> Obviously, the OBFU rule set is not that sophisticated.

On the contrary, they are quite sophisticated in many cases.

> On top of that, the spammer (someone said it's Leo Kuvayev)

However, Leo is also quite sophisticated. And he has changed his spam generators in the last week to make things that SA can't currently detect. The SARE obfu rules were last updated a couple of weeks ago. That gives Leo currently a 14 day or so head start on the current SARE rulebase, and about 6 months head start on the standard SA rulebase.

> keeps changing the URL it points to. I've received it with inspectioflig(dot)com (scored 2.7), then with exclusivaven(dot)com (scored 6.4), then with univnews(dot)com (scored 7.1) and the last one was sinceschool(dot)com (scored 7.8)

*ALL* spammers buy multiple domain names in batches. Leo buys them by the hundreds at a time. Just as he isn't stupid enough to send all spam from the same machine since it would be very quickly cut off, he isn't stupid enough to target all of a given spam to the same domain, because it will quite quickly be blocked.

As near as I can tell, a run of spam from a given zombie typically is targeted at a single domain. However, Leo runs thousands or maybe hundreds of thousands of zombies in any given spam run, and he changes the spam slightly every few days, as best I can tell.

This means you have to step back, spend a few moments thinking like Leo, look for what is common and what is uncommon in a spam run, and then target specific rules to catch the stuff that is common. It ain't that hard to do, but it takes time to do it, and those of us that do that sort of thing often only do it when we get annoyed about spam leaking into the inbox. The rest of the time we do our normal day jobs.

Leo also does his normal day job most of the time. But that happens to be making spam, so he spends more time at it than the rest of us do.

I can see about ten ways to catch Leo's current batch. However, they weren't particularly interesting to me, since most of them are scoring about 40-70 here from net rules mostly. If I get some time in the next day or two I'll cut a set of rules for them.

Loren