"replace this with that" strings

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Fri Feb 16 20:15:45 CET 2007


Jay Chandler wrote:
>
> I use this from the SARE list:
>
> spacecowboy# cat 75_bad_domain.cf
> # 2007-01-24 new rules (adapted from Henrik Krohns
> # <hege at stream.hege.li> on SA list)
> # http:// [user [:password] @]
> # <legal uri characters> + <1 illegal char> + <legal chars>
> # + (<end of uri> or / or ? or :<port>)
> uri             local_OBFUDOM /https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?[a-z0-9._\-]{1,30}[^a-z0-9._\-\/:'\[][a-z0-9._\-\@]{1,30}(?:$|\/|\?|:[0-9])/i
>
> describe        local_OBFUDOM           Domain contains illegal characters
> score   local_OBFUDOM           1.1
>
> body            __obfdomreq1 /\b(?:remove|replace|substitute)\b/i
> body            __obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
> body            __obfdomreq3            /\bImportant!/i
> meta            __obfudomreq            (__obfdomreq1 + __obfdomreq2 + __obfdomreq3) > 1
> meta            local_OBFDOMREQ         (local_OBFUDOM && __obfudomreq)
> describe        local_OBFDOMREQ         Request to modify obfuscated domain
> score   local_OBFDOMREQ         3.1
>
> body     ACKME_OBFURL1a m/\bhttp:\/\/[a-z0-9\-.]+[!*%&, -]+\.?com\b/
> describe ACKME_OBFURL1a URL that contains dodgy char
> score    ACKME_OBFURL1a 2.0
>
> body     ACKME_OBFURL1b m/Remove "[!*%&, -]+" to make the link working!/i
> describe ACKME_OBFURL1b make spam link work
> score    ACKME_OBFURL1b 2.0
>
> #body     ACKME_OBFURL1c m/(\( )*Important( )*(!|,)* Remove "[!*%&, -]+"( \))*/i
> #describe ACKME_OBFURL1c make spam link work
> #score    ACKME_OBFURL1c 2.0
>
> body     ACKME_OBFURL1d m/Important(,|:)* Replace "[!*%&, -]+" with "."/i
> describe ACKME_OBFURL1d make spam link work
> score    ACKME_OBFURL1d 2.0
>
> meta     ACKME_OBFURL1  (ACKME_OBFURL1a + ACKME_OBFURL1b + ACKME_OBFURL1c + ACKME_OBFURL1d > 1)
> describe ACKME_OBFURL1  obfuscated URLs and a make spam link work message
> score    ACKME_OBFURL1  6.0
>
>
>
Are you sure it's from SARE?  I can't find it anywhere...

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
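
Added example, not part of the original post and not SARE or SpamAssassin code: the quoted local_OBFUDOM and __obfdomreq* regexes applied to constructed messages, to show which inputs fire each rule and what they add to the score. It assumes Python's re behaves like SpamAssassin's Perl engine for these patterns and that URIs and body text are already extracted; evaluate() and run_samples() are hypothetical names.

```python
import re

# Regexes copied from the quoted local_OBFUDOM / __obfdomreq* rules.
OBFUDOM = re.compile(
    r"https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?"
    r"[a-z0-9._\-]{1,30}[^a-z0-9._\-\/:'\[][a-z0-9._\-\@]{1,30}"
    r"(?:$|\/|\?|:[0-9])", re.I)
REQ = [re.compile(p, re.I) for p in (
    r"\b(?:remove|replace|substitute)\b",
    r"""(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')""",
    r"\bImportant!")]
SCORES = {"local_OBFUDOM": 1.1, "local_OBFDOMREQ": 3.1}

def evaluate(uris, body):
    """Return (set of rule names that hit, total score) for one message."""
    obfudom = any(OBFUDOM.search(u) for u in uris)
    # __obfudomreq: at least two of the three body sub-rules must match
    request = sum(bool(r.search(body)) for r in REQ) > 1
    hits = set()
    if obfudom:
        hits.add("local_OBFUDOM")
    if obfudom and request:
        hits.add("local_OBFDOMREQ")
    return hits, round(sum(SCORES[h] for h in hits), 1)

# Constructed sample messages: (label, extracted URIs, rendered body text)
SAMPLES = [
    ("obfuscated + instruction", ["http://example*com/"],
     'Important! Remove "*" to make the link working!'),
    ("obfuscated, no instruction", ["http://example*com"],
     "See our site."),
    ("clean URI, suspicious wording", ["http://www.example.com/a?b=1"],
     "Important! Replace your address today."),
    # '@' is accepted as the "illegal" character when the optional
    # userinfo group is skipped, so userinfo URLs hit as well.
    ("userinfo URL", ["http://user@example.com/"], "Hello."),
]

def run_samples():
    return {label: evaluate(uris, body) for label, uris, body in SAMPLES}

if __name__ == "__main__":
    for label, (hits, total) in run_samples().items():
        print(f"{label:32} {total:4} {sorted(hits)}")
```

The third sample shows that the wording rules alone add nothing: local_OBFDOMREQ needs a local_OBFUDOM hit on a URI as well.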

