tons of blank subject yahoo spam RSS Back to forum
@christopher.low:
seems to be a ton of compromised yahoo accounts globally.
subject matter isn't always blank
81% Return, Every Time
Cheat the Odds: 81% return on financial market
Conspiracy: Why is your savings interest rate so low!???
(TXN#: 4VNTS5X): Your lowered interest rate
(FINAL ATTEMPT) Urgent Message Inside.. [Ref: VIP-4C2JX7B]
(3rd Notice) Re: Make $500 a Day (I'll Pay You)
"CheatingTheOdds" - Bank secrets revealed
Re: $70 EVERY 60 Seconds
Re: 1000000% New - 10000% Easy
URGENT: 2 Million a day for them and ZERO for you
You were fooled about Forex and Stock Market
You were meant to fail..But I won't let you
nonetheless. blocked all yahoo.*
we're getting these too.
for years it was just subjects like:
re:
re: (1)
re: (9)
etc...
now, in the last week, whatever script has evolved to put the comprimized yahoo account FIRSTNAME LASTNAME in the subject - not even dirived from the email address field.
that tends to suggest that yahoo lost entire databases, and some spammers are keying off fields.... that's really bad news
and, i've already blocked any email which starts and ends with just a url - but this one is different as sometimes they paste in the firstname lastname after the url, or have a few blank lines/spaces before it
anyway, i can't block based on subject anymore, the only thing in common i see is that there are ALWAYS two forwardslashes after the domain name.
but, orf can't block based on "if from yahoo and contains two slashes after the domain" - they can do one or the other...
so i think i need to do it at the exchange transport level using a transport rule, just not sure what to write for the regex in the body
my question, which is also your question, is:
"how to match the body of an email where the first visible characters are http:// [then any number of characters] followed by a / [then any number of characters] followed by a / [then any number of characters]"
the advertised domains of the first few i checked before giving up are:
http://www.ads-sas.com/pykhp/6at7z3jyjb.h7rntny85fvibk2wbt
http://mbcits.com/hzkit/ol3tahsn7z1agy4uzg8w8knw210d8c&a8lm21oxkwfqzkrn6a5kvmn
http://manchestercarloans.co.uk/bpr/d5ja59xn2e5t11fo5o17expg=dl0o8slopsajl9g
http://apingabout.com/tlgvoupi/ilwlsz4xw7brslhxgpm63.c
http://swastikoverseas.in/ri/g
http://kayseriautoverhuur.com/ccervbxo/n3r/
http://cityblessings.org/krecxxm/kio?r6byz19ntbf
http://www.pochichu.com/ckdtay/a7c4790e8s3bwhtjm4qt59s/
http://www.medicalmarketingcr.com/vxcunash/9woi45qkv76hovos05al.gc8zfvqfcxqyo59jl9kl
http://www.gastro-onko-duesseldorf.de/ukzvzhmj/jvn8v4shn2buar9prd&2kd
http://www.amtsfeuerwehr.de/ipmhc/2zc98fu6moil3hqo5zxapowc&1t4n
http://www.agroforestalpy.com/tfzis/9o0kntaa3qbkkn4b9mcc9stae28=gsnz38p2flxzdldxl6m9811d
http://turdak.com/dpupxpgy/52xpphlln5js
@Bryon:
"how to match the body of an email where the first visible characters are http:// [then any number of characters] followed by a / [then any number of characters] followed by a / [then any number of characters]"
That would be
^[\r\n\s]*http://[^\r\n]*/[^\r\n]*/[^\r\n]*
@Krisztián Fekete (Vamsoft):
That works GREAT in ORF - but since i need to match "only yahoo addresses" who match that, i have to do it one level up at the microsoft exchange transport level (which does support regex)
unfortunately, the microsoft hub transport rule during creation tells me that i'm using the "\" incorrectly - which clearly i'm not... but do you think you could adapt that to a hub transport rule version with me?
the exchange error says: there's a problem with your use of the backslash character. in a regular expression, the backslash character is used for text pattern matching. for example, "\d" matches any digit from 0 to 9. the backslash character can also be used as an escape character for a special character. for example "\" searches for the text character "\".
nice error message from MS, but your code is correct and functions in orf, why not exchange?
@Bryon:
actually, this seems to work, any reason not to use this:
^[\s]*http://.*/.*/.*
begins with any number of or zero spaces followed by http:// followed by any number of anything followed by / followed by anything followed by / followed by anything
(i think?)
@Bryon:
unfortunately, I do not know exactly which flavor MS uses. I guess it cannot interpret \r\n (new line), so try
^\s*http://.*/.*/.*$
instead. I used ^[\r\n]* which means "any character any number of repetitions, except for new line" instead of ".*" to limit the match to a single line, I am not sure if that is possible in Transport Rule regular expressions...
@Krisztián Fekete (Vamsoft):
yep, that works - i have emails that match this transport rule (including from yahoo.com) tagged and redirected first - then i will set them to reject with a custom error, where i'll inform them of their current state of insecurity, right in the NDR from the transport rule
i wonder if in the future orf will allow multiple levels of rule matching, different rules based on the from address or some other criteria
@Bryon: we do not plan to implement this (i.e., complex rulesets) in the near future, but will take it into consideration.
For those who were monitoring this thread i wanted to follow up...
for months yahoo accounts have been getting automatically hacked with no user interaction required, and by now an estimated 400 million accounts are comprimised, with their username/password/firstname/lastname on databases being passed around
http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/
so basically, it's going to be a tough fight unless we consider blocking all of yahoo's domains from sending us mail
seems this few days, I'm getting tons of yahoo spam that passes checks. I've blacklisted all of yahoo as a result. anyone notice the same thing?
first line of the spam is just a hyperlink to a site
http://www.rok-ah.de/ivxyc/gnzrxc5w71acgg1fabxl.9u8mwq?zu2tq
http://www.forestereyecare.com/quy/lkjmsenhg187w876ox79xfpuz61px.mb6mib2?49o
I'm not sure how to setup a regex that blocks the message if it starts with a hyperlink.