Hugo van der Kooij
hvdkooij at vanderkooij.org
Sun Aug 24 20:47:23 IST 2008
Steve Freegard wrote:
> Hi Hugo,
> Hugo van der Kooij wrote:
>> My aim is to write a custom function to detect links to executables and
>> such and mark them with some points. Then take it one level up and
>> pick up the samples for further analyses before they are taken offline.
>> The first bit can be done with just few lines in SA just as well. It is
>> the second part that will help me get malware samples as soon as
>> possible that can not be done in SA.
> I don't think you'd need a CustomFunction for either part of this - you
> can do it all within SA and the latest version of MailScanner.
> uri TRAP_LINK_EXEC /\.(?:exe|pif|scr)$/
> score TRAP_LINK_EXEC 0.01
> describe TRAP_LINK_EXEC URI links that end in .exe .pif or .scr
> Then use the new 'SpamAssassin Rule Actions' feature in MailScanner:
> SpamAssassin Rule Actions =
That will store the URL but by the time I can look at that URL to fetch
the file the infected system might be cleaned out already. So I need to
automate this a bit further.
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
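As an added illustration of the two parts discussed in this thread (the detection rule Steve quotes and the automated hand-off Hugo wants), here is a small Python equivalent that is not part of the original message, SpamAssassin, or MailScanner. It walks the text parts of a parsed message, applies the same extension check as the quoted TRAP_LINK_EXEC rule (with the non-capturing group written as `(?:...)`), and pushes any flagged URIs onto a queue that a separate collector process could drain immediately instead of waiting for a human to read the stored URL. The sample message, the hostnames under `example.invalid`, and the decision to also match links that carry a query string or fragment (which the `$`-anchored rule would miss) are my assumptions, not something the thread specifies.

```python
import re
from email import message_from_string
from email.message import Message

# Same check as the quoted SpamAssassin rule, with the non-capturing group
# spelled correctly. The optional (?:[?#]...) tail is an assumption: it also
# catches "evil.exe?id=1" style links that a plain '$' anchor would skip.
EXEC_LINK_RE = re.compile(r"\.(?:exe|pif|scr)(?:[?#][^\s\"'<>]*)?$", re.IGNORECASE)
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TRAP_LINK_EXEC_SCORE = 0.01  # score from the quoted rule


def extract_uris(msg: Message) -> list[str]:
    """Collect http(s) URIs from every text/* part of a parsed message."""
    uris = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        # Strip trailing sentence punctuation that the URI pattern swallowed.
        uris.extend(u.rstrip(".,);") for u in URI_RE.findall(text))
    return uris


def trap_link_exec(msg: Message) -> tuple[float, list[str]]:
    """Return (score, flagged_uris) the way the TRAP_LINK_EXEC rule would."""
    hits = [u for u in extract_uris(msg) if EXEC_LINK_RE.search(u)]
    return (TRAP_LINK_EXEC_SCORE if hits else 0.0, hits)


def queue_samples(msg: Message, queue: list[str]) -> float:
    """Rule-action equivalent: score the message and hand flagged URIs to a
    queue so a collector can fetch samples before the host is cleaned up."""
    score, hits = trap_link_exec(msg)
    queue.extend(hits)
    return score


def scan_raw(raw: str) -> tuple[float, list[str]]:
    """Parse a raw RFC 2822 message string and run the rule over it."""
    return trap_link_exec(message_from_string(raw))


# Constructed sample message; the hostnames are placeholders, not real sites.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: your invoice
Content-Type: text/plain; charset=us-ascii

Please open http://downloads.example.invalid/invoice.exe?id=42 now.
Also see http://www.example.invalid/readme.txt for details.
"""

if __name__ == "__main__":
    pending = []
    msg = message_from_string(SAMPLE_MESSAGE)
    print("score:", queue_samples(msg, pending))
    print("queued for collection:", pending)
```

The queue here is just a list; in a deployment it would be a directory, database table, or message bus that a fetcher watches, so the collection step no longer depends on someone noticing the stored URL in time.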