On Sep 19, 2011, at 19:04, Bowie Bailey <bowie_bai...@buc.com> wrote:
> On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
>>> A hostname cannot be all digits and, except when the IP is used, there
>>> will be a TLD, so if you see a pattern such as
>>>
>>> http:// 123456789/ cgi-bin/innocent_code.pl
>>>
>>> (Ignore the spaces; they are there to let this post slip by most antispam
>>> detection) then you can surmise it is an attempt at obfuscation.
>> I don't get it, what's the pattern we're looking for? An IP address is a
>> number. Any way you specify it is fine. 123456789 is no more obfuscated
>> than whatever it would be if you converted it to dotted quad. They both
>> represent the same number.
>>
>> If you're trying to match a text pattern against an integer, you're
>> doing it wrong.
>
> He is not trying to match the IP address. He is trying to match an
> unusual way of presenting the IP address that seems to occur primarily
> in spam.
>
> Whether this is something that should be done in ClamAV or would be
> better done by something like SpamAssassin is another question altogether.
>
Try adding this to a local.pdb file in your dbdir (untested):
R:[0-9]{1,10}(\.[0-9]{1,10}){0,2}:.+
Of course you can improve the regex to detect hexadecimal encoded numbers, etc.
Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
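The heuristic Edwin's PDB line encodes, worked through as an added example (this is not code from the thread or from ClamAV): a host made of one to three decimal components, or of a single hex number, is a numeric address written in an unconventional way, while a four-component dotted quad is the ordinary form and is left alone. The expansion to a.b.c.d follows inet_aton's rule that every component but the last is one octet and the last fills the remaining bytes, which is what makes 123456789 and 7.91.205.21 the same host. The sample message body is constructed; the function names are mine.

```python
import re
from urllib.parse import urlsplit

# One to three all-digit components, e.g. 123456789 or 10.1: the shape
# Edwin's [0-9]{1,10}(\.[0-9]{1,10}){0,2} targets.
SHORT_DECIMAL = re.compile(r"^[0-9]{1,10}(\.[0-9]{1,10}){0,2}$")
# The conventional dotted quad is numeric too, but it is not an obfuscation.
DOTTED_QUAD = re.compile(r"^([0-9]{1,3}\.){3}[0-9]{1,3}$")
# Hex-encoded address, the extension Edwin suggests, e.g. 0x7f000001.
HEX_HOST = re.compile(r"^0x[0-9a-f]{1,8}$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_host(host):
    """Return 'hex', 'dotted-quad', 'short-decimal' or 'name' for a URL host."""
    if HEX_HOST.match(host):
        return "hex"
    if DOTTED_QUAD.match(host):
        return "dotted-quad"
    if SHORT_DECIMAL.match(host):
        return "short-decimal"
    return "name"


def to_dotted_quad(host):
    """Expand a numeric host to a.b.c.d using inet_aton's rules: each
    component but the last is one octet, the last fills the remaining bytes."""
    parts = host.split(".")
    vals = [int(p, 16) if p.lower().startswith("0x") else int(p, 10)
            for p in parts]
    head, last = vals[:-1], vals[-1]
    if len(vals) > 4 or any(v > 255 for v in head):
        raise ValueError("not an IPv4 host: %r" % host)
    fill = 4 - len(head)              # bytes the last component must cover
    if last >= 1 << (8 * fill):
        raise ValueError("component out of range: %r" % host)
    octets = head + [(last >> (8 * i)) & 0xFF for i in reversed(range(fill))]
    return ".".join(str(o) for o in octets)


def suspicious_urls(text):
    """Return (url, kind, dotted_quad) for every URL in text whose host is a
    numeric form other than the plain dotted quad."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""   # urlsplit lowercases the host
        kind = classify_host(host)
        if kind in ("hex", "short-decimal"):
            hits.append((url, kind, to_dotted_quad(host)))
    return hits


# Constructed sample message body, not taken from any real mail.
SAMPLE = """Dear customer, confirm your account at
http://123456789/cgi-bin/innocent_code.pl today.
Mirror: http://0x7F000001/login
Our real site is http://www.example.org/ and also http://192.0.2.10/"""

if __name__ == "__main__":
    for url, kind, quad in suspicious_urls(SAMPLE):
        print("%-45s %-14s -> %s" % (url, kind, quad))
```

Run against the sample, the decimal and hex URLs are reported with their expanded addresses and the named host and the dotted quad are not, which is the split the PDB regex draws: it is the presentation of the number, not the number itself, that the rule keys on.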