> -----Original Message-----
> From: Chris Trudeau-Personal [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 19, 2003 9:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] HEX IN URI and attachments
>
>
> Hey all...I'm really interested...I was unable to find other references...so
> please feel free to flame me...but I'm really interested in determining how
> I can create a rule that applies a score against email that has a "HEX"
> based URI in the body of the message AND a meta rule including....attachment
> detail...any ideas?
>
> CT
>
> ----- Original Message -----
> From: "Chris Trudeau-Personal" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 19, 2003 7:08 AM
> Subject: [SAtalk] HEX IN URI and attachments
>
>
> > All,
> >
> > Is it safe to say that no legitimate email would try and hide a URI in the
> > body of a message by using the hex equivalent of the link?
> >
> > It seems to me that is the case.
> >
> > If so, I would like to write a rule that detects the use of this tactic.
> >
> > Also, is it possible for SA to detect attachments? If so, I don't want to
> > block based on these attachments, however, I would like to build a meta rule
> > that incorporates a message that includes a hex-URI AND has an image
> > attachment...
> >
> > These are the only guys getting through consistently right now...
> >
> >
> > CT
Do you mean things like these?:

rawbody MY_GIF_OBFU /\.((g|\%67)\%69(\%66|f)|\%67(i|\%69)(\%66|f)|(g|\%67)(i|\%69)\%66)/i
describe MY_GIF_OBFU Tries to OBFU .gif
score MY_GIF_OBFU 1.0

(This next one may be more specific as a URI rule.)

rawbody MY_PERCENT_OBFU /\%..\%..\%../i
describe MY_PERCENT_OBFU Tries to OBFU link with % signs
score MY_PERCENT_OBFU 1.55

Then I believe (I'm not sure) that you simply do a rawbody rule for:

filename=somevirus.pif

And that would tackle attachments. (I don't know because SA shouldn't be used for this kind of thing.)

Follow the link in my sig for more info, including Matt Kettler's rule writing guide.

HTH

Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
"A little nonsense now and then, is relished by the wisest men." - Willy Wonka

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
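The two checks the thread is after, a hex-style (percent-encoded) URI in the body and an image attachment, combined with an AND the way a SpamAssassin meta rule combines sub-rules, as an added Python example that is not code from the thread or from SpamAssassin itself. It mirrors the two rawbody patterns in the reply (the percent rule tightened to require hex digits), goes one step beyond them with a generalised check that flags %XX escapes decoding to RFC 3986 unreserved characters (letters, digits, `-._~`), which a legitimate encoder never produces, and reads attachment detail from the MIME part headers rather than the body text. The sample messages, the rule names other than the reply's own, and the scores are constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Rule patterns. The first two mirror the MY_PERCENT_OBFU / MY_GIF_OBFU rawbody
# rules from the reply; PERCENT_OBFU is tightened to require hex digits so that
# plain text such as "50%..60%" does not trip it.
PERCENT_OBFU = re.compile(r"%[0-9A-Fa-f]{2}%[0-9A-Fa-f]{2}%[0-9A-Fa-f]{2}")
GIF_OBFU = re.compile(
    r"\.(?:(?:g|%67)%69(?:%66|f)|%67(?:i|%69)(?:%66|f)|(?:g|%67)(?:i|%69)%66)",
    re.IGNORECASE,
)
# Generalisation of the same idea: RFC 3986 "unreserved" characters never need
# percent-encoding, so %XX escapes that decode to one of them indicate a link
# that is being disguised rather than encoded for a legitimate reason.
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

# Illustrative scores (constructed): the attachment hit alone adds nothing, as
# the questioner wanted, and only counts through the meta rule.
SCORES = {
    "PERCENT_OBFU": 1.55,
    "GIF_OBFU": 1.0,
    "ENCODED_UNRESERVED": 1.0,
    "IMAGE_ATTACH": 0.0,
    "HEX_URI_IMAGE": 2.0,  # meta: hex-style URI AND image attachment
}


def encoded_unreserved(text: str) -> int:
    """Count %XX escapes that decode to an unreserved character."""
    return sum(1 for m in PCT_ESCAPE.finditer(text)
               if chr(int(m.group(1), 16)) in UNRESERVED)


def body_text(msg: EmailMessage) -> str:
    """Concatenate the decoded text parts, HTML tags intact, like SA's rawbody."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text"
                     and not part.is_attachment())


def has_image_attachment(msg: EmailMessage) -> bool:
    """Attachment detail lives in the MIME part headers, not in the body text."""
    return any(part.get_content_maintype() == "image"
               and (part.is_attachment() or part.get_filename())
               for part in msg.walk())


def evaluate(raw: bytes):
    """Return (sorted rule hits, total score) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    hits = set()
    if PERCENT_OBFU.search(text):
        hits.add("PERCENT_OBFU")
    if GIF_OBFU.search(text):
        hits.add("GIF_OBFU")
    if encoded_unreserved(text) >= 3:
        hits.add("ENCODED_UNRESERVED")
    if has_image_attachment(msg):
        hits.add("IMAGE_ATTACH")
    # The meta rule: fires only when both sub-rules fired, as an SA
    # "meta NAME (A && B)" rule does.
    if {"PERCENT_OBFU", "IMAGE_ATTACH"} <= hits:
        hits.add("HEX_URI_IMAGE")
    return sorted(hits), sum(SCORES[r] for r in hits)


def build_sample(link: str, attach_gif: bool) -> bytes:
    """Constructed test message (not a real spam sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the link in the HTML version.")
    msg.add_alternative(f'<html><body><a href="{link}">click</a></body></html>',
                        subtype="html")
    if attach_gif:
        # A minimal GIF header is enough for the MIME structure to be realistic.
        msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                           subtype="gif", filename="promo.gif")
    return msg.as_bytes()


# "promo.gif" with every letter percent-encoded; and a link whose escapes are legitimate.
HEX_LINK = "http://example.invalid/%70%72%6f%6d%6f.%67%69%66"
LEGIT_LINK = "https://example.invalid/search?q=a%20b&pct=100%25"

if __name__ == "__main__":
    for label, raw in [("obfuscated+gif", build_sample(HEX_LINK, True)),
                       ("legitimate", build_sample(LEGIT_LINK, False))]:
        print(label, evaluate(raw))
```

In SpamAssassin itself the AND is a meta rule, `meta HEX_URI_IMAGE (MY_PERCENT_OBFU && HAS_IMAGE_ATT)`, where HAS_IMAGE_ATT is an assumed name for whichever attachment test is used. The design point the example makes is that a rawbody pattern is matched against the text parts, so a `filename=` parameter, which sits in a part's MIME headers, is better tested by a rule type that sees those headers (a `full` rule sees the whole raw message) than by a body pattern.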