
Mailing List Archive: SpamAssassin: users

porn portal spammers v2



licks0resa at hotmail

Sep 25, 2009, 12:30 AM

Post #1 of 8 (614 views)
porn portal spammers v2

Dear all,

As usual, spammers improved and instead of receiving profiles|groups|personnal.yahoo.com links, now, I'm being hit with www.google.com/reader links.
(ie : <A href=3D"http://www.google.com/reader/item/tag:google.com,2005:reader/ite=m/69a282969886af5e">Haste to come</A></FONT></DIV>)

I took the first rule submitted by SQL student (which worked great) and updated to this kind of google links :

uri LOC_GOOGLE /^http:\/\/www.google[.,]com\/(reader)/i
score LOC_GOOGLE 0 2.2 0 2.2
describe LOC_GOOGLE Contains google.com/reader uri

Comments are welcome, this is the first rule I share with the SA community here :)

cheers,
Guillaume



_________________________________________________________________
Switzerland gets more space! Your 25 GB virtual hard drive with Windows Live SkyDrive.
http://skydrive.live.com


Dan.McDonald at austinenergy

Sep 25, 2009, 4:22 AM

Post #2 of 8 (591 views)
Re: porn portal spammers v2 [In reply to]

On Fri, 2009-09-25 at 09:30 +0200, Guillaume Gelle wrote:
> Dear all,
>
> As usual, spammers improved and instead of receiving profiles|groups|
> personnal.yahoo.com links, now, I'm being hit with
> www.google.com/reader links.
> (ie : <A
> href=3D"http://www.google.com/reader/item/tag:google.com,2005:reader/ite=m/69a282969886af5e">Haste to come</A></FONT></DIV>)
>
> I took the first rule submitted by SQL student (which worked great)
> and updated to this kind of google links :
>
> uri LOC_GOOGLE /^http:\/\/www.google[.,]com\/(reader)/i

Why the parentheses? You only have one option, so parentheses are just
additional logic. You've also used the wrong sort of parentheses - (?:)
should be used to avoid enabling backtracking, since backtracking causes
significant performance impact...

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Attachments: signature.asc (0.19 KB)


licks0resa at hotmail

Sep 25, 2009, 11:26 AM

Post #3 of 8 (578 views)
RE: porn portal spammers v2 [In reply to]

That's right, I should have removed the parentheses; they serve no purpose here. It's more in case something comes later and adds a "|" after reader, etc.



Don't know what you mean by (?:) and backtracking tho, I'll double check the wiki page about syntax ;)



Thanks,

Guillaume






> Subject: Re: porn portal spammers v2
> Date: Fri, 25 Sep 2009 06:22:03 -0500
> From: Dan.McDonald [at] austinenergy
> To: users [at] spamassassin
>
> On Fri, 2009-09-25 at 09:30 +0200, Guillaume Gelle wrote:
> > Dear all,
> >
> > As usual, spammers improved and instead of receiving profiles|groups|
> > personnal.yahoo.com links, now, I'm being hit with
> > www.google.com/reader links.
> > (ie : <A
> > href=3D"http://www.google.com/reader/item/tag:google.com,2005:reader/ite=m/69a282969886af5e">Haste to come</A></FONT></DIV>)
> >
> > I took the first rule submitted by SQL student (which worked great)
> > and updated to this kind of google links :
> >
> > uri LOC_GOOGLE /^http:\/\/www.google[.,]com\/(reader)/i
>
> Why the parentheses? You only have one option, so parentheses are just
> additional logic. You've also used the wrong sort of parentheses - (?:)
> should be used to avoid enabling backtracking, since backtracking causes
> significant performance impact...
>
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
> www.austinenergy.com

_________________________________________________________________
Hotmail: the new anti-spam technology helps block unwanted messages; here you can adjust your Spam filter.
http://mail.live.com/mail/options.aspx?subsection=4


jhardin at impsec

Sep 25, 2009, 11:37 AM

Post #4 of 8 (579 views)
RE: porn portal spammers v2 [In reply to]

On Fri, 25 Sep 2009, Guillaume Gelle wrote:

> Don't know what you mean by (?:) and backtracking tho, I'll double check
> the wiki page about syntax ;)

Try this:

uri URI_GOOG_READER m;^https?://(?:www\.)?google[\.,]com/reader/;i

>> On Fri, 2009-09-25 at 09:30 +0200, Guillaume Gelle wrote:
>>
>>> now, I'm being hit with www.google.com/reader links. (ie : <A
>>> href=3D"http://www.google.com/reader/item/tag:google.com,2005:reader/ite=m/69a282969886af5e">Haste
>>> to come</A></FONT></DIV>)
>>>
>>> I took the first rule submitted by SQL student (which worked great)
>>> and updated to this kind of google links :
>>>
>>> uri LOC_GOOGLE /^http:\/\/www.google[.,]com\/(reader)/i

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Vista: Windows ME for the XP generation.
-----------------------------------------------------------------------
Approximately 8856840 firearms legally purchased in the U.S. this year


guenther at rudersport

Sep 26, 2009, 3:39 AM

Post #5 of 8 (576 views)
RE: porn portal spammers v2 [In reply to]

On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
> On Fri, 25 Sep 2009, Guillaume Gelle wrote:
>
> > Don't know what you mean by (?:) and backtracking tho, I'll double check
> > the wiki page about syntax ;)

The (?:foo|bar) is a non-capturing, pure alternation, indicated by
the ?: after the opening parenthesis -- whereas the () form does capture
the match for later access. Needless in this case.

Oh, and Dan probably meant to say capturing, instead of backtracking.


> Try this:
> uri URI_GOOG_READER m;^https?://(?:www\.)?google[\.,]com/reader/;i

Thanks for getting rid of the fences. :) One of the notes I was about
to say. If your RE is going to contain literal slashes, use the generic
m// with custom delimiters, rather than the // shortcut.

Another note which I've seen here before: Drop the [.,] for the host
part of a uri rule. It's not a URI if it contains a comma, it'll be the
dot.

(And you don't need to escape the dot in a char [class] anyway. :)


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
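A small checker, added here as an example and not taken from the thread or from SpamAssassin itself: it parses both rule lines quoted above (the // shortcut form and the m;; form with custom delimiters), maps the Perl flags onto Python's re (assuming these patterns behave the same in both engines, which they do for this syntax), and runs each rule over constructed URIs to show what the capturing vs. non-capturing group, the optional www, the trailing slash and the comma in the host class actually change.

```python
import re

# Rule lines as they appear in the thread: Guillaume's original and John Hardin's rewrite.
RULE_ORIGINAL = r"uri LOC_GOOGLE /^http:\/\/www.google[.,]com\/(reader)/i"
RULE_REVISED = r"uri URI_GOOG_READER m;^https?://(?:www\.)?google[\.,]com/reader/;i"

# Constructed sample URIs, modelled on the spam link quoted in the thread.
SAMPLE_URIS = [
    "http://www.google.com/reader/item/tag:google.com,2005:reader/item/69a282969886af5e",
    "https://google.com/reader/view/",        # no www, https: only the rewrite matches
    "http://www.google.com/reader",           # no trailing slash: only the original matches
    "http://www.google.com/search?q=reader",  # 'reader' outside the path prefix: neither
    "http://www.google,com/reader/x",         # comma host: both regexes match, but as noted
]                                             # above such a string is not a URI at all

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_uri_rule(line):
    """Split 'uri NAME /re/flags' or 'uri NAME m<d>re<d>flags' into (name, compiled re).
    Only the i/m/s/x flags are mapped; the pattern is handed to Python's re as-is
    apart from unescaping \\/, which is only needed inside // delimiters."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] != "uri":
        raise ValueError("not a uri rule: %r" % line)
    name, body = parts[1], parts[2].strip()
    if body.startswith("m") and len(body) > 1:   # generic m;...; form, any delimiter
        delim, body = body[1], body[2:]
    elif body.startswith("/"):                   # // shortcut form
        delim, body = "/", body[1:]
    else:
        raise ValueError("unsupported delimiter in: %r" % line)
    end = body.rfind(delim)
    if end < 0:
        raise ValueError("unterminated regex in: %r" % line)
    pattern, flag_chars = body[:end], body[end + 1:]
    if delim == "/":
        pattern = pattern.replace(r"\/", "/")
    flags = 0
    for ch in flag_chars:
        flags |= _FLAGS[ch]
    return name, re.compile(pattern, flags)


def evaluate(rule_line, uris=SAMPLE_URIS):
    """Return {uri: matched} for one rule over the sample URIs."""
    _, rx = parse_uri_rule(rule_line)
    return {u: bool(rx.search(u)) for u in uris}


def capture_groups(rule_line):
    """1 for the original's (reader), 0 for the (?:www\\.)? rewrite."""
    return parse_uri_rule(rule_line)[1].groups
```

Note that the rewrite requires a slash after reader, so a bare http://www.google.com/reader would slip past it while the original still catches it; whether that matters depends on what the spam actually carries.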


jhardin at impsec

Sep 26, 2009, 9:25 AM

Post #6 of 8 (568 views)
RE: porn portal spammers v2 [In reply to]

On Sat, 26 Sep 2009, Karsten Bräckelmann wrote:

> On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
>
>> Try this:
>> uri URI_GOOG_READER m;^https?://(?:www\.)?google[\.,]com/reader/;i
>
> Another note which I've seen here before: Drop the [.,] for the host
> part of a uri rule. It's not a URI if it contains a comma, it'll be the
> dot.

I was wondering about that, and assumed Guillaume included it because a
comma had actually appeared in spams.

Guillaume, did "google,com" actually appear in spams? If not, why did you
include google[dot-or-comma]com in your rule?

> (And you don't need to escape the dot in a char [class] anyway. :)

Habit. :)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
North Korea: the only country in the world where people would risk
execution to flee to communist China. -- Ride Fast
-----------------------------------------------------------------------
Approximately 8887200 firearms legally purchased in the U.S. this year


Dan.McDonald at austinenergy

Sep 28, 2009, 5:20 AM

Post #7 of 8 (552 views)
RE: porn portal spammers v2 [In reply to]

On Sat, 2009-09-26 at 09:25 -0700, John Hardin wrote:
> On Sat, 26 Sep 2009, Karsten Bräckelmann wrote:
>
> > On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
> > Another note which I've seen here before: Drop the [.,] for the host
> > part of a uri rule. It's not a URI if it contains a comma, it'll be the
> > dot.
>
> I was wondering about that, and assumed Guillaume included it because a
> comma had actually appeared in spams.
>
> Guillaume, did "google,com" actually appear in spams? If not, why did you
> include google[dot-or-comma]com in your rule?

Even if it did, you could only find those with a body rule, not a uri
rule, since the parser won't pick up example,com as a uri.

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Attachments: signature.asc (0.19 KB)


jhardin at impsec

Sep 28, 2009, 6:55 AM

Post #8 of 8 (548 views)
RE: porn portal spammers v2 [In reply to]

On Mon, 28 Sep 2009, McDonald, Dan wrote:

> On Sat, 2009-09-26 at 09:25 -0700, John Hardin wrote:
>> On Sat, 26 Sep 2009, Karsten Bräckelmann wrote:
>>
>>> On Fri, 2009-09-25 at 11:37 -0700, John Hardin wrote:
>>> Another note which I've seen here before: Drop the [.,] for the host
>>> part of a uri rule. It's not a URI if it contains a comma, it'll be the
>>> dot.
>>
>> I was wondering about that, and assumed Guillaume included it because a
>> comma had actually appeared in spams.
>>
>> Guillaume, did "google,com" actually appear in spams? If not, why did you
>> include google[dot-or-comma]com in your rule?
>
> Even if it did, you could only find those with a body rule, not a uri
> rule, since the parser won't pick up example,com as a uri.

D'oh!

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government wants to do everything it can "for the children,"
except sparing them crushing tax burdens.
-----------------------------------------------------------------------
Approximately 8949300 firearms legally purchased in the U.S. this year
