On Wed, 15 Jul 2009, MrGibbage wrote:
I wonder if the spammers are reading this forum.  That seemed awful fast.

I'm sure they do. But I also suspect that they have a simple 'feedback' mechanism that lets them know how much of their spew is getting rejected on their botnets, and when the rejection numbers get too high they try something new, and keep trying until the rejection numbers drop again.

Then we fix our rules, the rejections go up, and they look for yet another 'trick' to get through. They have the advantage of being able to download their own copies of spamassassin to 'test' their spew. That's why sometimes you get 'red herrings' from me on this list when I don't share the full details of a rule. Posting it here almost assures that it will get bypassed. They copy the rule, then try all sorts of different combinations to bypass it....

Now really, the significant factor here is not that any of these obfuscation tricks are 'new', but that they are using them to bypass the URIBL rules. I strongly urge the spamassassin developers to consider ways to 'open up' the way that we can specify what SA will 'consider' a URI, or to be able to 'capture' a value from an obfuscation test, manipulate it into its 'original' URI and then 'manually' submit it to the URIBL....

Example hypothetical syntax (note that some parentheses are *capturing*):

body FINDURI /(www)(?:obfuscation)(domain)(?:obfuscation)(com|net|org)/i
uribl CHECIT /$1.$2.$3/

Basically, allow a rule to 'capture' one or more 'matches' in Perl variables, and then feed them to a subsequent rule (in this case, a manual URIBL lookup). This way, the SA developers don't have to hard-code an ever-changing set of "URI detection rules" into the core code, but we can still develop on-the-fly rules that can feed a URI to the URIBL tests....

I've heard people mention 'plugins'. Could I code one that would be easily 'modifiable' so that (for example) this morning's '[dot]' trick can be quickly added to my plugin? Is there a good working example of a plugin that extracts text from a message and feeds it to a URI? I'll work on this!

- C
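As an added worked example (not code from this mail or from SpamAssassin itself), here is the capture-and-reconstruct idea in Python: the regex mirrors the hypothetical FINDURI rule with three capturing groups, rebuilds the hostname from the obfuscated form, and produces the DNS names a URIBL lookup would query. The sample body text and the zone name multi.uribl.example are constructed placeholders, and the '[dot]' entry in DOT_TOKENS is the kind of thing a defender adds when a new trick shows up.

```python
import re
from typing import List

# Constructed sample body text (not from the original mail) showing a few
# ways a URI can be hidden from a scanner that only recognises literal dots.
SAMPLE_BODY = """Check this out: www[dot]example[dot]com
Also www (dot) bad-site (dot) net and www . other . org/landing
Plain link http://legit.example.org/ stays as-is.
"""

# Tokens a sender may substitute for the '.' between labels.  Surrounding
# whitespace is tolerated.  Extend this list when a new obfuscation appears.
DOT_TOKENS = [r"\[dot\]", r"\(dot\)", r"\{dot\}", r"\bdot\b", r"\."]
DOT = r"\s*(?:" + "|".join(DOT_TOKENS) + r")\s*"
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
TLDS = r"(?:com|net|org|info|biz)"

# Capture groups mirror the hypothetical FINDURI rule: $1 = www, $2 = domain, $3 = tld.
FINDURI = re.compile(r"\b(www)" + DOT + "(" + LABEL + ")" + DOT + "(" + TLDS + r")\b", re.I)


def deobfuscate_hosts(body: str) -> List[str]:
    """Return normalised 'www.domain.tld' hostnames rebuilt from obfuscated forms, in order of first appearance."""
    seen: List[str] = []
    for m in FINDURI.finditer(body):
        host = ".".join(g.lower() for g in m.groups())
        if host not in seen:
            seen.append(host)
    return seen


def uribl_query_names(hosts: List[str], zone: str = "multi.uribl.example") -> List[str]:
    """Build the DNS names a URIBL lookup would query for each hostname.

    URIBLs are keyed on the registered domain, so the leading 'www' label is
    dropped before the zone suffix is appended.  The zone name is a placeholder;
    a real deployment would use the list operator's published zone.
    """
    names = []
    for h in hosts:
        domain = ".".join(h.split(".")[-2:])
        names.append(f"{domain}.{zone}")
    return names


if __name__ == "__main__":
    hosts = deobfuscate_hosts(SAMPLE_BODY)
    for host, query in zip(hosts, uribl_query_names(hosts)):
        print(f"{host:24s} -> {query}")
```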
