#9 Donghuan Plaza, Dong Zhong Street
address: East District, Beijing, China (100027)
country: CN
phone:+86-10-6418-5885
fax-no: +86-10-64182174
e-mail: [EMAIL PROTECTED]
nic-hdl: JM97-AP
mnt-by: MAINT-CNNIC-AP
changed: [EMAIL PROTECTED] 20020819
sour
lly out of your spam
filtering.
SA_OPTOUT_FILENAME="$HOME/.optout.spamassassin"
:0
* ? test ! -f $SA_OPTOUT_FILENAME
{
:0fw
* < 256000
| spamc
}
Bill Larson
Network Administrator
Compu-Net Enterprises
---
Simple solution
1. SpamAssassin reads in the message
2. It then stores the original message in two variables
3. In the second variable remove all punctuation, spaces, special encoded
characters, foreign language characters, html including html comments, and
other methods used for obfuscation.
4.
http://[EMAIL PROTECTED]/malicious.html
http://[EMAIL PROTECTED]/malicious.html
returns http://www.trusted_site.com/ in the browser address line. This can
be done with any website. It can also be done with an https site as well.
Any suggested rulesets for this one?
Bill Larson
Comments and suggestions on this rule are appreciated.
full LOCAL_IEREDIR /[EMAIL PROTECTED](\/|htm|html|php|shtml)?/
score LOCAL_IEREDIR 150
describe LOCAL_IEREDIR Possible phishing/URL Masking attempt detected.
Bill Larson
Network Administrator
Compu-Net Enterprises
(931) 920-0043 or (877
Abused url
http://g.msn.com/1SUenus/CT?http://www.Nicole.name-williams.com/E/4156.html
my url
http://g.msn.com/1SUenus/CT?http://www.compu.net
Rule to catch.
uri MY_URI_REDIRECT2 /http:\/\/g\.msn\.com\/1SUenus\/CT\?/i
score MY_URI_REDIRECT2 4.0
describe MY_URI_REDIRECT2 contains url o
vism&href=http://www.lacerate.com
You also have MSN joining in as a latecomer, perhaps intending to take over
the spam url masking world.
http://g.msn.com/1SUenus/CT?http://www.2026.com/F/index.html
Maybe they hope to embrace and extend this technique also.
We would appreciate a response.