[SURBL-Discuss] RFC: Storm URI IPs to XS list?
Kevin A. McGrail
kmcgrail at pccc.com
Sat Aug 18 20:45:50 CEST 2007
> Yes I understand you completely - and I still say leave it blocked. If
> someone is running a server on a dynamic IP then they should really be
> using dyndns or similar so instead of giving out URLs like
> http://123.123.12.1 or similar they could give people a URL like
> http://dynamicexample.dyndns.org which also would not have the
> disadvantage of having to tell people a different URL every time their IP
> changes. Anyone simply using an IP in a link on a dynamic IP needs to
> learn how to do it properly. I don't see why WE (email admins etc) should
> make allowances for the uninformed.

If you are saying this, then you don't need a list. Just use the
__KAM_IPHTTP rule below as a standalone rule with a score of your choice.
No need for an RBL.

#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body __KAM_CARD1 /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|friend|father|daughter|son|nephew)(\(.{0,35}\))? has (sent you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|e)\s*(e|post)?-?card/i
body __KAM_CARD2 /enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)/i
body __KAM_CARD3 /I['`]m in hurry, but i still love you.../i
body __KAM_IPHTTP /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i
describe KAM_CARD Trojan or Virus Payload from fake ecard notice
score KAM_CARD 4.5
meta KAM_CARD (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_IPHTTP >= 3)

Regards,
KAM
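
Added example, not part of the original post: a Python sketch that evaluates the four sub-rules and the KAM_CARD meta condition over three constructed messages, to show how a standalone __KAM_IPHTTP rule differs from the combined meta rule. The sample messages, the 192.0.2.x documentation addresses, cards.example.com and the whitespace normalisation (a simplification of how SpamAssassin renders the body) are assumptions.

```python
import re

# Sub-rules transcribed from the post. SpamAssassin uses Perl regexes; these
# patterns only use syntax that Python's re module interprets the same way.
SUBRULES = {
    "__KAM_CARD1": r"(worshipper|friend|Neighbou?r|partner|mate|colleague|member"
                   r"|worshipper|cousin|pal|brother|friend|father|daughter|son|nephew)"
                   r"(\(.{0,35}\))? has (sent you|created) (?:an|a)?\s*"
                   r"(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|e)"
                   r"\s*(e|post)?-?card",
    "__KAM_CARD2": r"enjoy your awesome card"
                   r"|Click on your .{0,15}card('s)? (link|direct www address) below"
                   r"|To see your custom .{0,15}card, simply click on the (link below|following)"
                   r"|(as you can see on the ecard)",
    "__KAM_CARD3": r"I['`]m in hurry, but i still love you...",
    "__KAM_IPHTTP": r"https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in SUBRULES.items()}

def hits(body):
    """Return the names of the sub-rules that match the message body."""
    text = " ".join(body.split())  # assumption: collapse line breaks to spaces
    return {name for name, rx in COMPILED.items() if rx.search(text)}

def kam_card(body):
    """meta KAM_CARD: at least three of the four sub-rules must hit."""
    return len(hits(body)) >= 3

def iphttp_standalone(body):
    """__KAM_IPHTTP used on its own, as the reply suggests for a block-all policy."""
    return "__KAM_IPHTTP" in hits(body)

# Constructed sample messages (not real mail).
ECARD = ("Hi. Your friend has sent you an ecard.\n"
         "Click on your card's link below:\nhttp://192.0.2.45/")
LEGIT_IP = "The staging box is up at http://192.0.2.10/status until Friday."
LEGIT_CARD = ("Your cousin has sent you a birthday card. To see your custom card,\n"
              "simply click on the following link: http://cards.example.com/view")

if __name__ == "__main__":
    for label, msg in [("ecard lure", ECARD), ("bare IP link", LEGIT_IP),
                       ("hostname ecard", LEGIT_CARD)]:
        print(f"{label:15} KAM_CARD={kam_card(msg)!s:5} "
              f"IPHTTP={iphttp_standalone(msg)!s:5} hits={sorted(hits(msg))}")
```

The bare IP link trips only the standalone rule, and the ecard notice with a hostname URL trips neither; only the message combining ecard wording with an IP URL reaches the meta threshold.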