Mailing List Archive

How can we make this one cry...
This particular spam has been getting through and it gets sent out
a lot - I'm sick of seeing it. It'll be tricky to detect because
it's HTML only, doesn't have any webbugs, and they use different
webservers and paths for the image they display (which happens to
be enhancement drugs). It looks like they're using compromised
machines to send it out.

Any ideas how to nail this one?

Steve

---------------------------------------------------------------------
Return-Path: <christine.swan_xn@cc.hut.fi>
Received: from worldcom.ch (d14-69-237-197.try.wideopenwest.com
[69.14.197.237])
by geekster.com (8.12.1/8.12.1) with ESMTP id i270h8t9013314
for <sprior@geekster.com>; Sat, 6 Mar 2004 19:43:09 -0500
From: "Christine Swan" <christine.swan_xn@cc.hut.fi>
Date: Sun, 07 Mar 2004 00:39:22 +0000
X-Mailer: Windows Eudora Pro Version 2.2 (32)
MIME-Version: 1.0
To: sprior@geekster.com
Message-ID: <2.2.32.20040307003922008c8652@cc.hut.fi>
Subject: =?ISO-8859-1?B?SW1tZWRpYXRlIERlbGl2ZXJ5ISBObyBXYWl0cyE=?=
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_047A_905BF472.794F1CF6"
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on tux.geekster.com
X-Spam-Status: No, hits=3.0 required=5.0
tests=HTML_60_70,HTML_IMAGE_ONLY_02,
HTML_MESSAGE,HTML_TAG_BALANCE_BODY,MANY_EXCLAMATIONS autolearn=no
version=2.63
X-Spam-Level: **

This is a multi-part message in MIME format.

------=_NextPart_000_047A_905BF472.794F1CF6
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 8bit




------=_NextPart_000_047A_905BF472.794F1CF6
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 8bit

<html><body>
<center><!--q1w16bRkK4VrdjZ--><a href="http://www.awbizwe.com"><img
src="http://www.esase44.com/z7.gif" border=0></a></center>
<body></html>


------=_NextPart_000_047A_905BF472.794F1CF6--

Re: How can we make this one cry...
On Sat, 2004-03-06 at 17:03, Steve Prior wrote:
> This particular spam has been getting through and it gets sent out
> a lot - I'm sick of seeing it. It'll be tricky to detect because
> it's HTML only, doesn't have any webbugs, and they use different
> webservers and paths for the image they display (which happens to
> be enhancement drugs). It looks like they're using compromised
> machines to send it out.
>
> Any ideas how to nail this one?
>

-- snip --

> <html><body>
> <center><!--q1w16bRkK4VrdjZ--><a href="http://www.awbizwe.com"><img
> src="http://www.esase44.com/z7.gif" border=0></a></center>
> <body></html>

This isn't my idea... it showed up on the list a long time ago. But I
do use it on my server. Your threshold is 5.0, so you're going to have
to adjust the score. My threshold is set very low, so 0.5 is enough to
push it over the top in my case.

rawbody TGP_RATWARE_CENTER_CMT /<center><!--/
describe TGP_RATWARE_CENTER_CMT Message has a center tag followed by a comment
score TGP_RATWARE_CENTER_CMT 0.5

- Jon

--
jon@tgpsolutions.com

Administrator, tgpsolutions
http://www.tgpsolutions.com

RE: How can we make this one cry...
That's a Mr. Wiggly spam. Chris Santerre went on a crusade against Mr.
Wiggly and came back with this:

rawbody __VDRUG1 /^\<html\>\<body\>/
rawbody __VDRUG2 /^\<center\>\<\!\-\-.{10,25}\-\-\>\<a href\=\"http\:\/\//
rawbody __VDRUG3 /[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 5.0

-----Original Message-----
From: Steve Prior [mailto:sprior@geekster.com]
Sent: Saturday, March 06, 2004 7:04 PM
To: spamassassin-users@incubator.apache.org
Subject: How can we make this one cry...

This particular spam has been getting through and it gets sent out a lot
- I'm sick of seeing it. It'll be tricky to detect because it's HTML
only, doesn't have any webbugs, and they use different webservers and
paths for the image they display (which happens to be enhancement
drugs). It looks like they're using compromised machines to send it
out.

Any ideas how to nail this one?
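
The four `__VDRUG` sub-rules and the `MRWIGGLY` meta rule above are only useful together, so here is an added example (not code from the thread or from SpamAssassin itself) that applies them, in Python's `re`, to the HTML part of Steve's sample and to a constructed harmless newsletter fragment. It assumes the `^` anchors in the posted rules are meant per line, so each pattern is tried against every line of the raw body, and it models the meta rule as "all four sub-rules fired".

```python
import re

# The four sub-rules exactly as posted (Perl syntax; these particular
# patterns are also valid Python regexes, since \< \! \- \= \" \: \/ are
# plain literal escapes in both engines).
VDRUG_RULES = {
    "__VDRUG1": r"^\<html\>\<body\>",
    "__VDRUG2": r"^\<center\>\<\!\-\-.{10,25}\-\-\>\<a href\=\"http\:\/\/",
    "__VDRUG3": r"[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>",
    "__VDRUG4": r"^\<\/?body\>\<\/html\>",
}
# meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
META_MRWIGGLY = ("__VDRUG1", "__VDRUG2", "__VDRUG3", "__VDRUG4")
MRWIGGLY_SCORE = 5.0

# text/html part of the sample message from the thread
SPAM_BODY = """<html><body>
<center><!--q1w16bRkK4VrdjZ--><a href="http://www.awbizwe.com"><img
src="http://www.esase44.com/z7.gif" border=0></a></center>
<body></html>
"""

# Constructed ham: same html/body skeleton and an image-only link, but a
# short comment and a non-"letter+digit" image name.
HAM_BODY = """<html><body>
<center><!-- logo --><a href="http://example.com"><img src="http://example.com/logo.gif" border=0></a></center>
</body></html>
"""


def rawbody_hits(raw_body):
    """Return the set of sub-rule names that match at least one line.

    Assumption: rawbody rules are evaluated line by line, which is what the
    ^ anchors in the posted patterns imply."""
    hits = set()
    for line in raw_body.splitlines():
        for name, pattern in VDRUG_RULES.items():
            if re.search(pattern, line):
                hits.add(name)
    return hits


def mrwiggly_score(raw_body):
    """Score contributed by MRWIGGLY: 5.0 only if every sub-rule fired."""
    hits = rawbody_hits(raw_body)
    if all(name in hits for name in META_MRWIGGLY):
        return MRWIGGLY_SCORE
    return 0.0


if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(label, sorted(rawbody_hits(body)), mrwiggly_score(body))
```

The ham fragment fires `__VDRUG1` and `__VDRUG4` (a bare `<html><body>` opening and `</body></html>` closing are common in any generated HTML mail), which is why those two carry no score of their own and only count inside the `&&` meta rule.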

Re: [spa] How can we make this one cry...
Hello!

On Sat, 6 Mar 2004, Steve Prior wrote:
> Any ideas how to nail this one?

> Subject: =?ISO-8859-1?B?SW1tZWRpYXRlIERlbGl2ZXJ5ISBObyBXYWl0cyE=?=

A modest score for 'encoded subject line'. I use the tests:

header LOC_SUBJECTENCODED Subject:raw =~ /=\?.*\?=/i
describe LOC_SUBJECTENCODED Subject line encoded
score LOC_SUBJECTENCODED 0.5
header LOC_SUBJISO8859 Subject:raw =~ /ISO.8859.1/i
describe LOC_SUBJISO8859 Subject is quoted printable iso-8859-1
score LOC_SUBJISO8859 0.5

And yes, this means that ISO-8859-1 gets a total of 1.....

> <a href="http://www.awbizwe.com">
> <img src="http://www.esase44.com/z7.gif" border=0></a></center>

I won't bother writing the rule just yet, but I was wondering, how many
ham have an image-only link which has a *different* domain than the link?

- Charles
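
As an added illustration of the two header tests above (this is not Charles's code nor SpamAssassin's), the following Python decodes the RFC 2047 subject from the sample and applies both regexes to the raw header value, the way `Subject:raw` does. The constructed French and UTF-8 subjects show the trade-off Charles notes: any ISO-8859-1 encoded subject, legitimate or not, collects the full 1.0.

```python
import re
from email.header import decode_header, make_header

# Charles's header tests, run against the undecoded (raw) Subject value.
HEADER_TESTS = {
    "LOC_SUBJECTENCODED": (re.compile(r"=\?.*\?=", re.I), 0.5),
    "LOC_SUBJISO8859": (re.compile(r"ISO.8859.1", re.I), 0.5),
}

# Raw Subject header from the sample message in the thread.
SPAM_SUBJECT = "=?ISO-8859-1?B?SW1tZWRpYXRlIERlbGl2ZXJ5ISBObyBXYWl0cyE=?="

# Constructed samples (not from the thread).
FRENCH_SUBJECT = "=?ISO-8859-1?Q?R=E9union_de_jeudi?="   # legitimate, still 1.0
UTF8_SUBJECT = "=?UTF-8?B?Q2Fmw6k=?="                      # "Café", only 0.5
PLAIN_SUBJECT = "Meeting on Thursday"                      # 0.0


def decode_subject(raw):
    """Decode an RFC 2047 encoded-word header into readable text."""
    return str(make_header(decode_header(raw)))


def score_subject(raw):
    """Return (names of tests that fired, total score) for a raw Subject."""
    fired = [name for name, (regex, _) in HEADER_TESTS.items() if regex.search(raw)]
    total = sum(HEADER_TESTS[name][1] for name in fired)
    return fired, total


if __name__ == "__main__":
    for raw in (SPAM_SUBJECT, FRENCH_SUBJECT, UTF8_SUBJECT, PLAIN_SUBJECT):
        fired, total = score_subject(raw)
        print(f"{total:3.1f} {fired!s:40} {decode_subject(raw)}")
```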

Re: How can we make this one cry...
The Mr. Wiggly rules seem to do the trick! I feel better already :-)

Thanks!
Steve

Tom Meunier wrote:
> That's a Mr. Wiggly spam. Chris Santerre went on a crusade against Mr.
> Wiggly and came back with this:
>
> rawbody __VDRUG1 /^\<html\>\<body\>/
> rawbody __VDRUG2 /^\<center\>\<\!\-\-.{10,25}\-\-\>\<a
> href\=\"http\:\/\//
> rawbody __VDRUG3 /[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>/
> rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
> meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
> describe MRWIGGLY Mr. Wiggly enhance drug spam.
> score MRWIGGLY 5.0

Re: [spa] How can we make this one cry...
On Saturday 06 March 2004 20:22, Charles Gregory wrote:

.....
>
> > <a href="http://www.awbizwe.com">
> > <img src="http://www.esase44.com/z7.gif" border=0></a></center>
>
> I won't bother writing the rule just yet, but I was wondering, how many
> ham have an image-only link which has a *different* domain than the link?
>

Presumably you mean OTHER than your post, or this reply to your
post? ;-)

I think it's not that unusual for people to send links to images
to their buddies and friends...

http://norcomix.dyndns.org/~red/fiji/images/jessiesland.jpg

--
_____________________________________
John Andersen

Re: How can we make this one cry...
On Sat, 6 Mar 2004, John Andersen wrote:
> > > <a href="http://www.awbizwe.com">
> > > <img src="http://www.esase44.com/z7.gif" border=0></a></center>
> > I won't bother writing the rule just yet, but I was wondering, how many
> > ham have an image-only link which has a *different* domain than the link?
> Presumably you mean OTHER than your post, or this reply to your
> post? ;-)

Presumably if I could actually type better than a dyslexic monkey, I might
have have said what I really mean..... (twisted grin)

> I think it's not that unusual for people to send links to images
> to their buddies and friends...

Now, what I *meant* (grin) was: How often does someone use an image-only
link where the image URL is different from the link URL? The rule would be
like this (watch the line wraps):

rawbody LOC_LINKIMAGEDIFFDOM /<a[^>]* href="[^"]*\.([^\."]*\.[^\."]*)"[^>]*>\W*<img[^>]* src="[^"]*\.(?!\1)[^\."]*\.[^\."]*"[^>]*>\W*</a>/i
describe LOC_LINKIMAGEDIFFDOM URL of image-only link diff domain from image
score LOC_LINKIMAGEDIFFDOM 0.1

The space before each 'href', and the \W's, are there to get around the
most obvious obfuscations....

Anyways, I haven't tested that rule yet, but if someone wants to
double-check my code and run it through a corpus......

- Charles
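
To make Charles's question concrete, here is an added Python version of the same check (not his rule and not SpamAssassin code): it walks the HTML with the standard-library parser, keeps only anchors whose sole content is one `<img>`, and flags those whose link host and image host differ. Like the posted regex, it compares only the last two labels of each hostname; the sample bodies other than the spam are constructed and show the cases that should not fire (same site on two hostnames, a relative image path, an anchor that also carries text).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable(host):
    """Last two labels of a hostname, the same approximation the regex makes
    (www.esase44.com -> esase44.com). Not a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


class ImageOnlyLinkFinder(HTMLParser):
    """Collect (href, src) for every <a> whose only content is a single <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the anchor currently open, if any
        self._imgs = []        # src values of <img> tags seen inside it
        self._other = False    # text or other tags seen inside it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._imgs, self._other = a.get("href"), [], False
        elif self._href is not None:
            if tag == "img":
                self._imgs.append(a.get("src"))
            else:
                self._other = True

    def handle_data(self, data):
        # Whitespace between tags is fine; real text makes it not image-only.
        if self._href is not None and data.strip():
            self._other = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if len(self._imgs) == 1 and self._imgs[0] and not self._other:
                self.links.append((self._href, self._imgs[0]))
            self._href = None


def cross_domain_image_links(html):
    """Return [(link_host, image_host)] for image-only links whose image is
    served from a different domain than the link target."""
    finder = ImageOnlyLinkFinder()
    finder.feed(html)
    hits = []
    for href, src in finder.links:
        link_host = urlsplit(href).hostname
        img_host = urlsplit(src).hostname
        # Relative image paths have no host and cannot be "different".
        if link_host and img_host and registrable(link_host) != registrable(img_host):
            hits.append((link_host, img_host))
    return hits


# text/html part of the sample message from the thread
SPAM_BODY = """<html><body>
<center><!--q1w16bRkK4VrdjZ--><a href="http://www.awbizwe.com"><img
src="http://www.esase44.com/z7.gif" border=0></a></center>
<body></html>"""

# Constructed ham fragments (not from the thread)
HAM_SAME_SITE = '<a href="http://www.example.com/"><img src="http://images.example.com/banner.gif"></a>'
HAM_RELATIVE = '<a href="http://example.org/page"><img src="/img/x.png" alt=""></a>'
HAM_WITH_TEXT = '<a href="http://a.example/"><img src="http://b.example/x.gif"> our partner site</a>'


if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("same site", HAM_SAME_SITE),
                        ("relative", HAM_RELATIVE), ("with text", HAM_WITH_TEXT)):
        print(f"{label:10} {cross_domain_image_links(body)}")
```

A parser-based check is not fooled by attribute order, newlines inside a tag or unquoted `border=0`, which is where a single-line regex on the raw body tends to miss. It still hits any sender that hosts images on a second domain of its own, which is the false-positive case the thread goes on to discuss and a good reason to keep the score as low as the 0.1 proposed.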

Re: How can we make this one cry...
It's an interesting theory. I'd like to see the results on a corpus though.
It might work reasonably well.

There might be problems though. I'm on a daily joke list from a
Janus-personality web site that sells both normal and adult DVDs. These
people have at least three site names, and freely intermix them in the links
in the HTML mail. In fact I had gotten one just a few minutes ago, and
looking at it, it would almost fail this test, but not quite.

(Of course a lot of other people might consider that list spam, it certainly
has a lot of commercial content.)

Loren