Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?


Author: D. Stussy
Date: May 22, 2008 18:27

I'm not a perl expert or an expert on cleanfeed. However, I've noted that
the "operation sudden fall" spam uses the newsgroup name as the domain part
of the message ID. Certainly there are no hosts that happen to coincide
with newsgroup names - so has anyone written a snippet for this that one may
add to cleanfeed to disallow this behavior?
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: Matija Nalis
Date: May 23, 2008 16:59

On Thu, 22 May 2008 18:27:25 -0700, D. Stussy bde-arc.ampr.org> wrote:
> I'm not a perl expert or an expert on cleanfeed. However, I've noted that
> the "operation sudden fall" spam uses the newsgroup name as the domain part
> of the message ID. Certainly there are no hosts that happen to coincide
> with newsgroup names - so has anyone written a snippet for this that one may
> add to cleanfeed to disallow this behavior?

Dunno, but probably not, as it is mostly useless unless you're currently
suffering under an attack. It is trivial for a spammer to modify and avoid, and
next spam run probably won't be using it. And you do accumulate cruft, and
it might hit a false positive (some announce-bot might be using similar
scheme, or something like that)

However (untried, from the top of my head, and I haven't seen the spam in
the first place), if you really want it, something along the lines of:

foreach my $g (@groups) {
return reject('spam') if $hdr{'Message-ID'} =~ /$g/;
}

in your local_filter_last() or similar.

--
Opinions above are GNU-copylefted.
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: D. Stussy
Date: May 23, 2008 22:39

"Matija Nalis" wrote in message
news:slrng3emj3.v4r.mnalis-news@eagle102.home.lan...
> On Thu, 22 May 2008 18:27:25 -0700, D. Stussy bde-arc.ampr.org> wrote:
>> I'm not a perl expert or an expert on cleanfeed. However, I've noted that
>> the "operation sudden fall" spam uses the newsgroup name as the domain part
>> of the message ID. Certainly there are no hosts that happen to coincide
>> with newsgroup names - so has anyone written a snippet for this that one may
>> add to cleanfeed to disallow this behavior?
>
> Dunno, but probably not, as it is mostly useless unless you're currently
> suffering under an attack. It is trivial for a spammer to modify and avoid, and
> next spam run probably won't be using it. And you do accumulate cruft, and
> it might hit a false positive (some announce-bot might be using similar
> scheme, or something like that)
> ...
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: Ray Banana
Date: May 23, 2008 22:59

Thus spake "D. Stussy" bde-arc.ampr.org>
>> foreach my $g (@groups) {
>> return reject('spam') if $hdr{'Message-ID'} =~ /$g/;
>> }
>> in your local_filter_last() or similar.
> Thanks. One question: Is the "@groups" variable a list of all groups from
> the active file? If so, then this could be placed in the message-ID
> checking routine thus avoiding transfer of the message (or headers).

From cleanfeed:

sub filter_art {
[...]
@groups = split(/[,\s]+/, $hdr{Newsgroups});

[...]

}

So it's a list of all groups the article is actually posted to.
And I wouldn't run the above code snippet against all groups in the
active file for performance reasons.
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: D. Stussy
Date: May 23, 2008 23:12

"Ray Banana" wrote in message
news:80zlqgjl7z.fsf@banana.shacknet.nu...
> Thus spake "D. Stussy" bde-arc.ampr.org>
>>> foreach my $g (@groups) {
>>> return reject('spam') if $hdr{'Message-ID'} =~ /$g/;
>>> }
>>> in your local_filter_last() or similar.
>> Thanks. One question: Is the "@groups" variable a list of all groups from
>> the active file? If so, then this could be placed in the message-ID
>> checking routine thus avoiding transfer of the message (or headers).
>
> From cleanfeed:
>
> sub filter_art {
> [...]
> @groups = split(/[,\s]+/, $hdr{Newsgroups});
>
> [...]
> ...
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: Julien ÉLIE
Date: May 23, 2008 23:37

Hi Matija,
>> the newsgroup name as the domain part of the message ID.
>
>
> foreach my $g (@groups) {
> return reject('spam') if $hdr{'Message-ID'} =~ /$g/;
> }

I would tend to prefer $hdr{'Message-ID'} =~ /\Q$g\E>$/
because $g contains dots (.) and maybe pluses (+, ++).
It should also be the end of the Message-ID (with '>$' I think).

HOWEVER, even then this routine will catch some cancel messages like:

May 22 22:39:36.844 fr.comp.os.linux.annonces>
Cancelling observe.edu.sg>

which should NOT have been rejected!

I believe the best thing to do is using NoCeM because bleachbot (maintained
by Xavier Roche) already deals with such spam:

[...]
May 22 22:31:48 news innd: SERVER cancelled <87e37059.85bf5de5@geometry.pre-college>
May 22 22:31:48 news innd: SERVER cancelled <4df4b4b1.725b63fc@hannet.ml.netbsd.current>
May 22 22:31:48 news...
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: D. Stussy
Date: May 24, 2008 16:45

"Julien
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: Julien ÉLIE
Date: May 25, 2008 02:13

Hi D. Stussy,
> So there are legitimate messages that follow the pattern? ...OR only
> cancels?

It seems odd to use that pattern for legitimate messages. But nobody
says it is forbidden...

If you really want to filter, I believe you should do it on "*@news.group.name>"
and not "*news.group.name*".

--
Julien ÉLIE

« -- I will tame you!
-- You are already making my hair stand on end,
that's a good start. » (Astérix)
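
The two patterns discussed in this thread, compared side by side. This is an added example, not code from any poster or from cleanfeed: the sub names and sample headers are constructed, the hash keys mirror cleanfeed's %hdr, and skipping cancels is an assumption made here to avoid the false positive reported above. In cleanfeed the refined test would sit in local_filter_last() and call reject('spam'), as suggested earlier in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as first posted in the thread: unquoted and unanchored.
sub naive_match {
    my ($hdr) = @_;
    for my $g (split /[,\s]+/, $hdr->{'Newsgroups'}) {
        return $g if $hdr->{'Message-ID'} =~ /$g/;
    }
    return;
}

# Refined check: the group must be the entire domain part ("@group>" at the
# end of the Message-ID), with \Q..\E so '.' and '+' in group names are
# literal characters. Skipping cancels is an assumption of this example.
sub domain_match {
    my ($hdr) = @_;
    return if ($hdr->{'Control'} // '') =~ /^cancel\s/i;
    for my $g (grep { length } split /[,\s]+/, $hdr->{'Newsgroups'} // '') {
        return $g if ($hdr->{'Message-ID'} // '') =~ /\@\Q$g\E>$/;
    }
    return;
}

# Constructed sample headers; the first Message-ID is one quoted in the thread.
my @samples = (
    [ 'group as domain part',
      { 'Message-ID' => '<4df4b4b1.725b63fc@hannet.ml.netbsd.current>',
        'Newsgroups' => 'hannet.ml.netbsd.current' } ],
    [ 'ordinary host domain',
      { 'Message-ID' => '<id1@mail.comp-lang-c.example>',
        'Newsgroups' => 'comp.lang.c++' } ],
    [ 'cancel from a bot',
      { 'Message-ID' => '<cancel.id2@fr.comp.os.linux.annonces>',
        'Newsgroups' => 'fr.comp.os.linux.annonces',
        'Control'    => 'cancel <id2@host.example>' } ],
);

for my $s (@samples) {
    my ($label, $hdr) = @$s;
    printf "%-22s naive=%-6s refined=%s\n", $label,
        (defined naive_match($hdr)  ? 'reject' : 'pass'),
        (defined domain_match($hdr) ? 'reject' : 'pass');
}
```

The second sample is the case the unquoted pattern gets wrong: the dots in "comp.lang.c++" match any character and "c++" acts as a quantifier, so it matches an unrelated host name.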
Re: Wanted: Perl filter routine (for cleanfeed) - newsgroup name as message-ID domain part?         


Author: D. Stussy
Date: May 26, 2008 15:59

"Julien