"replace this with that" strings

Ken A ka at pacific.net
Fri Feb 16 20:42:27 CET 2007



Denis Beauchemin wrote:
> Jay Chandler wrote:
>>
>> I use this from the SARE list:
>>
>> spacecowboy# cat 75_bad_domain.cf
>> # 2007-01-24 new rules (adapted from Henrik Krohns
>> # <hege at stream.hege.li> on SA list)
>> # http:// [user [:password] @]
>> # <legal uri characters> + <1 illegal char> + <legal chars>
>> # + (<end of uri> or / or ? or :<port>)
>> uri             local_OBFUDOM /https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?[a-z0-9._\-]{1,30}[^a-z0-9._\-\/:'\[][a-z0-9._\-\@]{1,30}(?:$|\/|\?|:[0-9])/i
>>
>> describe        local_OBFUDOM           Domain contains illegal characters
>> score   local_OBFUDOM           1.1
>>
>> body            __obfdomreq1 /\b(?:remove|replace|substitute)\b/i
>> body            __obfdomreq2 /(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')/i
>> body            __obfdomreq3            /\bImportant!/i
>> meta            __obfudomreq            (__obfdomreq1 + __obfdomreq2 + __obfdomreq3) > 1
>> meta            local_OBFDOMREQ         (local_OBFUDOM && __obfudomreq)
>> describe        local_OBFDOMREQ         Request to modify obfuscated domain
>> score   local_OBFDOMREQ         3.1
>>
>> body     ACKME_OBFURL1a m/\bhttp:\/\/[a-z0-9\-.]+[!*%&, -]+\.?com\b/
>> describe ACKME_OBFURL1a URL that contains dodgy char
>> score    ACKME_OBFURL1a 2.0
>>
>> body     ACKME_OBFURL1b m/Remove "[!*%&, -]+" to make the link working!/i
>> describe ACKME_OBFURL1b make spam link work
>> score    ACKME_OBFURL1b 2.0
>>
>> #body     ACKME_OBFURL1c m/(\( )*Important( )*(!|,)* Remove "[!*%&, -]+"( \))*/i
>> #describe ACKME_OBFURL1c make spam link work
>> #score    ACKME_OBFURL1c 2.0
>>
>> body     ACKME_OBFURL1d m/Important(,|:)* Replace "[!*%&, -]+" with "."/i
>> describe ACKME_OBFURL1d make spam link work
>> score    ACKME_OBFURL1d 2.0
>>
>> meta     ACKME_OBFURL1  (ACKME_OBFURL1a + ACKME_OBFURL1b + ACKME_OBFURL1c + ACKME_OBFURL1d > 1)
>> describe ACKME_OBFURL1  obfuscated URLs and a make spam link work message
>> score    ACKME_OBFURL1  6.0
>>
>>
>>
> Are you sure it's from SARE?  I can't find it anywhere...
> 

I think it was posted on the SA list, not a SARE rule as far as I know, 
but might have been contributed by one of the ninjas. I use it as well 
as the one I posted.
Ken A.
Pacific.Net


> Denis
> 
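
Added example (not part of the original posts, and not SpamAssassin's own code): the local_OBFUDOM / local_OBFDOMREQ rules quoted above, re-expressed with Python's re module and run over constructed messages to show what the URI rule catches and how the meta rule gates the body hits. The names evaluate and SAMPLES, and passing the URI list in by hand instead of using SpamAssassin's URI extraction, are assumptions made for the illustration.

```python
import re

# Patterns copied from the quoted 75_bad_domain.cf; Perl's /i becomes re.I.
OBFUDOM = re.compile(
    r"https?:\/\/([a-z0-9._\-]{1,30}(:[a-z0-9._\-]{1,30})?\@)?"
    r"[a-z0-9._\-]{1,30}[^a-z0-9._\-\/:'\[][a-z0-9._\-\@]{1,30}"
    r"(?:$|\/|\?|:[0-9])", re.I)
REQ = [
    re.compile(r"\b(?:remove|replace|substitute)\b", re.I),             # __obfdomreq1
    re.compile(r"""(?:\bdomain\b|\baddress\b|"[^"]"|'[^']')""", re.I),  # __obfdomreq2
    re.compile(r"\bImportant!", re.I),                                  # __obfdomreq3
]
SCORES = {"local_OBFUDOM": 1.1, "local_OBFDOMREQ": 3.1}


def evaluate(body, uris):
    """Return (hits, score) for one message.

    Assumption: `uris` stands in for the URI list SpamAssassin hands to
    uri rules, and `body` for the rendered text its body rules see.
    """
    hits = []
    obfudom = any(OBFUDOM.search(u) for u in uris)
    if obfudom:
        hits.append("local_OBFUDOM")
    # meta __obfudomreq: at least two of the three body sub-rules must hit
    obfudomreq = sum(bool(p.search(body)) for p in REQ) > 1
    if obfudom and obfudomreq:
        hits.append("local_OBFDOMREQ")
    return hits, round(sum(SCORES[h] for h in hits), 1)


# Constructed sample messages (not taken from real mail): name -> (body, uris)
SAMPLES = {
    # obfuscated host plus "replace this with that" instructions
    "spam": ('Important! Remove "*" to make the link working! '
             "http://www.example*com/", ["http://www.example*com/"]),
    # body wording alone satisfies __obfudomreq, but the URL is clean
    "gated": ("Please replace the old address in your records: "
              "http://www.example.com/contact", ["http://www.example.com/contact"]),
    # illegal character in the host, no instructions in the body
    "url_only": ("Visit http://www.exa mple.com/ today", ["http://www.exa mple.com/"]),
}

if __name__ == "__main__":
    for name, (body, uris) in SAMPLES.items():
        print(name, evaluate(body, uris))
```

The "gated" sample is the false-positive case the meta rule guards against: ordinary mail that says "replace" and "address" gets no score unless the URI rule also fires.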

