New sporge attack

johngalt
Posts: 3
Joined: Thu Feb 05, 2004 7:14 pm

Post by johngalt »

Hi, I've been using NewsPro for at least two years now, and thank you every day for it. In the last few days, however, there's been a "sporging" attack on alt.binaries.ibm-pc.0-day that totally confuses NewsPro. Compare the following two headers:

Header 1 - The correct one:
Subject: abwi0: Alead_Search_Engine_Builder_Pro_v1.86-PARADOX - "pdxsear.zip" (1/4) yEnc - 1 of 1
From: "aLiEn_Ink" <pdx@this.bot.is.a.crack-head.us>
Date: Sun, 12 Sep 2004 03:15:42 +0000
Lines: 3049
Newsgroups: alt.binaries.warez.ibm-pc.0-day
X-Complaints-To: abuse@newshosting.com
Organization: Splinter Cell Inc
Followup-To: alt.binaries.warez.ibm-pc.d,alt.binaries.warez.ibm-pc.fills
Message-ID: <2d4cf739ce5b72ea5869bb9e364b8cfd42@nntp1.splinter-cell.ushq>
X-Comment: BEWARE --> http://www.warezfaq.com is an BSA site.
X-Newsposter: SharkPost v1.0 Build 20030711.1
X-No-Archive: yes
Path: spool7-east!propagator-sterling!news-in.nuthinbutnews.com!feedeast.aleron.net!newshosting.com!nx02.iad01.newshosting.com!post01.iad01.newshosting.com!not-for-mail
Xref: 127.0.0.1 alt.binaries.warez.ibm-pc.0-day:695567

Header 2:
Subject: abwi0: Alead_Search_Engine_Builder_Pro_v1.86-PARADOX - "pdxsear.zip" (1/4) yEnc - 1 of 1
From: "aLiEn_Ink" <pdx@this.bot.is.a.crack-head.us> .
Date: Sun, 12 Sep 2004 03:15:42 +0000
Lines: 3049
Newsgroups: alt.binaries.warez.ibm-pc.0-day
X-Complaints-To: abuse@usenetserver.com
Path: internal1.nntp.dca.giganews.com!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.giganews.com!atl-c02.usenetserver.com!c03.atl99!news.usenetserver.com!fe37.usenetserver.com.POSTED!53ab2750!not-for-mail
Message-ID: <2d4cf739ce5b72ea5869bb9e364b8cfd42@233.65.241.45>
X-Abuse-Info: Please be sure to forward a copy of ALL headers
X-Abuse-Info: Otherwise we will be unable to process your complaint properly.
NNTP-Posting-Date: Sat, 11 Sep 2004 23:59:17 EDT
Xref: number1.nntp.dca.giganews.com alt.binaries.warez.ibm-pc.0-day:2607246

----------------------
Notice that everything except the @xxx in the Message-ID in the fields I'm allowed to filter on in NewsPro is the same. Unfortunately, the @xxx is always different, so I can't even add a filter for that. What happens, then, is that in a 3-part attachment, I will actually have six messages. When NewsPro assembles them, it doesn't assemble them as two different 3-part messages in chronological order, but rather as a single 3-part message which uses the latest 3 parts (the bad ones) rather than the earlier 3. Now, note that this is not a supersedes. Do you have any suggestions for how I might be able to filter this? Or, if my analysis is sound, can NewsPro change its "auto-assemble" logic to account for this?

Thanks again for all your work.
johngalt
Posts: 3
Joined: Thu Feb 05, 2004 7:14 pm

Post by johngalt »

Also, I'd like to point out that if you could just enable filtering on other fields, like say (X-Complaints-To:), this would be a non-issue. Is there any reason why you only allow filtering on the non X fields?

Thanks!
alex
Posts: 4514
Joined: Thu Feb 27, 2003 5:57 pm

Post by alex »

you can filter by any field, the header kill filter is the "IS" filter, probably you forgot to add the trailing asterisk (in fact newspro compared full header line including CR LF in the end so the trailing asterisk was always needed, but starting with the version below it won't take CR LF into account so in principle you can just put the header line itself).

i added a check box in properties->articles, "additional article download kill filter heuristics", now it handles this specific attack (if there is something more let me know i'll try to handle it too, usenet is not well protected from such attacks).

so no need to change anything, just use the latest version.
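
The collision described in the first post (same Subject and same Message-ID left-hand part, different part after the @) can be detected mechanically. The Python below is an added example, not part of the thread and not NewsPro's own heuristic; it assumes all articles are seen on one server, so Xref article numbers reflect arrival order, and that the earliest copy is the genuine one, as the post reports. `parse_article`, `classify` and the `news.example` host are hypothetical names.

```python
from collections import defaultdict

# Constructed sample. Subject and Message-ID values of the first two articles
# come from the headers quoted in the post; the third article and every Xref
# value are made up so that all three sit on one (hypothetical) server.
SUBJ = 'abwi0: Alead_Search_Engine_Builder_Pro_v1.86-PARADOX - "pdxsear.zip" (1/4) yEnc - 1 of 1'
SAMPLE = f"""\
Subject: {SUBJ}
Message-ID: <2d4cf739ce5b72ea5869bb9e364b8cfd42@nntp1.splinter-cell.ushq>
Xref: news.example alt.binaries.warez.ibm-pc.0-day:1001

Subject: {SUBJ}
Message-ID: <2d4cf739ce5b72ea5869bb9e364b8cfd42@233.65.241.45>
Xref: news.example alt.binaries.warez.ibm-pc.0-day:1007

Subject: unrelated constructed post (1/1)
Message-ID: <constructed-0001@news.example>
Xref: news.example alt.binaries.warez.ibm-pc.0-day:1003
"""

def parse_article(block):
    """Turn one header block into a dict keyed by lower-cased header name."""
    hdr = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            hdr[name.strip().lower()] = value.strip()
    local, _, domain = hdr["message-id"].strip("<>").partition("@")
    hdr["id_local"], hdr["id_domain"] = local, domain
    # Xref is "host group:number ..."; take the number for the first group.
    hdr["artnum"] = int(hdr["xref"].split()[1].rsplit(":", 1)[1])
    return hdr

def classify(raw):
    """Return (keep, suspect) lists of Message-IDs for a batch of header blocks."""
    groups = defaultdict(list)
    for block in raw.strip().split("\n\n"):
        art = parse_article(block)
        groups[(art["subject"], art["id_local"])].append(art)
    keep, suspect = [], []
    for arts in groups.values():
        # Same Subject + same local part but several right-hand sides: collision.
        arts.sort(key=lambda a: a["artnum"])
        if len({a["id_domain"] for a in arts}) > 1:
            keep.append(arts[0]["message-id"])  # earliest arrival is kept
            suspect += [a["message-id"] for a in arts[1:]]
        else:
            keep += [a["message-id"] for a in arts]
    return keep, suspect
```
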