On Thu, 2008-12-04 at 13:48 +1300, Lists wrote:
> Karsten Bräckelmann wrote:

> > What type of *spam* are you referring to that you want to kill by
> > throwing anti-virus signatures at them? Are all of them phishing or
> > scam?
> >
> > Hey, you said spam. We might be back on-topic, however gray! ;)
> 
> Yeah have been getting lots of variations of: 
> http://www.pastebin.ca/1275436
> Quite a lot are getting caught but in saying that a lot are still getting 
> through.

That one example smells like pure spam to me. Not phish, definitely not
a scam (though I didn't investigate much).

Funnily enough, the Sanesecurity.Spam.9216 found in the *scam* sigs [1]
does match. However, it translates to the RE
  m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~

This topic has been beaten to death recently...


> Sorry for the 'idiot' questions, it's just that I am a very windows based 
> person who is now looking after a linux system and I struggle at times 
> to get my head around some of the concepts.

No problem, as long as we're staying on-topic. ;)  Anyway, something
most new-ish users tend to get wrong is asking the right questions. Why
didn't you just ask how to catch these, providing an example, in the first
place, rather than asking something strange you *guessed* might help...

If you want to get your ClamAV on steroids -- sure, go ahead. If you want
to catch that spam, a trivial SA rule will do.


Back to that spam. I assume they are all quite similar in design, text,
and the spaces.live.com URI?

You can *easily* get the result of that SaneSecurity scam sig in SA.

uri      SANESEC_9216  m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
score    SANESEC_9216  5.0
describe SANESEC_9216  SaneSecurity.Spam.9216

There you go. Including a kill-level score for that rule, just like the
ClamAV third-party sig would have resulted in. Note though that I don't
advise using that high a score. (Didn't --lint check the rule either,
mind you. ;)


Darly posted a very similar rule to this a while ago, triggering on the
strange cid- prefix in the live spaces URI. You can use that just as
well.


> Nope didn't mean to send it to you before sorry.

I asked, because I would have forwarded (parts) to the list anyway. :)


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
