On Mon, Oct 10, 2005 at 04:21:50PM +0200, Maurice Lucas wrote:
> Matthew Newton wrote:
> >On the assumption that "normal" URLs don't use the construct /? in
> >them, and especially at geocities (are CGI scripts even allowed
> >there?) how about the following?
> >
> >full UOLCC_UKGEO
> >/http:\/\/uk.geocities.com\/[A-Z]?[a-z]{2,20}_[A-Z]?[a-z]{2,20}(?:_[A-Z]?[a-z]{2,20})?\d{0,4}\/\?[\w=\.]{3}/
> >describe UOLCC_UKGEO UK Geocities exploitation
> >score UOLCC_UKGEO 4.0
>
> I saw somebody else use
> uri UK_GEOCITIES m'^http://uk\.geocities\.com\b'i
> describe UK_GEOCITIES Body contains spammed domain
> score UK_GEOCITIES 3.0

This only checks the domain name, so I guess it may have fairly high
FPs (depends on how often people send legit e-mail with those domains
in, I suppose).

I wrote my rule specifically to check for the domain name and the use
of "/?", which (I believe) should not occur in normal usage. Someone
on list will probably prove me wrong, though... ;-)

Thanks

Matthew

-- 
Matthew Newton <[EMAIL PROTECTED]>

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
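
The two rules quoted in this message, compared side by side as an added example that is not part of the original thread. It assumes Python's `re` treats both patterns the same way SpamAssassin's Perl regex engine does, applies each pattern to a single URL string, and uses constructed sample URLs.

```python
import re

# Pattern from the UOLCC_UKGEO rule, copied as posted in the message
# (the dots in the host name are unescaped there, so they match any character).
NARROW = re.compile(
    r"http:\/\/uk.geocities.com\/[A-Z]?[a-z]{2,20}_[A-Z]?[a-z]{2,20}"
    r"(?:_[A-Z]?[a-z]{2,20})?\d{0,4}\/\?[\w=\.]{3}"
)

# Pattern from the UK_GEOCITIES uri rule; the trailing 'i' is IGNORECASE.
BROAD = re.compile(r"^http://uk\.geocities\.com\b", re.IGNORECASE)

# Constructed sample URLs (not taken from real mail).
SAMPLES = {
    "plain_page": "http://uk.geocities.com/some_user/index.html",
    "site_root": "http://uk.geocities.com/",
    "query_after_dir": "http://uk.geocities.com/john_smith42/?abc=1",
    "three_part_name": "http://uk.geocities.com/Anna_maria_lopez/?x=y",
    "no_underscore": "http://uk.geocities.com/johnsmith/?abc",
    "other_host": "http://www.example.com/john_smith/?abc",
}


def classify(url):
    """Return which of the two rules would fire on this URL."""
    return {
        "UK_GEOCITIES": bool(BROAD.search(url)),
        "UOLCC_UKGEO": bool(NARROW.search(url)),
    }


def only_broad(samples):
    """Names of samples hit by the domain-only rule but not by the '/?' rule."""
    return sorted(
        name for name, url in samples.items()
        if classify(url) == {"UK_GEOCITIES": True, "UOLCC_UKGEO": False}
    )


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:16} {classify(url)}")
    print("domain-only hits:", only_broad(SAMPLES))
```

The `no_underscore` sample shows that the narrower pattern also depends on the `name_name` directory form, not only on "/?".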