Hi Chris,

I have been using the following uri test for about 3 weeks without issue:

describe MY_URI_TCP_PORT    MY: Non-standard TCP port in URL
uri      MY_URI_TCP_PORT    /:\d{2,4}\D/
score    MY_URI_TCP_PORT    2.0

It will boost the score on top of what SA already catches but will also
catch what you are talking about here.

--Larry



> -----Original Message-----
> From: Chris Santerre [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, October 22, 2003 10:18 AM
> To: Spamassassin-Talk (E-mail)
> Subject: [SAtalk] [RD] Trojaned machines
> 
> 
> I can't thank Bob enough for pointing me to the other spam 
> list regarding blocks and legal info.  Info can be found 
> here:  http://www.claws-and-paws.com/spam-l/ 
> Read the FAQ before posting!
> 
> Anywho, I'm reading the archives so I don't look foolish 
> asking questions, and I see this latest post:
> 
> "
> Date:         Wed, 22 Oct 2003 04:16:11 -0400
> Sender:       Spam Prevention Discussion List 
> <[EMAIL PROTECTED]>
> From:         somedude
> Subject:      block, spam: paypal phishers
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> I just got a paypal phish from optonline netspace.
> 
> Worryingly, the phishers are giving phish URLs with paypal 
> descrption fields. I wonder how many people are suckered in - 
> or have outhouse go and open it for them automagically.
> 
> href="http://203.232.101.125:3344/cgi-bin/verify.htm?transfer_access=0&_refund_access=0&_itemid=default&_max_let=default&_make_type=5i488kgvamp&uachoice=1amp&lagoonemore=0&ampraccept=0&order=0&pp_accept=0&verify_acc=yes&login=yes">https://www.paypal.com/cgi-bin/webscr?cmd=_verify-run</a>
> 
> I assume 203.232.101.125 is yet another trojaned box.
> "
> 
> And that got me thinking. I know SA has a rule for weird 
> ports, but this is different. The important part is this: 
> http://203.232.101.125:3344
> 
> This smells of a trojaned box for spamming. I'm thinking of writing a rule
> that looks for http links with IP addresses and a port number. I'm thinking
> the FP rate would be low.
> 
> It is tough to remember everything SA looks for. Does 2.60 have something
> like this? Comments?
> 
> rawbody  MY_TROJANED_HOST /http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{2,4}\//
> describe MY_TROJANED_HOST Possible Trojaned box used for spam hosting
> score    MY_TROJANED_HOST 0.01 # For testing
> 
> Chris Santerre 
> System Admin and SA Custom Rules Emporium keeper 
> http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
> "A little nonsense now and then, is relished by the wisest men." - Willy Wonka 
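An added example (not posted by Larry or Chris, and not part of the thread) that runs both regexes from the messages above over a handful of constructed URIs so the hit, miss and false-positive cases can be seen side by side. It assumes SpamAssassin hands a `uri` rule each extracted URI as written and a `rawbody` rule the raw body text; the sample URIs are made up for the test (only the first is taken from the phish quoted above, trimmed to host, port and path), and the tighter `IP_NONSTD_PORT` pattern is a suggestion of my own, not a rule from the list.

```python
"""Exercise the two SpamAssassin regexes discussed in the thread (example, not list code)."""
import re

# SpamAssassin compiles rule bodies as Perl regexes; for these patterns
# Python's re module yields the same matches.

# Larry's posted rule:  uri MY_URI_TCP_PORT /:\d{2,4}\D/
URI_TCP_PORT = re.compile(r":\d{2,4}\D")

# Chris's draft rule:   rawbody MY_TROJANED_HOST /http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\//
TROJANED_HOST = re.compile(r"http://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{2,4}/")

# Suggested tighter variant (assumption, not from the thread): IP literal only,
# any port except 80 and 443, and no trailing slash required.
IP_NONSTD_PORT = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}:(?!(?:80|443)(?![0-9]))\d{1,5}(?![0-9])"
)

# Constructed sample URIs (not real mail). The first is the phish URL from the
# quoted post, trimmed to host, port and path.
SAMPLE_URIS = [
    "http://203.232.101.125:3344/cgi-bin/verify.htm",          # what both rules target
    "http://203.232.101.125:3344",                             # same host, no trailing slash
    "http://www.example.com:8080/login",                       # odd port on a hostname
    "http://www.example.com/schedule?at=12:30&tz=utc",         # a time, not a port
    "http://192.0.2.10:80/",                                   # IP literal, explicit default port
    "https://www.paypal.com/cgi-bin/webscr?cmd=_verify-run",   # the legitimate-looking link text
]


def uri_rule_hits(uris):
    """URIs on which MY_URI_TCP_PORT would fire (SA runs 'uri' rules per extracted URI)."""
    return [u for u in uris if URI_TCP_PORT.search(u)]


def rawbody_rule_hits(body):
    """Substrings of a raw body on which MY_TROJANED_HOST would fire."""
    return TROJANED_HOST.findall(body)


def strict_hits(uris):
    """URIs on which the suggested IP_NONSTD_PORT variant would fire."""
    return [u for u in uris if IP_NONSTD_PORT.search(u)]


def compare(uris):
    """Per-URI verdicts as (uri, larry_hit, chris_hit, strict_hit)."""
    return [
        (
            u,
            bool(URI_TCP_PORT.search(u)),
            bool(TROJANED_HOST.search(u)),
            bool(IP_NONSTD_PORT.search(u)),
        )
        for u in uris
    ]


if __name__ == "__main__":
    # Columns: L = Larry's uri rule, C = Chris's rawbody rule, S = strict variant
    for uri, larry, chris, strict in compare(SAMPLE_URIS):
        flags = ("L" if larry else "-") + ("C" if chris else "-") + ("S" if strict else "-")
        print(f"{flags}  {uri}")
```

Running it shows the trade-offs the thread is circling: Larry's `:\d{2,4}\D` catches the hostname-with-port case and the phish URL but also fires on a `12:30&` query value, Chris's rule needs the trailing slash (so `http://203.232.101.125:3344` with no path slips past both) and happily fires on an IP literal with an explicit `:80/`, and neither looks at the `https://www.paypal.com/...` link text, which is the bait rather than the destination.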



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk