tons of blank subject yahoo spam

1

seems these few days, I'm getting tons of yahoo spam that passes checks. I've blacklisted all of yahoo as a result. Anyone notice the same thing?

first line of the spam is just a hyperlink to a site
http://www.rok-ah.de/ivxyc/gnzrxc5w71acgg1fabxl.9u8mwq?zu2tq
http://www.forestereyecare.com/quy/lkjmsenhg187w876ox79xfpuz61px.mb6mib2?49o

I'm not sure how to set up a regex that blocks the message if it starts with a hyperlink.

by christopher.low 6 years ago
2

@christopher.low: seems to be a ton of compromised yahoo accounts globally.
subject matter isn't always blank

81% Return, Every Time

Cheat the Odds: 81% return on financial market

Conspiracy: Why is your savings interest rate so low!???

(TXN#: 4VNTS5X): Your lowered interest rate

(FINAL ATTEMPT) Urgent Message Inside.. [Ref: VIP-4C2JX7B]

(3rd Notice) Re: Make $500 a Day (I'll Pay You)

"CheatingTheOdds" - Bank secrets revealed

Re: $70 EVERY 60 Seconds

Re: 1000000% New - 10000% Easy

URGENT: 2 Million a day for them and ZERO for you

You were fooled about Forex and Stock Market

You were meant to fail..But I won't let you

nonetheless. blocked all yahoo.*

by christopher.low 6 years ago
(in reply to this post)

3

we're getting these too.

for years it was just subjects like:
re:
re: (1)
re: (9)
etc...

now, in the last week, whatever script has evolved to put the compromised yahoo account FIRSTNAME LASTNAME in the subject - not even derived from the email address field.

that tends to suggest that yahoo lost entire databases, and some spammers are keying off fields.... that's really bad news

and, i've already blocked any email which starts and ends with just a url - but this one is different as sometimes they paste in the firstname lastname after the url, or have a few blank lines/spaces before it

anyway, i can't block based on subject anymore, the only thing in common i see is that there are ALWAYS two forward slashes after the domain name.

but, orf can't block based on "if from yahoo and contains two slashes after the domain" - they can do one or the other...

so i think i need to do it at the exchange transport level using a transport rule, just not sure what to write for the regex in the body

my question, which is also your question, is:
"how to match the body of an email where the first visible characters are http:// [then any number of characters] followed by a / [then any number of characters] followed by a / [then any number of characters]"

the advertised domains of the first few i checked before giving up are:

by Bryon 6 years ago
4

@Bryon: "how to match the body of an email where the first visible characters are http:// [then any number of characters] followed by a / [then any number of characters] followed by a / [then any number of characters]"

That would be

^[\r\n\s]*http://[^\r\n]*/[^\r\n]*/[^\r\n]*

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

5

@Krisztián Fekete (Vamsoft): That works GREAT in ORF - but since i need to match "only yahoo addresses" who match that, i have to do it one level up at the microsoft exchange transport level (which does support regex)

unfortunately, the microsoft hub transport rule during creation tells me that i'm using the "\" incorrectly - which clearly i'm not... but do you think you could adapt that to a hub transport rule version with me?

the exchange error says: there's a problem with your use of the backslash character. in a regular expression, the backslash character is used for text pattern matching. for example, "\d" matches any digit from 0 to 9. the backslash character can also be used as an escape character for a special character. for example "\" searches for the text character "\".

nice error message from MS, but your code is correct and functions in orf, why not exchange?

by Bryon 6 years ago
(in reply to this post)

6

@Bryon: actually, this seems to work, any reason not to use this:

^[\s]*http://.*/.*/.*

begins with any number of or zero spaces followed by http:// followed by any number of anything followed by / followed by anything followed by / followed by anything

(i think?)

by Bryon 6 years ago
(in reply to this post)

7

@Bryon: unfortunately, I do not know exactly which flavor MS uses. I guess it cannot interpret \r\n (new line), so try

^\s*http://.*/.*/.*$

instead. I used [^\r\n]* which means "any character any number of repetitions, except for new line" instead of ".*" to limit the match to a single line, I am not sure if that is possible in Transport Rule regular expressions...

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

8

@Krisztián Fekete (Vamsoft): yep, that works - i have emails that match this transport rule (including from yahoo.com) tagged and redirected first - then i will set them to reject with a custom error, where i'll inform them of their current state of insecurity, right in the NDR from the transport rule

i wonder if in the future orf will allow multiple levels of rule matching, different rules based on the from address or some other criteria

by Bryon 6 years ago
(in reply to this post)
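To see what the body pattern from posts 4 and 7 actually accepts and rejects, and how the "only yahoo senders" condition from posts 5 and 8 combines with it, here is an added example (not from the thread, ORF or Exchange) that runs the ORF-style pattern through Python's re engine against constructed message bodies. The thread itself notes the Exchange transport rule regex flavor is unknown, so this only demonstrates the pattern's logic, not Exchange's behaviour; sample bodies and the .test domains are constructed.

```python
import re

# Body pattern from the thread (post 4): optional leading blank lines/whitespace,
# then http://, then at least two more "/" on that same line (no newline crossing).
BODY_STARTS_WITH_URL = re.compile(r"^[\r\n\s]*http://[^\r\n]*/[^\r\n]*/[^\r\n]*")


def body_matches(body: str) -> bool:
    """True if the first visible characters of the body are a URL with two
    slashes after the host name, as described in the thread."""
    # re.match anchors at the start of the string, like the leading ^ in the rule.
    return BODY_STARTS_WITH_URL.match(body) is not None


def sender_domain(address: str) -> str:
    """Domain part of a sender address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def is_suspect(sender: str, body: str) -> bool:
    """Combined rule the thread wants: sender is a yahoo.* address AND the
    body starts with such a URL. Either condition alone is not enough."""
    from_yahoo = sender_domain(sender).startswith("yahoo.")  # yahoo.* as in post 2
    return from_yahoo and body_matches(body)


# Constructed sample bodies (not real spam); each exercises one case from the thread.
SAMPLES = {
    # URL is the only content: should match
    "url_only": "http://www.example.test/abcd/efgh1234\n",
    # blank lines before the URL and a name pasted after it: should still match
    "blank_lines_then_url_then_name": "\r\n\r\n   http://example.test/xy/zz?q\r\nJane Doe\r\n",
    # only one slash after the host: the "two slashes" condition fails
    "url_with_one_slash": "http://example.test/onlyone\n",
    # URL is not the first visible text: a normal message, must not match
    "greeting_then_url": "Hi all,\nhave a look at http://example.test/a/b\n",
    # second slash is on the next line: [^\r\n]* keeps the match to one line
    "slashes_on_next_line": "http://example.test/a\nmore/text\n",
}


def classify_samples() -> dict:
    """Run every constructed sample through the body pattern."""
    return {name: body_matches(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:32s} -> {'MATCH' if result else 'no match'}")
```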

9

@Bryon: we do not plan to implement this (i.e., complex rulesets) in the near future, but will take it into consideration.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

10

For those who were monitoring this thread i wanted to follow up...

for months yahoo accounts have been getting automatically hacked with no user interaction required, and by now an estimated 400 million accounts are compromised, with their username/password/firstname/lastname on databases being passed around

http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/

so basically, it's going to be a tough fight unless we consider blocking all of yahoo's domains from sending us mail

by Bryon 6 years ago
