I can't thank Bob enough for pointing me to the other spam list regarding
blocks and legal info.  Info can be found here:
 http://www.claws-and-paws.com/spam-l/ 
Read the FAQ before posting!

Anywho, I'm reading the archives so I don't look foolish asking questions,
and I see this latest post:

"
Date:         Wed, 22 Oct 2003 04:16:11 -0400
Sender:       Spam Prevention Discussion List <[EMAIL PROTECTED]>
From:         somedude
Subject:      block, spam: paypal phishers
Content-Type: TEXT/PLAIN; charset=US-ASCII
I just got a paypal phish from optonline netspace.

Worryingly, the phishers are giving phish URLs with paypal description
fields. I wonder how many people are suckered in - or have outhouse go
and open it for them automagically.

href="http://203.232.101.125:3344/cgi-bin/verify.htm?transfer_access=0&_refu
nd_access=0&_itemid=default&_max_let=default&_make_type=5i488kgvamp&uachoice
=1amp&lagoonemore=0&ampraccept=0&order=0&pp_accept=0&verify_acc=yes&login=ye
s">https://www.paypal.com/cgi-bin/webscr?cmd=_verify-run</a>

I assume 203.232.101.125 is yet another trojaned box.
"

And that got me thinking. I know SA has a rule for weird ports, but this is
different. The important part is this:
http://203.232.101.125:3344

This smells of a trojaned box for spamming. I'm thinking of writing a rule
that looks for http links with IP addresses and a port number. I'm thinking
the FP rate would be low. 

It is tough to remember everything SA looks for. Does 2.60 have something
like this? Comments?

rawbody MY_TROJANED_HOST /http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\//
describe MY_TROJANED_HOST Possible Trojaned box used for spam hosting
score MY_TROJANED_HOST 0.01 # For testing

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 
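
A coverage check for the pattern in the MY_TROJANED_HOST rule above, added here as an example (Python, not part of the original post and not SpamAssassin code). It runs the posted regex and a hypothetical wider variant over constructed sample lines; only the first host and port come from the post, and the WIDER pattern, the COMMON_PORTS set and the function names are assumptions made for illustration.

```python
import re

# Pattern from the MY_TROJANED_HOST rule in the post (regex delimiters removed).
POSTED = re.compile(r"http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\/")

# Hypothetical wider variant (an assumption, not from the post): http or https,
# ports of up to five digits, and no trailing slash required after the port.
WIDER = re.compile(
    r"https?://(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})(?!\d)",
    re.IGNORECASE,
)

# Assumption: an explicitly written default port is not treated as unusual.
COMMON_PORTS = {80, 443}


def wider_hits(line):
    """Return (ip, port) pairs for valid dotted-quad URLs on unusual ports."""
    hits = []
    for m in WIDER.finditer(line):
        octets = [int(g) for g in m.groups()[:4]]
        port = int(m.group(5))
        valid = all(o <= 255 for o in octets) and 0 < port <= 65535
        if valid and port not in COMMON_PORTS:
            hits.append((".".join(map(str, octets)), port))
    return hits


# Constructed sample body lines (documentation address ranges except line 1).
SAMPLES = [
    'href="http://203.232.101.125:3344/cgi-bin/verify.htm?login=yes">',
    'href="http://192.0.2.10:31337/login">',     # five-digit port
    'see http://192.0.2.10:8080 for details',    # no trailing slash
    'href="https://198.51.100.7:8443/verify">',  # https scheme
    'href="http://192.0.2.10:80/index.html">',   # explicit default port
    'href="http://www.example.com:8080/app/">',  # hostname, not an IP
]


def compare(lines):
    """Return (posted_rule_matched, wider_hits) for each line."""
    return [(bool(POSTED.search(line)), wider_hits(line)) for line in lines]


if __name__ == "__main__":
    for line, (posted, wider) in zip(SAMPLES, compare(SAMPLES)):
        print(f"posted={posted!s:5} wider={wider} :: {line}")
```

The posted pattern fires on the phish URL from the quoted message and on the explicit :80 link, and stays silent on the five-digit port, the URL without a trailing slash and the https link.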


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk