On 26 Jan 2019, at 23:43, Mark London wrote:
Does anyone have any rules that can catch this type of obfuscated
spam?
https://pastebin.com/qi8dsREW
Thanks. - Mark
I've been playing with a suite of rules around a concept that hits this
example for a while, but haven't gotten around to doing a solid analysis
of how well the latest rev is working. Caveat Emptor: This rule suite is
worth at most what you've paid for it!
rawbody __SCC_HTML_LOCKTITLE /<title>[^<]*(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)[^<]*<\/title>/
describe __SCC_HTML_LOCKTITLE An Important Title.

rawbody __SCC_HTML_LOCKBODY /<body>.*(ID|account|service)\s*(is|has been|was)\s*(locked|disabled|suspended)/ms
describe __SCC_HTML_LOCKBODY An Important Message

meta T_SCC_WARN_TITLE_ONLY __SCC_HTML_LOCKTITLE && !__SCC_HTML_LOCKBODY
describe T_SCC_WARN_TITLE_ONLY HTML Title warning not in body

meta T_SCC_WARN_BODY_ONLY !__SCC_HTML_LOCKTITLE && __SCC_HTML_LOCKBODY
describe T_SCC_WARN_BODY_ONLY Body warning not in HTML Title
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
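The idea behind the rule suite above is that an obfuscated phish often keeps a clean "your account has been locked" phrase in the HTML title (which renders in a subject-like spot in some clients) while the visible body text is chopped up with hidden spans so plain string matching never lines up on it; the two meta rules flag a mismatch in either direction. The script below is an added example, not Bill Cole's code or anything from the SpamAssassin project: it transcribes the four rules into Python regexes (Perl's /ms becomes re.S | re.M) and runs them over constructed HTML samples to show which meta rule fires on each. The samples are made up for the example and are not the message from the pastebin; the fourth one shows a caveat a practitioner would want to know about, namely that the rules as posted are case-sensitive, so a Title Case body ("Your Account Has Been Locked") is missed by the body rule and the mail is reported as TITLE_ONLY.

```python
import re

# Transcription of the two sub-rules from the post. Perl's /ms maps to
# re.S | re.M; the title rule carries no flags. Neither is case-insensitive.
LOCKTITLE = re.compile(
    r"<title>[^<]*(ID|account|service)\s*(is|has been|was)\s*"
    r"(locked|disabled|suspended)[^<]*</title>"
)
LOCKBODY = re.compile(
    r"<body>.*(ID|account|service)\s*(is|has been|was)\s*"
    r"(locked|disabled|suspended)",
    re.S | re.M,
)


def evaluate(rawbody):
    """Return which sub-rules and meta rules hit on a raw HTML body."""
    title = LOCKTITLE.search(rawbody) is not None
    body = LOCKBODY.search(rawbody) is not None
    return {
        "__SCC_HTML_LOCKTITLE": title,
        "__SCC_HTML_LOCKBODY": body,
        "T_SCC_WARN_TITLE_ONLY": title and not body,
        "T_SCC_WARN_BODY_ONLY": body and not title,
    }


def fired(rawbody):
    """Sorted names of the scoring (non-underscore) rules that hit."""
    return sorted(k for k, v in evaluate(rawbody).items()
                  if v and not k.startswith("__"))


# Constructed samples for this example; none is the pastebin message.
# 1. Phish: clean <title>, body text split by hidden spans so the plain
#    phrase never appears contiguously in the raw HTML.
PHISH_SPLIT_BODY = """<html><head><title>Your account has been locked</title></head>
<body><p>Your acc<span style="display:none">zq</span>ount
has been lo<span style="display:none">zq</span>cked. Sign in to restore it.</p>
</body></html>"""

# 2. Legitimate notice: same phrase in title and body, so neither meta fires.
LEGIT_NOTICE = """<html><head><title>Your account has been locked</title></head>
<body><p>Your account has been locked after too many failed logins.</p>
</body></html>"""

# 3. Body-only: generic title, the warning appears only in the text.
BODY_ONLY = """<html><head><title>Notification</title></head>
<body><p>Important: your service was suspended. Call us to reactivate.</p>
</body></html>"""

# 4. Case caveat: Title Case in the body slips past the case-sensitive body
#    rule, so this otherwise consistent mail is reported as TITLE_ONLY.
TITLE_CASE_BODY = """<html><head><title>Your account has been locked</title></head>
<body><p>Your Account Has Been Locked. Please contact support.</p>
</body></html>"""

if __name__ == "__main__":
    for name, sample in [("PHISH_SPLIT_BODY", PHISH_SPLIT_BODY),
                         ("LEGIT_NOTICE", LEGIT_NOTICE),
                         ("BODY_ONLY", BODY_ONLY),
                         ("TITLE_CASE_BODY", TITLE_CASE_BODY)]:
        print(name, fired(sample) or ["(none)"])
```

Two further things the transcription makes visible: the body rule only anchors on a bare `<body>` tag, so a `<body class="...">` or `<body style="...">` never matches it and every such mail with a matching title scores as TITLE_ONLY; and SpamAssassin's rawbody rules see the decoded but un-rendered HTML, which is exactly why the hidden-span trick defeats the body rule while the title survives intact.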