Data to make a new rule from?
I've noticed a signature associated with some type of new ratware. It
doesn't seem too popular yet (only a couple dozen hits per hour out of 100k
messages/day). SA263 doesn't see anything wrong with the headers. The most
obviously incriminating data is a forged "Received" line that includes some
text about encrypted transfer. The "DES-CBC3-SHA" xfer style it mentions is
apparently valid (I saw qmail examples in a google search) but the typo
(below) saying "with with" is a good identifier for this particular program.
I'm rejecting them with postfix header checks.

Received: from [197.178.76.58] by 24.30.7.33 with with DES-CBC3-SHA
encrypted SMTP; Wed, 04 Feb 2004 06:50:01 -0600

The from/reply-to address made from this program is always a randomly
generated username with a valid domain. The username seems to be 6 or more
characters, often with few vowels. Here's a few examples:

fcslpwdwdt@hot-shot.com
zndewbdsvkq@mindless.com
rciquxgzxld@berlin.com
squugenpt@africamail.com
rrycxykfoqdbwn@hairdresser.net
zmdpiozerqwtp@australiamail.com
xymbkhm@accountant.com

I wonder if a low/med scoring rule can be created to look for usernames of 6
or more alpha only chars with large groups (4+) of back-to-back consonants?
Sticking with 6 or more chars should avoid simple abbreviations like
qts@domain.com or dprc@otherdomain.com, but be more successful with
xymbkhm@accountant.com.

Anyway, here's more header slime it generates:

X-Authentication-Warning: tjgpbily- fyygvdu
Message-ID: <13025300696510.2067012045547397869255@wgyfkgayv>
References: <138671429130718184835@ajbttxpl>
In-Reply-To: <138671429130718184835@ajbttxpl>
X-Mailer: ypewybj. lbxwy

I've kept one of these messages as a sample; email me for the full source if
it's of interest to you. I'm pretty rough with regex/pcre so I won't be
posting any rules for this any time soon. Hopefully this is of use to
someone else :)

--eric
Re: Data to make a new rule from?
Hello Eric,

Thursday, February 5, 2004, 4:40:28 PM, you wrote:

EF> but the typo (below) saying "with with" is a good identifier for this
EF> particular program.

Agreed. "with with" hits 3 spam here, no ham.
Just developed this rule, which I'll be testing tonight:
header RM_hr_WithWith Received =~ / with with /
describe RM_hr_WithWith Spam identified by typo in received header
score RM_hr_WithWith 1.000 # type=spamp -

EF> The from/reply-to address made from this program is always a randomly
EF> generated username with a valid domain. The username seems to be 6 or more
EF> characters, often with few vowels. Here's a few examples:

EF> I wonder if a low/med scoring rule can be created to look for usernames of 6
EF> or more alpha only chars with large groups (4+) of back-to-back consonants?
EF> Sticking with 6 or more chars should avoid simple abbreviations like
EF> qts@domain.com or dprc@otherdomain.com, but be more successful with
EF> xymbkhm@accountant.com.

I use:
header RM_fl_ConsWord6s From =~ /\b[bcghjklmnpqrtvwxz]{6,20}\b/
describe RM_fl_ConsWord6s From contains word consisting of consecutive consonants
score RM_fl_ConsWord6s 3.000 # 460s/1h of 97268 corpus (79437s/17831h) 01/24/04
header RM_fl_ConsWord9 From =~ /\b[bcghjklmnpqrstvwxz]{9,20}\b/
describe RM_fl_ConsWord9 From contains word consisting of consecutive consonants
score RM_fl_ConsWord9 3.000 # type=spamp - 137s/0h of 97268 corpus (79437s/17831h) 01/24/04

Note that the 6-consonant test has had "s" removed to cut down on ham
hits.

Bob Menschel
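As an added example (not code from either post, and not a SpamAssassin rule file), the Python prototype below applies the two heuristics discussed in this thread: the literal " with with " check on Received lines, and the consonant-run test on the From local part. It runs both Eric's proposed criterion (6 or more alphabetic characters containing a run of 4 or more consonants; counting "y" as a consonant is an assumption the post does not settle) and Bob's two regexes exactly as posted, over the sample addresses quoted above plus the two short abbreviations Eric wanted left alone, and over a constructed raw message carrying the forged Received line.

```python
"""Prototype of the two heuristics from the thread: the "with with" typo in a
forged Received line, and a random-looking From local part made of consonant
runs. Added example; the sample data below is constructed from the thread."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample set: the seven addresses quoted in the post plus the two
# short abbreviations the author wanted to keep unflagged.
SAMPLE_ADDRESSES = [
    "fcslpwdwdt@hot-shot.com",
    "zndewbdsvkq@mindless.com",
    "rciquxgzxld@berlin.com",
    "squugenpt@africamail.com",
    "rrycxykfoqdbwn@hairdresser.net",
    "zmdpiozerqwtp@australiamail.com",
    "xymbkhm@accountant.com",
    "qts@domain.com",
    "dprc@otherdomain.com",
]

# Constructed raw message carrying the forged (folded) Received line from the
# post and one of the sample From addresses.
SAMPLE_MESSAGE = (
    "Received: from [197.178.76.58] by 24.30.7.33 with with DES-CBC3-SHA\n"
    "\tencrypted SMTP; Wed, 04 Feb 2004 06:50:01 -0600\n"
    "From: xymbkhm@accountant.com\n"
    "X-Mailer: ypewybj. lbxwy\n"
    "Subject: sample\n"
    "\n"
    "body\n"
)

# Eric's proposal: local part of 6+ alphabetic characters with 4+ consecutive
# consonants. 'y' is treated as a consonant here (assumption).
ALPHA_LOCALPART = re.compile(r"^[A-Za-z]{6,}$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}", re.IGNORECASE)

# Bob's two rules copied verbatim from the reply (Perl and Python agree on this
# syntax). Note the classes contain no 'd', 'f' or 'y', and the 6-char one no 's'.
BOB_RULES = {
    "RM_fl_ConsWord6s": re.compile(r"\b[bcghjklmnpqrtvwxz]{6,20}\b"),
    "RM_fl_ConsWord9": re.compile(r"\b[bcghjklmnpqrstvwxz]{9,20}\b"),
}
WITH_WITH = re.compile(r" with with ")


def local_part(addr: str) -> str:
    """Return the text before the last '@' of a bare address."""
    return addr.rsplit("@", 1)[0]


def consonant_run_localpart(addr: str) -> bool:
    """Eric's criterion: alpha-only local part, 6+ chars, 4+ consonant run."""
    lp = local_part(addr)
    return bool(ALPHA_LOCALPART.match(lp) and CONSONANT_RUN.search(lp))


def bob_hits(from_header: str) -> list:
    """Names of Bob's rules that match the given From header text."""
    return [name for name, rx in BOB_RULES.items() if rx.search(from_header)]


def received_with_with(received_headers) -> bool:
    """True if any Received header carries the literal ' with with ' typo."""
    return bool(WITH_WITH.search("\n".join(received_headers)))


def score_message(raw: str) -> dict:
    """Report which heuristics fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    addr = parseaddr(from_hdr)[1]
    return {
        "with_with": received_with_with(msg.get_all("Received", [])),
        "consonant_run": consonant_run_localpart(addr),
        "bob_rules": bob_hits(from_hdr),
    }


def evaluate(addresses=SAMPLE_ADDRESSES) -> dict:
    """Map each address to (Eric's criterion hit?, names of Bob's rules hit)."""
    return {a: (consonant_run_localpart(a), bob_hits(a)) for a in addresses}


if __name__ == "__main__":
    for addr, (eric, bob) in evaluate().items():
        print(f"{addr:35} eric={str(eric):5} bob={bob}")
    print(score_message(SAMPLE_MESSAGE))
```

Running it shows how far the two proposals diverge on the thread's own data: Eric's criterion flags six of the seven sample addresses (squugenpt has no run of four consonants) and neither short abbreviation, while Bob's regexes as posted fire on none of them, because their character classes contain no d, f or y and the \b anchors require the whole local part to be drawn from the class. Whichever variant is adopted, it still needs the kind of ham/spam corpus pass Bob's score comments record before it earns a score.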