On 13-Jun-2009, at 19:56, MySQL Student wrote:
Received: from [78.97.185.89] (unknown [78.97.185.89])
Message-ID: <krszdjkabfqdkcf.iodbkvqhqtyymyw83588989...@[78.97.185.89]>
Do they all have message ID's that include the IP?
Yeah, great, it looks like they all do. Would something like this
work?
header MYMSGIP Message-ID =~ /78\.97\.185\.89/
Are they all including that exact IP? If not, you can look for IPs in
the message ID generally
header MYMSGIP Message-ID =~ /\b(?:\d{1,3}\.){3}\d{1,3}\b.?.?$/
(That's assuming PCRE is OK, I can never remember)
or, a more exact, but much longer regex:
\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b.?.?$
score MYMSGIP 0.3
describe MYMSGIP Message-ID from botnet
I ran this over a large spool of messages:
find new -type f -exec egrep -li "^Message-ID.*\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b.?.?$" {} \;
(note the .?.?$ at the end to make sure I am hitting the end of the
line and not some random number sequence IN the ID)
and found it hit more mailinglist ham than spam, so I'd tread carefully.
--
Support bacteria - they're the only culture some people have.
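The two regexes discussed in this thread, run over a handful of Message-ID values so the difference between the loose dotted-quad pattern and the exact 0-255-per-octet pattern is visible, together with a small stand-in for the egrep pass over a spool. This is an added example, not code from any poster on the list; it uses Python's re module rather than SpamAssassin's Perl engine (both patterns use only syntax the two share), the Message-ID from the quoted message is the only real value, and every other sample ID, raw message and the SPOOL dictionary are constructed for the example.

```python
import re
import email

# Loose form from the thread: any dotted quad that ends within two
# characters of the end of the header value.
LOOSE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b.?.?$")

# Exact form from the thread, joined onto one line: every octet 0-255.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
EXACT_IP = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b.?.?$")

RULE_SCORE = 0.3  # the score the thread proposes for MYMSGIP

# Sample Message-ID values: "bot" is the one quoted in the thread,
# the rest are constructed for this example.
SAMPLE_MESSAGE_IDS = {
    "bot": "<krszdjkabfqdkcf.iodbkvqhqtyymyw83588989...@[78.97.185.89]>",
    # constructed ham: a list MTA that writes its own address literal
    "list_ham": "<20090613120000.ABCD1234@[192.0.2.25]>",
    # constructed: ordinary hostname-based ID, no address at all
    "plain": "<4A33F2E1.5040501@mail.example.com>",
    # constructed: dotted digits in the middle, not at the end of the line
    "mid_digits": "<1.2.3.4.56789@mail.example.com>",
    # constructed: looks like a dotted quad but is not a valid IPv4 address
    "bad_octet": "<x999.1.2.3@[999.1.2.3]>",
}


def message_id_matches(value, pattern=EXACT_IP):
    """True if this Message-ID value would fire the header rule."""
    return pattern.search(value) is not None


def classify(ids, pattern=EXACT_IP):
    """Run one pattern over a dict of {name: Message-ID}; return {name: hit}."""
    return {name: message_id_matches(v, pattern) for name, v in ids.items()}


def message_id_of(raw):
    """Pull the Message-ID header out of a raw RFC 822 message, like the egrep pass."""
    return email.message_from_string(raw).get("Message-ID", "") or ""


def score_spool(spool, pattern=EXACT_IP, score=RULE_SCORE):
    """Apply the rule to each raw message; return {name: score added}."""
    return {
        name: (score if message_id_matches(message_id_of(raw), pattern) else 0.0)
        for name, raw in spool.items()
    }


def _raw(msgid):
    # Build a minimal constructed message around a Message-ID value.
    return "From: sender@example.net\nMessage-ID: " + msgid + "\nSubject: test\n\nbody\n"


# Constructed spool: one bot message, one list ham, one plain message.
SPOOL = {
    "bot": _raw(SAMPLE_MESSAGE_IDS["bot"]),
    "list_ham": _raw(SAMPLE_MESSAGE_IDS["list_ham"]),
    "plain": _raw(SAMPLE_MESSAGE_IDS["plain"]),
}


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_IP), ("exact", EXACT_IP)):
        print(label, classify(SAMPLE_MESSAGE_IDS, pat))
    print("spool scores", score_spool(SPOOL))
```

Running it shows the point the reply makes: both patterns fire on the bot ID and on the constructed list ham alike (the address literal is a legitimate MTA habit, so the rule cannot tell them apart on its own, hence the low score); the `.?.?$` tail keeps `mid_digits` from firing; and only the exact form rejects the 999 octet, which is the extra precision the longer regex buys.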