> -----Original Message-----
> From: Keith C. Ivey [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 8:14 PM
> To: [EMAIL PROTECTED]
> Cc: Chris Santerre
> Subject: Re: [SAtalk] [RD] Trojaned machines
>
> >
> > This smells of a trojaned box for spamming. I'm thinking of
> > writing a rule that looks for http links with IP addresses and a
> > port number. I'm thinking the FP rate would be low.
> >
> > It is tough to remember everything SA looks for. Does 2.60 have
> > something like this? Comments?
>
> Look at the NORMAL_HTTP_TO_IP and WEIRD_PORT tests in
> 20_uri_test.cf.
>
> --
> Keith C. Ivey <[EMAIL PROTECTED]>
> Washington, DC
>
Ah!! Thanks! I'm going to spend some time reading all the rules in 2.60 now.
Save myself some headaches. That file raised a few regex questions:
Why are some URI rules written normally like this:
uri name /regex/
and others:
uri name m{regex}
uri name [EMAIL PROTECTED]@
What is up with the m's?
-Chris (back to regex 101) Santerre
-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community? Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
