On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote:
> Hi all,
>
> I've seen this pattern in spam quite a bit lately:
>
> href="http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69
> .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.
> 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO"
>
> Would it be reasonable to create a rule that looks for this two-char
> then dot pattern, or is it reasonable that it might appear in a
> legitimate email too frequently? If possible, how would you create a
> rule to capture this?
uri URI_HEX_DOTTED /(?:[[:xdigit:]]{2}\.){10}/

That would look for 10 two-digit hex numbers separated by periods in a URL. Figure if you have at least 10 of them, it's probably a match...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
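An added check, not from the thread, that applies the proposed rule in Python (Perl's `[[:xdigit:]]` is spelled out because Python's `re` has no POSIX classes) and reports the longest run of dotted hex pairs per URI, so the threshold of 10 can be judged against the quoted spam URL and against constructed URLs that contain dotted two-character groups legitimately. The URI extractor and sample body are my own and are only illustrative.

```python
import re

# The SpamAssassin rule from the thread uses Perl's POSIX class [[:xdigit:]];
# Python's re module lacks POSIX classes, so the class is written out.
HEX_PAIR = r"[0-9a-fA-F]{2}\."
URI_HEX_DOTTED = re.compile(r"(?:%s){10}" % HEX_PAIR)
HEX_RUN = re.compile(r"(?:%s)+" % HEX_PAIR)

# Rough URI extractor (assumption, not SpamAssassin's own): href="..."
# attributes and bare http(s) URLs in a message body.
URI_RE = re.compile(r'href="([^"]+)"|(https?://[^\s"<>]+)', re.IGNORECASE)


def extract_uris(body: str) -> list[str]:
    """Return every URI found in a message body, in order of appearance."""
    return [a or b for a, b in URI_RE.findall(body)]


def hits_hex_dotted(uri: str) -> bool:
    """True when the URI contains at least 10 consecutive dotted hex pairs."""
    return URI_HEX_DOTTED.search(uri) is not None


def longest_hex_run(uri: str) -> int:
    """Length, in dotted hex pairs, of the longest such run (0 if none)."""
    return max((len(r) // 3 for r in HEX_RUN.findall(uri)), default=0)


def scan(body: str) -> list[str]:
    """URIs in the body that would trigger URI_HEX_DOTTED."""
    return [u for u in extract_uris(body) if hits_hex_dotted(u)]


# Constructed sample: the URL quoted in the thread, rejoined across the
# line breaks of the quote, next to URLs with legitimate dotted groups
# (an IPv4 address and a version number) that must not fire the rule.
SPAM_URI = ("http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63"
            ".77.63.65.6e.74.69.6e.6e.69.61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e"
            ".30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66.62.2e.6a"
            ".61.7a.65.72.74.2e.68.74.6d.6c3az8fO")
SAMPLE_BODY = (
    'Click <a href="%s">here</a> or see http://10.20.30.40/index.html '
    "and https://example.com/dl/pkg-1.2.3.tar.gz for details." % SPAM_URI
)

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_BODY):
        print(longest_hex_run(uri), hits_hex_dotted(uri), uri)
```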