stuff before it gets a chance to get blocked.
I have noticed some patterns in the e-mails. For example, they all have three images stacked vertically. Therefore, I think that I should be able to catch these with the right formulation of rules within my linguistic filter.
You can find the raw contents of my most recent two of these as follows:
Does anyone have any suggestions? Note that I am not using SpamAssassin. I am using another program. However, if SpamAssassin already handles this, could someone point me to the rules that SpamAssassin uses so that I can use these as a guide? Any other suggestions?
Thanks!
Rob McEwen
Hi!
I have noticed some patterns in the e-mails. For example, they all have three images stacked vertically. Therefore, I think that I should be able to catch these with the right formulation of rules within my linguistic filter.
You can find the raw contents of my most recent two of these as follows:
What are the SA scores you got on these? Might tell much more. Could be your bayesian filters are doing this.
Bye, Raymond.
on Wed, Aug 11, 2004 at 09:01:58AM -0400, Rob McEwen wrote:
I keep getting this "pesky" pron spam which gets past all my filters (my regex-based linguistic filter, my spamhaus.org RBL filter, and my SURBL filter).
I think that these are getting blocked the next day, but this particular spammer is very aggressive and keeps sending new stuff so I keep getting the new stuff before it gets a chance to get blocked.
I have noticed some patterns in the e-mails. For example, they all have three images stacked vertically. Therefore, I think that I should be able to catch these with the right formulation of rules within my linguistic filter.
You can find the raw contents of my most recent two of these as follows:
1) don't accept mail from hosts with generic rDNS /HELO (e.g. CM-lconC3-160-147.cm.vtr.net) - that'll knock out 70% right away
2) this spamware follows a fairly predictable but randomized pattern:
Received: from %DOMAIN (%REALMXHOSTNAME [%REAL_IP_OF_MXHOST])
    by %HELO_OR_RDNS_OF_SENDING_HOST (Postfix) with ESMTP id %RANDOM
    for <$target>; %DATE
Message-ID: <%OUTLOOK_EXPRESS_MSG_ID@%DOMAIN>
From: "%WORD %LETTER. %WORD2" <%WORD3@%DOMAIN>
To: $target
Subject: %RANDOM_SUBJECT_CHOSEN_FROM_LIST
Date: %DATE
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="%OUTLOOK_EXPRESS_BOUNDARY"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
%RANDOM_ANTIVIRUS_HEADER
I'm having some success with some custom sendmail rulesets that use the various unix dictionaries to check %WORD, %WORD2, AND %WORD3. In the past, I've had some luck blocking on forged Received: headers, on From:s that match the pattern in messages sent from hosts with no rDNS, etc. (which only works for me because I block known generic rDNS).
These bastards have been joe'ing three or four of my domains for several months now, so I have a vested interest in seeing them die.
The other way to quarantine this particular spammer is to generate a domain list from this perl script and filter any reference to any of the domains found in it:
#!/usr/bin/perl
use strict;
use warnings;

# Name fragments seen in this spammer's domains; every domain is one
# fragment followed by another, under .org.
my @bits = ("akiana", "benoka", "bertikas", "biscama", "bortsimis", "enofakel",
            "enomy", "fagony", "fenium", "fikals", "frakles", "inacalo",
            "indakitos", "karantinas", "katanataro", "kitaros", "manics",
            "mipatarios", "neynano", "nimphos", "ownaros", "pazda", "pikas",
            "pitovshe", "poises", "polishe", "porchma", "potkasi", "pritkeras",
            "sayara", "simptomps", "sofikals", "sopinas", "tronits", "valdisimus",
            "xesros");

# Emit every front/back pairing, one domain per line.
foreach my $front (sort @bits) {
    foreach my $back (sort @bits) {
        print "$front$back.org\n";
    }
}
I'm pretty sure this is current. Additions welcome.
on Wed, Aug 11, 2004 at 11:43:43AM -0400, Steven Champeon wrote:
- this spamware follows a fairly predictable but randomized pattern:
Received: from %DOMAIN (%REALMXHOSTNAME [%REAL_IP_OF_MXHOST])
    by %HELO_OR_RDNS_OF_SENDING_HOST (Postfix) with ESMTP id %RANDOM
    for <$target>; %DATE
Message-ID: <%OUTLOOK_EXPRESS_MSG_ID@%DOMAIN>
From: "%WORD %LETTER. %WORD2" <%WORD3@%DOMAIN>
To: $target
Subject: %RANDOM_SUBJECT_CHOSEN_FROM_LIST
Date: %DATE
A couple of notes:
1) %DATE is the same in both the Date: header and the forged Received: "Postfix" header.
    for <munged>; Sun, 08 Aug 2004 20:30:57 -0500
Date: Sun, 08 Aug 2004 20:30:57 -0500
2) single-digit days are represented zero-padded.
Date: Sun, 08 Aug 2004 20:30:57 -0500
I dunno if that's usual or not. IME, the Date: header is often off by a second or two, or has a slightly different format/timezone/etc.
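The header fingerprint described in the two messages above (the Date: string copied verbatim into the forged "Postfix" Received: line, the zero-padded day, the "Word L. Word" From:, and a generic-looking rDNS name on the sending host), checked in code. This is an added example, not code from any of the posters: the two sample messages are invented (documentation-range hosts and addresses), the regexes are my own approximations of the patterns described, and the generic-rDNS test is a crude "two adjacent numeric labels" heuristic rather than anyone's production list.

```python
import email
import re

# Constructed sample shaped after the posted template: every hostname,
# address, id and domain here is invented for the example.
SPAM = "\n".join([
    "Received: from somedomain.org (mx.example.net [192.0.2.10])",
    "    by cm-10-2-0-192.cable.example.net (Postfix) with ESMTP id 3F2A1B7C",
    "    for <victim@example.net>; Sun, 08 Aug 2004 20:30:57 -0500",
    "Message-ID: <000a01c47da4$8b4e2f90$0100a8c0@somedomain.org>",
    'From: "Ruth M. Castillo" <ruth@somedomain.org>',
    "To: victim@example.net",
    "Subject: hello",
    "Date: Sun, 08 Aug 2004 20:30:57 -0500",
    "MIME-Version: 1.0",
    "Content-Type: text/plain",
    "",
    "body text",
    "",
])

# Constructed non-spam sample: a real MTA stamps its own clock on the
# Received: line, so it rarely equals the sender's Date: to the second.
HAM = "\n".join([
    "Received: from mail.example.org (mail.example.org [198.51.100.5])",
    "    by mx.example.net (Postfix) with ESMTP id 9C0D4E21",
    "    for <victim@example.net>; Mon, 9 Aug 2004 15:37:58 -0400",
    "From: Alice Example <alice@example.org>",
    "To: victim@example.net",
    "Subject: TTL change",
    "Date: Mon, 9 Aug 2004 15:37:56 -0400",
    "",
    "body text",
    "",
])

# Heuristics (my assumptions, not the posters' rules): a hostname with two
# adjacent numeric labels looks like generic consumer rDNS; the spamware's
# From: is "Word L. Word" <word@domain>; its dates zero-pad the day.
GENERIC_RDNS = re.compile(r"\d{1,3}[-.]\d{1,3}")
FROM_PATTERN = re.compile(r'^"[A-Za-z]+ [A-Za-z]\. [A-Za-z]+" <[^@\s]+@[^>\s]+>$')
ZERO_PADDED_DAY = re.compile(r"^[A-Za-z]{3}, 0\d [A-Za-z]{3} \d{4} ")


def _norm(value):
    """Collapse header folding and runs of whitespace to single spaces."""
    return " ".join(str(value).split())


def postfix_hop(msg):
    """Return (sending_host, timestamp) from the first Received: header
    claiming a Postfix hop, or None when there is no such header."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)\s+\(Postfix\)", rcvd)
        if m and ";" in rcvd:
            return m.group(1), _norm(rcvd.rsplit(";", 1)[1])
    return None


def analyze(raw):
    """Score one raw message against the fingerprint; returns a dict of
    named boolean hits so a caller can weight them in a compound rule."""
    msg = email.message_from_string(raw)
    hop = postfix_hop(msg)
    date_hdr = _norm(msg.get("Date", ""))
    from_hdr = _norm(msg.get("From", ""))
    return {
        # the forged Received: carries exactly the same string as Date:
        "date_copied_into_received": hop is not None and hop[1] == date_hdr,
        "zero_padded_day": bool(ZERO_PADDED_DAY.match(date_hdr)),
        "from_word_initial_word": bool(FROM_PATTERN.match(from_hdr)),
        "generic_rdns_sender": hop is not None and bool(GENERIC_RDNS.search(hop[0])),
    }


def suspicion_count(raw):
    """Number of fingerprint hits; a site would pick its own threshold."""
    return sum(analyze(raw).values())


if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, suspicion_count(raw), analyze(raw))
```

None of the four hits is conclusive on its own (plenty of legitimate mail zero-pads the day), which is why they are returned separately rather than collapsed into a verdict; the exact-equality test between the Received: timestamp and Date: is the strongest of the four, since a real MTA writes its own clock there.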
Stephen:
The following rule would have caught both of my sample spam messages. Would these catch the other spams you've seen from this spammer... or has he varied this up in other e-mails to prevent this rule (alone) from catching him:
(case sensitive) %LETTER</STRONG></BIG>,<STRONG><BIG>%LETTER</BIG></STRONG>]></FONT>
1) %LETTER = a random letter
2) everything else is literal
Also, I found that that domain script generated 1,300+ domains. I've decided that the added resources of checking each message for this many domains is not worth it based on how many will actually be caught. However, I might integrate this domain list "*namefromlist*.org" as a factor in a compound rule.
Rob McEwen
on Wed, Aug 11, 2004 at 12:34:48PM -0400, Rob McEwen wrote:
Stephen:
The following rule would have caught both of my sample spam messages. Would these catch the other spams you've seen from this spammer... or has he varied this up in other e-mails to prevent this rule (alone) from catching him:
(case sensitive) %LETTER</STRONG></BIG>,<STRONG><BIG>%LETTER</BIG></STRONG>]></FONT>
- %LETTER = a random letter
- everything else is literal
Only matched 7 out of the 100 copies I have in my corpus here.
<BIG><STRONG> matched 218 occurrences, <STRONG><BIG> matched 181 lines. Both matched 89 of the 100.
Also, I found that that domain script generated 1,300+ domains. I've decided that the added resources of checking each message for this many domains is not worth it based on how many will actually be caught. However, I might integrate this domain list "*namefromlist*.org" as a factor in a compound rule.
Well, that is, of course, why SURBL is around, right? You don't check the entire list of domains, you find domains in the body (every one I've seen has had only the one) and then check against the list.
you find domains in the body (every one I've seen has had only the one) and then check against the list.
Good point.
But I'm using a filter that someone else programmed. They did include a tremendous amount of flexibility via XML config files. However, I don't have direct access to the list of extracted domains and I can't do everything as I don't have the source code. Also, I think that much of the filtering rules proceed even if a rule had already caught something... (But I'll have to look into this to be sure). Thanks for the suggestion anyway.
Rob McEwen PowerView Systems rob@PowerViewSystems.com (478) 475-9032
I'm going to try the following rule:
Must match at least ONE of the following 3 expressions:
From: "[-._\w]* \w\. [-._\w]*" <[-._\w]*@[-._\w]*\w\.\w{2,3}>
...or...
<BIG><STRONG>
...or...
<STRONG><BIG>
(the last two of these being case sensitive)
...AND...
...must match at least one of the following:
[-._\w]*akiana[-._\w]*\.org
[-._\w]*benoka[-._\w]*\.org
[-._\w]*bertikas[-._\w]*\.org
[-._\w]*biscama[-._\w]*\.org
[-._\w]*bortsimis[-._\w]*\.org
[-._\w]*enofakel[-._\w]*\.org
[-._\w]*enomy[-._\w]*\.org
[-._\w]*fagony[-._\w]*\.org
[-._\w]*fenium[-._\w]*\.org
[-._\w]*fikals[-._\w]*\.org
[-._\w]*frakles[-._\w]*\.org
[-._\w]*inacalo[-._\w]*\.org
[-._\w]*indakitos[-._\w]*\.org
[-._\w]*karantinas[-._\w]*\.org
[-._\w]*katanataro[-._\w]*\.org
[-._\w]*kitaros[-._\w]*\.org
[-._\w]*manics[-._\w]*\.org
[-._\w]*mipatarios[-._\w]*\.org
[-._\w]*neynano[-._\w]*\.org
[-._\w]*nimphos[-._\w]*\.org
[-._\w]*ownaros[-._\w]*\.org
[-._\w]*pazda[-._\w]*\.org
[-._\w]*pikas[-._\w]*\.org
[-._\w]*pitovshe[-._\w]*\.org
[-._\w]*poises[-._\w]*\.org
[-._\w]*polishe[-._\w]*\.org
[-._\w]*porchma[-._\w]*\.org
[-._\w]*potkasi[-._\w]*\.org
[-._\w]*pritkeras[-._\w]*\.org
[-._\w]*sayara[-._\w]*\.org
[-._\w]*simptomps[-._\w]*\.org
[-._\w]*sofikals[-._\w]*\.org
[-._\w]*sopinas[-._\w]*\.org
[-._\w]*tronits[-._\w]*\.org
[-._\w]*valdisimus[-._\w]*\.org
[-._\w]*xesros[-._\w]*\.org
I believe that this will catch all of them without any reasonable chance of getting a false positive.
Rob McEwen
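Steven's point that you do not run 1,296 domain patterns over every message but extract the handful of hostnames it actually contains and look each one up, combined with Rob's final compound rule (From: pattern or one of the markup pairs, AND a listed domain), as an added example that is not code from either poster. The fragment list is the one from the perl script in the thread; the hostname regex, the "last two labels" base-domain rule, and both sample messages (invented people, addresses and URLs) are my own assumptions.

```python
import re

# The 36 name fragments from the perl script posted earlier in the thread;
# the spammer's domains are any two of them concatenated under .org.
BITS = [
    "akiana", "benoka", "bertikas", "biscama", "bortsimis", "enofakel",
    "enomy", "fagony", "fenium", "fikals", "frakles", "inacalo",
    "indakitos", "karantinas", "katanataro", "kitaros", "manics",
    "mipatarios", "neynano", "nimphos", "ownaros", "pazda", "pikas",
    "pitovshe", "poises", "polishe", "porchma", "potkasi", "pritkeras",
    "sayara", "simptomps", "sofikals", "sopinas", "tronits", "valdisimus",
    "xesros",
]
# Build the full set once; membership is then a hash lookup per hostname.
LISTED = {f"{front}{back}.org" for front in BITS for back in BITS}

# Anything that looks like a dotted hostname, in headers or body (assumption:
# good enough for this spammer, who puts plain http:// links in the body).
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
# Rob's From: pattern with the dots escaped so they match a literal period.
FROM_RE = re.compile(
    r'^From: "[-._\w]* \w\. [-._\w]*" <[-._\w]*@[-._\w]*\w\.\w{2,3}>$', re.M)
MARKUP = ("<BIG><STRONG>", "<STRONG><BIG>")  # case sensitive, as Rob specified


def base_domain(host):
    """Registered domain as a SURBL-style lookup keys on: the last two
    labels (fine for .org; a real implementation needs a public-suffix table)."""
    return ".".join(host.lower().split(".")[-2:])


def listed_domains(raw):
    """Extract every hostname in the message and look each base domain up
    in the set, instead of matching 1,296 regexes against the message."""
    return {base_domain(h) for h in HOSTNAME_RE.findall(raw)} & LISTED


def compound_rule(raw):
    """Rob's rule: (From: pattern OR a markup pair) AND a listed domain.
    Returns (matched, domains_hit) so the hit can be logged."""
    header_or_markup = bool(FROM_RE.search(raw)) or any(m in raw for m in MARKUP)
    hits = listed_domains(raw)
    return header_or_markup and bool(hits), hits


# Constructed samples; the people, addresses and URLs are invented.
SPAM = "\n".join([
    'From: "Ruth M. Castillo" <ruth@pikasfenium.org>',
    "To: victim@example.net",
    "Subject: hello",
    "Content-Type: text/html",
    "",
    "<FONT><BIG><STRONG>a</STRONG></BIG>,<STRONG><BIG>b</BIG></STRONG>]></FONT>",
    '<a href="http://www.pikasfenium.org/in.php">click</a>',
    "",
])
# Has the markup pair but no listed domain, so the AND must reject it.
HAM = "\n".join([
    "From: Alice Example <alice@example.org>",
    "To: victim@example.net",
    "Subject: SURBL TTLs",
    "",
    "<BIG><STRONG>Note:</STRONG></BIG> zones now have a 1 hour TTL, see",
    "http://www.surbl.org/ for details.",
    "",
])

if __name__ == "__main__":
    print(len(LISTED), compound_rule(SPAM), compound_rule(HAM))
```

The set lookup is what makes the domain half of the rule cheap regardless of how many fragments the spammer adds: the cost is one regex pass to pull hostnames out of the message plus one hash probe per hostname, not one pattern per listed domain.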