[Mimedefang] Using MD to defeat spam with embedded far-east URI's

Mitch at 0Bits.COM
Sat Jul 26 15:44:01 EDT 2003


For anyone interested, I've done this successfully (though funnily
I've not yet received a real spam that triggers it - but using an old
quarantined one it triggers the right codepath).

This was as much a lesson in writing a filter as it was my first dabble
in Perl. Here it is



---------- Forwarded message ----------
Date: Mon, 21 Jul 2003 13:14:04 +0100 (BST)
From: Mitch at 0Bits.COM
To: Kevin A. McGrail <kmcgrail at peregrinehw.com>
Cc: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Using MD to defeat spam with embedded far-east


From my limited understanding of SA, I believe it is too "static"
to be able to handle the dynamic behavior I'm looking for. Specifically
there are no "if/then/else" constructs but only scoring - which I guess
is similar, but then needs the whole message to be parsed for URIs and
the scores added up to give you a final value to determine the SPAM value
of a message.

MD gives you this programmatic interface and lets you short-circuit
complete message parsing on first hit. As for RBL, I had some more
thoughts on the subject and RBL matching won't work, since most spam URIs
aren't actually from the open relay domains that RBLs block. Furthermore
Razor is somewhat good but someone always has to get one spam and report
it for Razor to work effectively.

So, say a spam message had 10 URIs that got extracted and put into
an array. With SA, all 10 would need to be DNS resolved and matched to
reach a spam score for the message. With MD (I hope) the idea would be
to short circuit it on maybe even the 1st DNS resolution against a list
of address blocks we know are spam endemic.

Any more thoughts/comments before I take a wild stab at this?

-------- Original Message --------
Subject: Re: [Mimedefang] Using MD to defeat spam with embedded far-east URI's
Date: Sun, 20 Jul 2003 20:48:44 -0400
From: Kevin A. McGrail <kmcgrail at peregrinehw.com>
Reply-To: mimedefang at lists.roaringpenguin.com
To: <mimedefang at lists.roaringpenguin.com>
References: <Pine.LNX.4.53.0307201855350.14579 at mx.homelinux.com>

Honestly, I think this would be a good idea for a rule in SpamAssassin.
However, I wonder whether you are using some of the realtime blacklists
for SpamAssassin and the Razor feature because both of those could
contribute to that problem?

Have you configured your SpamAssassin to use Razor and perhaps looked into
any of the existing RBLs that SpamAssassin supports?


> I've been looking at my spam recently in the Quarantined directory
> and apart from the Nigerian guy who wants desperately to send me
> a million dollars, a pattern is appearing that appears not to be
> being caught which would give a higher hit rate of spam detection.
> Most if not all spam have URIs in them that resolve to
> DNS blocks. Although spamassassin has the 20_uri_tests.cf, this only
> checks against a static set of known words. New SPAMs are now using
> words like "\/iagra", "Teen/\ge" and the such to defeat SA. Clearly
> using a static defeat list in SA is not ideal.
> Although it's trivial to block the far-eastern domains relays sending
> emails to us, we don't seem to score URIs by DNS resolution against a
> fixed list or RBL for example.
> So my question is can this be done in MD easily? What it essentially
> entails would be a filter to shove into an array any URIs appearing
> in the body and then reverse resolve and check against a static block
> list (i.e. all far-eastern classes) or against RBL?
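An added example in Perl (not the poster's filter, which the archive does not include) of the procedure discussed in this thread: pull the URI hosts out of the body into an array, resolve each one, and stop at the first address that falls inside a list of blocked address ranges. The block list, hostnames and body text are constructed, and the resolver is passed in as a code ref so the demonstration runs offline; in a real mimedefang-filter the check would be called from filter_end with the decoded body text and the dns_resolve sub.

```perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);
# Constructed list of address blocks; a real filter would load these from a file.
my @BLOCKED = ('203.0.113.0/24', '198.51.100.0/25');

# Parse "a.b.c.d/n" into (network, mask) as 32-bit integers.
sub cidr_to_range {
    my ($cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (unpack('N', inet_aton($net)) & $mask, $mask);
}

# True when the dotted-quad $ip lies inside any listed block.
sub ip_is_blocked {
    my ($ip) = @_;
    my $n = unpack('N', inet_aton($ip));
    for my $cidr (@BLOCKED) {
        my ($net, $mask) = cidr_to_range($cidr);
        return 1 if ($n & $mask) == $net;
    }
    return 0;
}

# Collect the distinct host part of every http(s):// URI in a body string.
sub extract_hosts {
    my ($body) = @_;
    my %seen;
    return grep { !$seen{$_}++ } map { lc($_) } $body =~ m{https?://([A-Za-z0-9.-]+)}g;
}

# Short-circuit on the first host whose address hits the block list; returns
# (host, ip) or an empty list. $resolve is a code ref so the same logic runs
# offline here and with real DNS inside the filter.
sub first_blocked_uri {
    my ($body, $resolve) = @_;
    for my $host (extract_hosts($body)) {
        my $ip = $resolve->($host) or next;    # unresolvable hosts are skipped
        return ($host, $ip) if ip_is_blocked($ip);
    }
    return;
}

# Real resolver to pass in from filter_end in a mimedefang-filter.
sub dns_resolve { my $packed = gethostbyname($_[0]); return $packed ? inet_ntoa($packed) : undef }

# Offline demonstration: constructed resolver table and constructed body text.
my %fake_dns = ('shop.example' => '192.0.2.10', 'pills.example' => '203.0.113.77');
my $body = "Order at http://shop.example/ or http://PILLS.example/buy?id=1";
my ($host, $ip) = first_blocked_uri($body, sub { $fake_dns{$_[0]} });
print defined $host ? "blocked: $host ($ip)\n" : "no blocked URI found\n";
```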
