EMERGENCY RULE: porntube redirect


EMERGENCY RULE: porntube redirect

by Yet Another Ninja

Guys, you're being hit with hacked web site URIs showing up in a heavy
spam flood. I see Uribl.com got most of them, but in case:

rawbody  GMD_R_DOT_HTML /\/r\.html$/
describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
score GMD_R_DOT_HTML  3.5

Note: making it an uri rule doesn't hit them all.

enjoy



Re: EMERGENCY RULE: porntube redirect

by Jeff Chan

On Thursday, June 19, 2008, 7:33:44 AM, Yet Ninja wrote:
> Guys, you're being hit with hacked web site URIs showing up in a heavy
> spam flood. I see Uribl.com got most of them, but in case:

> rawbody  GMD_R_DOT_HTML /\/r\.html$/
> describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> score    GMD_R_DOT_HTML  3.5

> Note: making it an uri rule doesn't hit them all.

> enjoy

It and video.exe are Storm.

Jeff C.
--
Jeff Chan
mailto:jeffc@...
http://www.surbl.org/


Making SA exposed to flood, stretch test for SA

by NGSS

Is there a good way to make SA exposed to a spam flood, preferably with a wide
variety of different spam patterns, to check/measure how well the rule sets work
against them?


Re: EMERGENCY RULE: porntube redirect

by Justin Mason


Jeff Chan writes:
> On Thursday, June 19, 2008, 7:33:44 AM, Yet Ninja wrote:
> > Guys, you're being hit with hacked web site URIs showing up in a heavy
> > spam flood. I see Uribl.com got most of them, but in case:
>
> > rawbody  GMD_R_DOT_HTML /\/r\.html$/
> > describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> > score    GMD_R_DOT_HTML  3.5
>
> > Note: making it an uri rule doesn't hit them all.

if you can find a case where the uri rule doesn't match but the rawbody
does, and the URL works, please open a bug!

> > enjoy
>
> It and video.exe are Storm.

yeah, I was thinking it looked familiar.

BAD_ENC_HEADER hits them all btw, on the Subject line's encoding. And
there's some interesting regularity in the Message-ID:

Message-id: <Q0150625piByoZfn/20080611100182H+1@...>
Message-id: <N7556814WYcmtrMl/20080611241908L+6@...>
Message-id: <P5195955SYbtbcft/20080611128928A+5@...>
Message-id: <P2384398XFKSgzjs/20080611992691U+3@...>

also, odd spaces:

Date:   Thu, 19 Jun 2008 17:04:32 +0200
Date:   Thu, 19 Jun 2008 18:03:54 +0300
Date:   Thu, 19 Jun 2008 17:03:49 +0200
Date:   Thu, 19 Jun 2008 10:02:50 -0500

--j.

Re: EMERGENCY RULE: porntube redirect

by Raymond Dijkxhoorn-2

Hi!

> Message-id: <Q0150625piByoZfn/20080611100182H+1@...>
> Message-id: <N7556814WYcmtrMl/20080611241908L+6@...>
> Message-id: <P5195955SYbtbcft/20080611128928A+5@...>
> Message-id: <P2384398XFKSgzjs/20080611992691U+3@...>
>
> also, odd spaces:
>
> Date:   Thu, 19 Jun 2008 17:04:32 +0200
> Date:   Thu, 19 Jun 2008 18:03:54 +0300
> Date:   Thu, 19 Jun 2008 17:03:49 +0200
> Date:   Thu, 19 Jun 2008 10:02:50 -0500

Yups... hits SPACED_DATE also ;)

Bye,
Raymond.
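The indicators Justin and Raymond point out, as a small Python triage check that is an added example and not code from the thread or from SpamAssassin: the thread's rawbody rule applied per body line, the shared Message-ID shape, and two or more blanks after "Date:" in the raw header. It runs over one constructed spam-shaped and one ham-shaped message; STORM_MSGID_SHAPE is an assumed name rather than an SA rule, and the domains are reserved placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample messages, not copied from the thread; Message-ID and Date
# values follow the shapes quoted above, domains are reserved placeholders.
SAMPLE_SPAM = (
    "Message-id: <Q0150625piByoZfn/20080611100182H+1@mid.invalid>\n"
    "Date:   Thu, 19 Jun 2008 17:04:32 +0200\n"
    "\n"
    "http://compromised-site.example/r.html\n"
)
SAMPLE_HAM = (
    "Message-ID: <20080619150432.GA1234@host.example>\n"
    "Date: Thu, 19 Jun 2008 17:04:32 +0200\n"
    "\n"
    "notes are at http://intranet.example/notes/r.html?id=7\n"
)

# Per-line equivalent of the thread's rawbody rule /\/r\.html$/ (end-anchored).
RAWBODY_R_HTML = re.compile(r"/r\.html$")
# Shape of the four Message-IDs Justin quotes: capital, 7 digits, 8 letters,
# slash, 14 digits, capital, '+', digit.
MSGID_SHAPE = re.compile(r"<[A-Z]\d{7}[A-Za-z]{8}/\d{14}[A-Z]\+\d@[^>]+>")
# Two or more blanks right after "Date:" in the raw header (cf. SPACED_DATE).
SPACED_DATE = re.compile(r"^Date:[ \t]{2,}", re.IGNORECASE)

def split_raw(raw: str) -> Tuple[List[str], List[str]]:
    """Split a raw message into unfolded raw header lines and body lines."""
    head, _, body = raw.partition("\n\n")
    headers: List[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += line  # folded continuation line
        else:
            headers.append(line)
    return headers, body.split("\n")

def check_message(raw: str) -> List[str]:
    """Return the indicator names from the thread that fire on this message."""
    headers, body_lines = split_raw(raw)
    hits = set()
    if any(RAWBODY_R_HTML.search(line) for line in body_lines):
        hits.add("GMD_R_DOT_HTML")
    for h in headers:
        name, _, value = h.partition(":")
        if name.lower() == "message-id" and MSGID_SHAPE.fullmatch(value.strip()):
            hits.add("STORM_MSGID_SHAPE")  # assumed name, not an SA rule
        if SPACED_DATE.match(h):
            hits.add("SPACED_DATE")
    return sorted(hits)
```

The ham sample ends its URL with a query string, so the end-anchored r.html check stays quiet, which is the same behaviour the rawbody rule's trailing $ gives.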

Re: EMERGENCY RULE: porntube redirect

by Chris-394

On Thursday 19 June 2008 9:33 am, Yet Another Ninja wrote:

> Guys, you're being hit with hacked web site URIs showing up in a heavy
> spam flood. I see Uribl.com got most of them, but in case:
>
> rawbody  GMD_R_DOT_HTML /\/r\.html$/
> describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> score GMD_R_DOT_HTML  3.5
>
> Note: making it an uri rule doesn't hit them all.
>
> enjoy
I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran
spamassassin --lint and got:

[chris@cpollock ~]$ spamassassin --lint
[25034] warn: config: failed to parse line, skipping, in
"/etc/mail/spamassassin/local.cf": score    GMD_R_DOT_HTML  3.5
[25034] warn: config: warning: description exists for non-existent rule
GMD_R_DOT_HTML
[25034] warn: lint: 2 issues detected, please rerun with debug enabled for
more information

I know it can't be that hard to c/p a rule, though it seems I either messed
something up or SA didn't like the rule.

--
Chris
KeyID 0xE372A7DA98E6705C



Re: EMERGENCY RULE: porntube redirect

by Sahil Tandon

Chris <cpollock@...> wrote:

> On Thursday 19 June 2008 9:33 am, Yet Another Ninja wrote:
> > Guys, you're being hit with hacked web site URIs showing up in a heavy
> > spam flood. I see Uribl.com got most of them, but in case:
> >
> > rawbody  GMD_R_DOT_HTML /\/r\.html$/
> > describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> > score GMD_R_DOT_HTML  3.5
> >
> > Note: making it an uri rule doesn't hit them all.
> >
> > enjoy
>
> I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran
> spamassassin --lint and got:

[...]

> I know it can't be that hard to c/p a rule, though it seems I either messed
> something up or SA didn't like the rule.

I think something went awry with your whitespace during the cut&paste.  Try
editing the local.cf in vim, delete what appear to be spaces in the GMD
rules, re-insert them, and then --lint again.

--
Sahil Tandon <sahil@...>
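A pre-lint check for the cut-and-paste problem Chris hit and Sahil diagnosed, as an added example that is neither part of the thread nor SpamAssassin's own lint: it flags config lines containing whitespace other than a plain space or tab, with U+00A0 NO-BREAK SPACE assumed here as the character the paste introduced, and reports describe/score lines for rules that are never defined, the second warning in Chris's output. The local.cf text is constructed.

```python
from typing import Dict, List, Set

# Constructed local.cf text, not Chris's actual file. Line 3 uses U+00A0
# NO-BREAK SPACE instead of ASCII spaces (assumed stand-in for the paste
# damage); line 4 describes a rule that is never defined.
SAMPLE_LOCAL_CF = (
    "rawbody  GMD_R_DOT_HTML /\\/r\\.html$/\n"
    "describe GMD_R_DOT_HTML Possible hacked site with porntube redirect\n"
    "score\u00a0\u00a0\u00a0\u00a0GMD_R_DOT_HTML\u00a0\u00a03.5\n"
    "describe GMD_TYPO_RULE description for a rule that is never defined\n"
)

# Rule-defining keywords handled here (a subset of what SA accepts).
RULE_TYPES = {"header", "body", "rawbody", "uri", "full", "meta", "mimeheader"}
ASCII_WS = " \t"  # the only whitespace a rule line should contain

def preflight(cf_text: str) -> List[str]:
    """Return lint-style warnings for a SpamAssassin config text."""
    warnings: List[str] = []
    defined: Set[str] = set()
    referenced: Dict[str, int] = {}  # rule name -> first describe/score line
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Unicode whitespace that is not a plain space or tab, e.g. U+00A0.
        odd = sorted({f"U+{ord(c):04X}" for c in line
                      if c.isspace() and c not in ASCII_WS})
        if odd:
            warnings.append(f"line {lineno}: non-ASCII whitespace {', '.join(odd)}")
            continue  # as in Chris's output, SA skips a line it cannot parse
        parts = line.split()
        if parts[0] in RULE_TYPES and len(parts) >= 3:
            defined.add(parts[1])
        elif parts[0] in ("describe", "score") and len(parts) >= 2:
            referenced.setdefault(parts[1], lineno)
    for name, lineno in referenced.items():
        if name not in defined:
            warnings.append(f"line {lineno}: describe/score for non-existent rule {name}")
    return warnings
```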

Re: EMERGENCY RULE: porntube redirect

by Chris-394

On Thursday 19 June 2008 7:50 pm, Sahil Tandon wrote:

> Chris <cpollock@...> wrote:
> > On Thursday 19 June 2008 9:33 am, Yet Another Ninja wrote:
> > > Guys, you're being hit with hacked web site URIs showing up in a heavy
> > > spam flood. I see Uribl.com got most of them, but in case:
> > >
> > > rawbody  GMD_R_DOT_HTML /\/r\.html$/
> > > describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> > > score GMD_R_DOT_HTML  3.5
> > >
> > I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran
> > spamassassin --lint and got:
>
> > I know it can't be that hard to c/p a rule, though it seems I either
> > messed something up or SA didn't like the rule.
>
> I think something went awry with your whitespace during the cut&paste.  Try
> editing the local.cf in vim, delete what appear to be spaces in the GMD
> rules, re-insert them, and then --lint again.
That did the trick. I should have learned from prior experience and typed it
in manually in the first place.

Thanks
Chris

--
Chris
KeyID 0xE372A7DA98E6705C



, stretch test for SA

by NGSS

Is there a way or tool to test and measure/analyse how well SA is set
up to guard against spam?



RE: , stretch test for SA

by Martin.Hepworth

Yeah, the way you get a phone call once a month to the help desk when a single piece of spam ends up in a user's inbox ;-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: NGSS [mailto:ngssupp@...]
> Sent: 20 June 2008 15:05
> To: users@...
> Cc: out@...
> Subject: , stretch test for SA
>
> Is there a way or tool to test and measure/analyse how well
> the SA is being setup to guard against spam?
>
>
>




Re: EMERGENCY RULE: porntube redirect

by Karsten Bräckelmann-2


> I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran
> spamassassin --lint and got:

That's the wrong way round, seriously. Do not restart SA after changes,
unless --lint comes out clean.

  guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: EMERGENCY RULE: porntube redirect

by Chris-394

On Friday 20 June 2008 10:14 am, Karsten Bräckelmann wrote:
> > I'd like to enjoy, stuck the above in my local.cf, restarted SA, ran
> > spamassassin --lint and got:
>
> That's the wrong way round, seriously. Do not restart SA after changes,
> unless --lint comes out clean.
>
>   guenther
Hmm, I've always understood that SA needs to be restarted to get any newly added
rules read, though you may be right: sa-update runs a --lint before stopping
and starting SA.

--
Chris
KeyID 0xE372A7DA98E6705C



Re: EMERGENCY RULE: porntube redirect

by Karsten Bräckelmann-2

On Fri, 2008-06-20 at 17:53 -0500, Chris wrote:
> On Friday 20 June 2008 10:14 am, Karsten Bräckelmann wrote:

> > That's the wrong way round, seriously. Do not restart SA after changes,
> > unless --lint comes out clean.
>
> Hmm, I've always understood that SA needs to be restarted to get any new rules
> added read, though you may be right, sa-update runs a --lint before stopping
> and starting SA.

Yes, this is true when using spamd, or any other daemonized third party
tool using the SA API directly, like amavis.

This is *not* true when calling 'spamassassin' directly, which you do
for linting. In this case a new SA process is being started, reading all
config files from disk, entirely unrelated to a possibly running spamd.
So, while your daemonized spamd is running, you can edit the cf files
without harming the precious, busy spamd, lint your changes, and even
test them using 'spamassassin'. Only when you're happy with your
changes, restart the daemon to make it pick up the freshly changed (and
hopefully linted ;) rules.

  guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}