"replace this with that" strings

Jay Chandler chandler.lists at chapman.edu
Fri Feb 16 19:46:18 CET 2007


Ken A wrote:
>
>
> Daniel Maher wrote:
>> Hello all,
>>
>> Lately, I have received a large number of Spams which instruct my 
>> users to "replace <this> with <that>" in order to create a valid 
>> URL.  I was wondering if anybody had an effective way to block 
>> these.  My first instinct is to create a simple SA rule - if somebody 
>> else has already made one that seems to work, I'd rather not 
>> re-invent the wheel. :-)
>>
>
> I'm not a regex expert. (ianare?) .. but this is working pretty well 
> here - it probably hits a few ham, but I don't log non-spam, so not sure!
>
> body    __LOCAL_BLOCK_REP_THING1        /\b(?:remove|replace|substitute)\s(?:"."|'.'|space)\s(?:with|for)\s(?:"."|'.')/i
>
> describe        __LOCAL_BLOCK_REP_THING1        replace this with that
>
> body    __LOCAL_BLOCK_REP_THING2        /\bremove ?(the)?\s(?:"."|'.'|space)\s(?:in the|from the|above|below)/i
> describe        __LOCAL_BLOCK_REP_THING2        replace this with that
>
> meta    LOCAL_BLOCK_REP_THING           (__LOCAL_BLOCK_REP_THING1 || __LOCAL_BLOCK_REP_THING2)
> describe        LOCAL_BLOCK_REP_THING   replace or remove a char
> score   LOCAL_BLOCK_REP_THING           2.0
>
> other metrics usually push it over the top tho (combine it with a 
> check for meds, etc..)
>
> Ken A
> Pacific.Net
>
>>
>> Thanks!
>>
>> -- 
>>
>>   _
>>  °v°  Daniel Maher
>> /(_)\ Administrateur Système Unix
>>  ^ ^  Unix System Administrator
>>
>> Four elements!
>>

I use this from the SARE list:

spacecowboy# cat 75_bad_domain.cf
# 2007-01-24 new rules (adapted from Henrik Krohns <hege at stream.hege.li> on SA list)
# http:// [user [:password] @] <legal uri characters> + <1 illegal char> + <legal chars>
#   + (<end of uri> or / or ? or :<port>)
uri             local_OBFUDOM           /https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?[a-z0-9._\-]{1,30}[^a-z0-9._\-\/:'\[][a-z0-9._\-\@]{1,30}(?:$|\/|\?|:[0-9])/i
describe        local_OBFUDOM           Domain contains illegal characters
score   local_OBFUDOM           1.1

body            __obfdomreq1 /\b(?:remove|replace|substitute)\b/i
body            __obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
body            __obfdomreq3            /\bImportant!/i
meta            __obfudomreq            (__obfdomreq1 + __obfdomreq2 + __obfdomreq3) > 1
meta            local_OBFDOMREQ         (local_OBFUDOM && __obfudomreq)
describe        local_OBFDOMREQ         Request to modify obfuscated domain
score   local_OBFDOMREQ         3.1

body     ACKME_OBFURL1a m/\bhttp:\/\/[a-z0-9\-.]+[!*%&, -]+\.?com\b/
describe ACKME_OBFURL1a URL that contains dodgy char
score    ACKME_OBFURL1a 2.0

body     ACKME_OBFURL1b m/Remove "[!*%&, -]+" to make the link working!/i
describe ACKME_OBFURL1b make spam link work
score    ACKME_OBFURL1b 2.0

#body     ACKME_OBFURL1c m/(\( )*Important( )*(!|,)* Remove "[!*%&, -]+"( \))*/i
#describe ACKME_OBFURL1c make spam link work
#score    ACKME_OBFURL1c 2.0

body     ACKME_OBFURL1d m/Important(,|:)* Replace "[!*%&, -]+" with "."/i
describe ACKME_OBFURL1d make spam link work
score    ACKME_OBFURL1d 2.0

# ACKME_OBFURL1c is commented out above, so it is left out of the meta here;
# referencing an undefined sub-rule makes SpamAssassin warn about an undefined dependency.
meta     ACKME_OBFURL1  (ACKME_OBFURL1a + ACKME_OBFURL1b + ACKME_OBFURL1d > 1)
describe ACKME_OBFURL1  obfuscated URLs and a make spam link work message
score    ACKME_OBFURL1  6.0



-- 
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler at chapman.edu
Today's Excuse: A star wars satellite accidentally blew up the WAN. 
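To see how the rules in the 75_bad_domain.cf listing above combine, here is an added example (not code from the thread or from SpamAssassin) that re-runs those regexes with Python's re module over two constructed sample messages and applies the same meta arithmetic. It assumes two simplifications: SpamAssassin's body rules are evaluated against the rendered message text, which is approximated here by the raw sample string, and its uri rules are evaluated against URIs it extracts itself, approximated here by a naive https?://\S+ token scan. Sub-rule hits count as 1 or 0 in the meta sums, exactly as the .cf expresses them.

```python
"""Added example: evaluate the posted body/uri/meta rules over sample text.
Patterns are copied from the 75_bad_domain.cf listing; sample messages are
constructed for this example and are not real mail."""
import re

# Body rules from the listing (Perl syntax here is compatible with Python re).
BODY_RULES = {
    "__obfdomreq1": re.compile(r"\b(?:remove|replace|substitute)\b", re.I),
    "__obfdomreq2": re.compile(r"""(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')""", re.I),
    "__obfdomreq3": re.compile(r"\bImportant!", re.I),
    "ACKME_OBFURL1a": re.compile(r"\bhttp:\/\/[a-z0-9\-.]+[!*%&, -]+\.?com\b"),
    "ACKME_OBFURL1b": re.compile(r'Remove "[!*%&, -]+" to make the link working!', re.I),
    "ACKME_OBFURL1d": re.compile(r'Important(,|:)* Replace "[!*%&, -]+" with "."', re.I),
}

# uri rule from the listing: legal host chars, one illegal char, legal chars, then
# end of URI, "/", "?" or ":<port>".
URI_RULES = {
    "local_OBFUDOM": re.compile(
        r"https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?"
        r"[a-z0-9._\-]{1,30}[^a-z0-9._\-\/:'\[][a-z0-9._\-\@]{1,30}(?:$|\/|\?|:[0-9])",
        re.I),
}

# Assumed simplification of SpamAssassin's URI extraction: one token per URL.
URI_TOKEN = re.compile(r"https?://\S+", re.I)

# Scores exactly as given in the listing (sub-rules starting with "__" score nothing).
SCORES = {
    "local_OBFUDOM": 1.1, "local_OBFDOMREQ": 3.1,
    "ACKME_OBFURL1a": 2.0, "ACKME_OBFURL1b": 2.0, "ACKME_OBFURL1d": 2.0,
    "ACKME_OBFURL1": 6.0,
}


def evaluate(body: str):
    """Return (sorted scoring rule names that hit, total score) for one message."""
    hits = {name: bool(rx.search(body)) for name, rx in BODY_RULES.items()}
    uris = URI_TOKEN.findall(body)
    for name, rx in URI_RULES.items():
        hits[name] = any(rx.search(u) for u in uris)

    # Meta rules as written in the .cf; True/False add as 1/0.
    hits["__obfudomreq"] = (hits["__obfdomreq1"] + hits["__obfdomreq2"]
                            + hits["__obfdomreq3"]) > 1
    hits["local_OBFDOMREQ"] = hits["local_OBFUDOM"] and hits["__obfudomreq"]
    hits["ACKME_OBFURL1"] = (hits["ACKME_OBFURL1a"] + hits["ACKME_OBFURL1b"]
                             + hits["ACKME_OBFURL1d"]) > 1

    scoring = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    return scoring, sum(SCORES[n] for n in scoring)


# Constructed spam-style sample: an obfuscated host plus a "replace X with ." instruction.
SPAM_SAMPLE = (
    'Order today.\n'
    'Important: Replace "*" with "." to make the link working!\n'
    'http://www.example*com/order\n'
)

# Constructed ham-style sample: uses "replace" and "address" (so __obfudomreq fires)
# but carries a well-formed URL, so neither uri-gated meta rule scores.
HAM_SAMPLE = (
    'Hi, please replace the old address in your contacts with the new one:\n'
    'http://www.example.com/contact\n'
)

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        rules, score = evaluate(sample)
        print(f"{label}: score={score:.1f} rules={rules}")
```

The ham sample shows why the listing gates local_OBFDOMREQ on local_OBFUDOM and requires two of the three ACKME sub-rules: wording like "replace the address" alone is common in legitimate mail, and only the combination with a malformed host pushes the score up.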