[SURBL-Discuss] RFC: Storm URI IPs to XS list?

Kevin A. McGrail kmcgrail at pccc.com
Sat Aug 18 20:45:50 CEST 2007


> Yes I understand you completely - and I still say leave it blocked. If
> someone is running a server on a dynamic IP then they should really be
> using dyndns or similar so instead of giving out URLs like
> http://123.123.12.1 or similar they could give people a URL like
> http://dynamicexample.dyndns.org which also would not have the
> disadvantage of having to tell people a different URL every time their IP
> changes. Anyone simply using an IP in a link on a dynamic IP needs to
> learn how to do it properly. I don't see why WE (email admins etc) should
> make allowances for the uninformed.

If you are saying this, then you don't need a list.  Just use the 
__KAM_IPHTTP rule below as a standalone rule with a score of your choice. 
No need for an RBL.

#RECENT RASH OF VIRII/TROJAN PAYLOADS USING GREETING CARD NOTICES - IPHTTP IDEA BY STEPHEN FORD
body            __KAM_CARD1     /(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper|cousin|pal|brother|friend|father|daughter|son|nephew)(\(.{0,35}\))? has (sent you|created) (?:an|a)?\s*(?:funny|love|post|greeting|birthday|animated|musical|holiday|love|e)\s*(e|post)?-?card/i
body            __KAM_CARD2     /enjoy your awesome card|Click on your .{0,15}card('s)? (link|direct www address) below|To see your custom .{0,15}card, simply click on the (link below|following)|(as you can see on the ecard)/i
body            __KAM_CARD3     /I['`]m in hurry, but i still love you.../i

body            __KAM_IPHTTP    /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i

describe        KAM_CARD        Trojan or Virus Payload from fake ecard notice
score           KAM_CARD        4.5
meta            KAM_CARD        (__KAM_CARD1 + __KAM_CARD2 + __KAM_CARD3 + __KAM_IPHTTP >= 3)

Regards,
KAM 
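
Added example, not part of the original post: a small Python harness that applies the four subrule patterns above to constructed sample bodies and compares the 3-of-4 KAM_CARD meta with using __KAM_IPHTTP alone. The function names, the sample messages (documentation-range IPs) and the whitespace normalization are assumptions made for this illustration; SpamAssassin's own body rendering is only approximated.

```python
import re

# Subrule patterns from the post with the wrapped lines rejoined; Perl /i -> re.I.
SUBRULES = {
    "__KAM_CARD1": re.compile(
        r"(worshipper|friend|Neighbou?r|partner|mate|colleague|member|worshipper"
        r"|cousin|pal|brother|friend|father|daughter|son|nephew)(\(.{0,35}\))?"
        r" has (sent you|created) (?:an|a)?\s*(?:funny|love|post|greeting"
        r"|birthday|animated|musical|holiday|love|e)\s*(e|post)?-?card", re.I),
    "__KAM_CARD2": re.compile(
        r"enjoy your awesome card"
        r"|Click on your .{0,15}card('s)? (link|direct www address) below"
        r"|To see your custom .{0,15}card, simply click on the (link below|following)"
        r"|(as you can see on the ecard)", re.I),
    "__KAM_CARD3": re.compile(r"I['`]m in hurry, but i still love you...", re.I),
    "__KAM_IPHTTP": re.compile(r"https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", re.I),
}

def subrule_hits(body):
    """Return {subrule name: bool} for one message body."""
    # Assumption: collapse whitespace so line wraps do not hide a phrase.
    text = " ".join(body.split())
    return {name: bool(rx.search(text)) for name, rx in SUBRULES.items()}

def evaluate(body):
    """Compare the meta rule (>= 3 subrules) with __KAM_IPHTTP used alone."""
    hits = subrule_hits(body)
    return {
        "KAM_CARD": sum(hits.values()) >= 3,
        "IPHTTP_STANDALONE": hits["__KAM_IPHTTP"],
    }

# Constructed sample bodies (not real mail); IPs are from the 192.0.2.0/24 test range.
SAMPLES = {
    "fake_ecard": "Your friend has sent you a greeting ecard!\n"
                  "To see your custom ecard, simply click on the\n"
                  "link below: http://192.0.2.10/card.html",
    "ip_link_only": "The staging box is up at http://192.0.2.25:8080/status "
                    "until Friday.",
    "hostname_ecard": "A colleague has created a birthday card for you. "
                      "Click on your card's link below: http://cards.example.com/view",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, subrule_hits(body), evaluate(body))
```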


