On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote:
> Hi all,
> 
> I've seen this pattern in spam quite a bit lately:
> 
> href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
> 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
> 
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?

uri URI_HEX_DOTTED      /(?:[[:xdigit:]]{2}\.){10}/

That would look for 10 two-digit hex numbers separated by periods in a
URL.  Figure if you have at least 10 of them, it's probably a match...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
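
An added example, not part of the original thread: a Python check of the rule's pattern against constructed URIs, which also decodes the hex run to show what the link hides. The sample URIs, the HEX_RUN pattern and the helper names are assumptions made for this illustration.

```python
import re

# The rule's regex in Python syntax: Python's re module has no
# [[:xdigit:]] class, so the hex digits are spelled out.
URI_HEX_DOTTED = re.compile(r"(?:[0-9A-Fa-f]{2}\.){10}")
# Hypothetical helper pattern: the whole run, plus a final pair with no dot.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}\.){10,}(?:[0-9A-Fa-f]{2})?")

def hex_dotted(text):
    """Encode text as dot-separated hex bytes, as in the quoted link."""
    return ".".join(f"{b:02x}" for b in text.encode("ascii"))

def rule_hits(uri):
    """True if the URI would trigger the 10-pair rule."""
    return URI_HEX_DOTTED.search(uri) is not None

def decode_run(uri):
    """Return the text hidden in the hex run, or None if there is none."""
    m = HEX_RUN.search(uri)
    if m is None:
        return None
    pairs = [p for p in m.group(0).split(".") if p]
    return bytes(int(p, 16) for p in pairs).decode("latin-1")

# Constructed sample URIs (not taken from real mail).
SAMPLES = {
    "obfuscated": "http://example.com/a/html/?"
                  + hex_dotted("id=42&page=offer.html") + "3az8fO",
    "ipv4": "http://192.168.10.20/index.html",
    "version": "https://example.org/dl/lib-1.2.3.4.5.6.7.8.9.10.tar.gz",
    "timestamp": "https://example.net/log/20.09.09.10.18.28.00.01.02.03.txt",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:10} hit={rule_hits(uri)!s:5} decoded={decode_run(uri)!r}")
```

The timestamp-shaped path is a constructed case of a non-obfuscated URL that the pattern also matches, so the rule is worth running against a ham corpus before it is given a high score.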
